Re: [jose] FW: GCM nonce reuse question

Mike Jones <Michael.Jones@microsoft.com> Fri, 29 March 2013 02:05 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Date: Fri, 29 Mar 2013 02:05:25 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436759732D@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <006a01ce2b3c$8f0d03b0$ad270b10$@augustcellars.com> <747787E65E3FBD4E93F0EB2F14DB556B183EF2E3@xmb-rcd-x04.cisco.com> <006701ce2c21$65accf10$31066d30$@augustcellars.com>
In-Reply-To: <006701ce2c21$65accf10$31066d30$@augustcellars.com>
Cc: "crfg@irtf.org" <crfg@irtf.org>
Subject: Re: [jose] FW: GCM nonce reuse question

I'll plan to add text to the GCM section of JWA during the current round of edits pointing this out.  David McGrew was also going to get me some text about constraints on GCM initialization vector values.

                                                            -- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad
Sent: Thursday, March 28, 2013 7:02 PM
To: jose@ietf.org
Subject: [jose] FW: GCM nonce reuse question

For those people not on the CFRG list -

Jim


From: David McGrew (mcgrew) [mailto:mcgrew@cisco.com]
Sent: Thursday, March 28, 2013 4:15 AM
To: Jim Schaad
Cc: cfrg@irtf.org
Subject: Re: GCM nonce reuse question

Hi Jim,

From: Jim Schaad <jimsch@augustcellars.com>
Date: Wednesday, March 27, 2013 6:43 PM
To: David McGrew <mcgrew@cisco.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: GCM nonce reuse question

David,

In doing a write up I became worried about a security property of the GCM encryption mode in the way that the JOSE group is currently using it.

There are known problems with not having a unique set of values for IVs and Key pairings.  Do these problems apply to having a different set of auxiliary data as well as the plain text?


Yes.  The security issues are summarized in http://tools.ietf.org/html/rfc5116#section-5.1.1  but apparently they are not described generally enough.   They should read "plaintext or associated data values".

Specifically the current way that GCM mode is being used in JOSE is

Recipient #1 authentication tag = GCM(Key, Recipient #1 data, nonce, plain text)
Recipient #2 authentication tag = GCM(Key, Recipient #2 data, nonce, plain text)

As the key, nonce and plain text are fixed, it would produce the same encrypted text value but different authentication tags.


Can't do that.   Each invocation of the encryption operation needs a distinct nonce, unless all of the encryption operation inputs are identical.

Many thanks for calling this out, Jim.

David

Jim
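The construction Jim describes, and the rule David gives in reply, can be checked directly with a real AES-GCM implementation. The following Go program is an added example written for this archive page; it is not code from the thread, from JOSE, or from any of the participants. It seals one constructed plaintext under one constructed (key, nonce) pair for two recipient-specific associated-data values and reports what an observer sees: the ciphertext is identical (the CTR keystream depends only on the key and nonce) while the tags differ (GHASH covers the associated data). It then shows the mitigation David states, as a hypothetical `NonceGuard` wrapper that refuses to seal a second time under a nonce already used with the key, plus a `FreshNonce` helper that draws a new 96-bit nonce per invocation. All names, sample values and the wrapper itself are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrNonceReused is returned when a caller tries to seal twice under one nonce.
var ErrNonceReused = errors.New("aes-gcm: nonce already used under this key")

// newGCM builds an AES-GCM AEAD (96-bit nonce, 128-bit tag) from a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSplit seals once and returns ciphertext and tag separately;
// Go's Seal appends the 16-byte tag to the ciphertext.
func sealSplit(aead cipher.AEAD, nonce, plaintext, aad []byte) (ct, tag []byte) {
	out := aead.Seal(nil, nonce, plaintext, aad)
	n := len(out) - aead.Overhead()
	return out[:n], out[n:]
}

// ReuseResult is what an observer of both outputs can compare.
type ReuseResult struct {
	SameCiphertext bool
	SameTag        bool
}

// CompareRecipients seals one plaintext under one (key, nonce) for two
// recipient-specific associated-data values, the pattern described in the thread.
func CompareRecipients(key, nonce, plaintext, aad1, aad2 []byte) (ReuseResult, error) {
	aead, err := newGCM(key)
	if err != nil {
		return ReuseResult{}, err
	}
	ct1, tag1 := sealSplit(aead, nonce, plaintext, aad1)
	ct2, tag2 := sealSplit(aead, nonce, plaintext, aad2)
	return ReuseResult{
		SameCiphertext: bytes.Equal(ct1, ct2),   // keystream depends only on key and nonce
		SameTag:        bytes.Equal(tag1, tag2), // GHASH input includes the associated data
	}, nil
}

// NonceGuard (hypothetical wrapper) enforces the rule that every encryption
// invocation under a key uses a nonce not previously used with that key.
type NonceGuard struct {
	aead cipher.AEAD
	used map[string]struct{}
}

func NewNonceGuard(key []byte) (*NonceGuard, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &NonceGuard{aead: aead, used: make(map[string]struct{})}, nil
}

// Seal refuses a repeated nonce instead of silently emitting a second
// ciphertext/tag pair under it.
func (g *NonceGuard) Seal(nonce, plaintext, aad []byte) ([]byte, error) {
	if len(nonce) != g.aead.NonceSize() {
		return nil, fmt.Errorf("aes-gcm: nonce must be %d bytes", g.aead.NonceSize())
	}
	if _, dup := g.used[string(nonce)]; dup {
		return nil, ErrNonceReused
	}
	g.used[string(nonce)] = struct{}{}
	return g.aead.Seal(nil, nonce, plaintext, aad), nil
}

// FreshNonce draws a random 96-bit nonce, one per invocation.
func FreshNonce() ([]byte, error) {
	nonce := make([]byte, 12)
	_, err := rand.Read(nonce)
	return nonce, err
}

func main() {
	// Constructed sample values; not taken from the thread or any real JWE.
	key := bytes.Repeat([]byte{0x11}, 32)
	nonce := bytes.Repeat([]byte{0x22}, 12)
	pt := []byte("shared message body")
	aad1, aad2 := []byte("recipient-1 header"), []byte("recipient-2 header")

	res, err := CompareRecipients(key, nonce, pt, aad1, aad2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("same ciphertext: %v, same tag: %v\n", res.SameCiphertext, res.SameTag)

	guard, _ := NewNonceGuard(key)
	guard.Seal(nonce, pt, aad1) // first use of this nonce: accepted
	_, err = guard.Seal(nonce, pt, aad2)
	fmt.Println("second seal under the same nonce:", err)
}
```

Run with `go run main.go`; the first line prints `same ciphertext: true, same tag: false`, which is exactly the situation Jim sketched, and the second line shows the guard rejecting the repeated nonce. The guard tracks nonces per key in memory only; a deployment would need that state to survive restarts or, more simply, derive a distinct nonce for every invocation as `FreshNonce` does.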