Re: [jose] FW: GCM nonce reuse question
Mike Jones <Michael.Jones@microsoft.com> Fri, 29 March 2013 02:05 UTC
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Date: Fri, 29 Mar 2013 02:05:25 +0000
Cc: "crfg@irtf.org" <crfg@irtf.org>
Subject: Re: [jose] FW: GCM nonce reuse question
I'll plan to add text to the GCM section of JWA during the current round of edits pointing this out. David McGrew was also going to get me some text about constraints on GCM initialization vector values.

-- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad
Sent: Thursday, March 28, 2013 7:02 PM
To: jose@ietf.org
Subject: [jose] FW: GCM nonce reuse question

For those people not on the CFRG list -

Jim

From: David McGrew (mcgrew) [mailto:mcgrew@cisco.com]
Sent: Thursday, March 28, 2013 4:15 AM
To: Jim Schaad
Cc: cfrg@irtf.org
Subject: Re: GCM nonce reuse question

Hi Jim,

From: Jim Schaad <jimsch@augustcellars.com>
Date: Wednesday, March 27, 2013 6:43 PM
To: David McGrew <mcgrew@cisco.com>
Cc: cfrg@irtf.org
Subject: GCM nonce reuse question

David,

In doing a write-up I became worried about a security property of the GCM encryption mode in the way that the JOSE group is currently using it. There are known problems with not having a unique set of values for IV and key pairings. Do these problems apply to having a different set of auxiliary data as well as the plain text?

Yes. The security issues are summarized in http://tools.ietf.org/html/rfc5116#section-5.1.1 but apparently they are not described generally enough. They should read "plaintext or associated data values".

Specifically, the current way that GCM mode is being used in JOSE is:

Recipient #1 authentication tag = GCM(Key, Recipient #1 data, nonce, plain text)
Recipient #2 authentication tag = GCM(Key, Recipient #2 data, nonce, plain text)

As the key, nonce and plain text are fixed, it would produce the same encrypted text value but different authentication tags.

Can't do that. Each invocation of the encryption operation needs a distinct nonce, unless all of the encryption operation inputs are identical.

Many thanks for calling this out, Jim.

David

Jim
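The behaviour discussed in the thread, as an added example that is not part of the original messages: with one key, one nonce and one plaintext but per-recipient associated data, AES-GCM yields identical ciphertexts and different tags; reusing the (key, nonce) pair also exposes the XOR of two plaintexts, and a distinct nonce per invocation removes both problems. The key, nonce and plaintexts are constructed for the demonstration, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// gcmSeal runs AES-GCM and returns ciphertext and tag separately (Go's Seal
// appends the 16-byte tag to the ciphertext, so it is split off here).
func gcmSeal(key, nonce, plaintext, aad []byte) (ct, tag []byte) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	out := aead.Seal(nil, nonce, plaintext, aad)
	n := len(out) - aead.Overhead()
	return out[:n], out[n:]
}

// SameCiphertextDifferentTags reproduces the thread's multi-recipient pattern (one
// key, nonce and plaintext; per-recipient AAD): ciphertexts collide, tags differ.
func SameCiphertextDifferentTags(key, nonce, pt, aad1, aad2 []byte) (bool, bool) {
	ct1, tag1 := gcmSeal(key, nonce, pt, aad1)
	ct2, tag2 := gcmSeal(key, nonce, pt, aad2)
	return bytes.Equal(ct1, ct2), !bytes.Equal(tag1, tag2)
}

// KeystreamReuseLeak shows the confidentiality cost of a repeated (key, nonce):
// the CTR keystream depends only on those two, so c1 XOR c2 == p1 XOR p2.
func KeystreamReuseLeak(key, nonce, p1, p2 []byte) bool {
	c1, _ := gcmSeal(key, nonce, p1, nil)
	c2, _ := gcmSeal(key, nonce, p2, nil)
	for i := range p1 { // p1 and p2 must have equal length
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

// FreshNonceFix applies the thread's remedy, a distinct 96-bit nonce per call:
// even identical plaintexts under one key then yield different ciphertexts.
func FreshNonceFix(key, pt []byte) bool {
	n1, n2 := make([]byte, 12), make([]byte, 12)
	rand.Read(n1) // crypto/rand; error ignored (never returned since Go 1.24)
	rand.Read(n2)
	c1, _ := gcmSeal(key, n1, pt, nil)
	c2, _ := gcmSeal(key, n2, pt, nil)
	return !bytes.Equal(c1, c2)
}
```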