IETF Logo Mail Archive

Re: [jose] [Cfrg] GCM nonce reuse question

Richard Barnes <rbarnes@bbn.com> Tue, 02 April 2013 17:55 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A224A21F8CEB; Tue, 2 Apr 2013 10:55:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.999
X-Spam-Level:
X-Spam-Status: No, score=-105.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q5loGLYFqlEd; Tue, 2 Apr 2013 10:55:35 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id BFE4721F8CE9; Tue, 2 Apr 2013 10:55:35 -0700 (PDT)
Received: from ros-dhcp192-1-51-16.bbn.com ([192.1.51.16]:49983) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1UN5Qb-000PYb-Bi; Tue, 02 Apr 2013 13:55:25 -0400
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Richard Barnes <rbarnes@bbn.com>
In-Reply-To: <4EC6AC2C-8EE6-4433-8302-E884DD0B3C06@ve7jtb.com>
Date: Tue, 02 Apr 2013 13:55:24 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <734D4714-BEF1-4E0C-8DB4-6753083F0F11@bbn.com>
References: <006a01ce2b3c$8f0d03b0$ad270b10$@augustcellars.com> <747787E65E3FBD4E93F0EB2F14DB556B183EF2E3@xmb-rcd-x04.cisco.com> <4E1F6AAD24975D4BA5B1680429673943675A0978@TK5EX14MBXC283.redmond.corp.microsoft.com> <004e01ce2fb9$74979730$5dc6c590$@augustcellars.com> <4EC6AC2C-8EE6-4433-8302-E884DD0B3C06@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1503)
Cc: "David McGrew (mcgrew)" <mcgrew@cisco.com>, cfrg@irtf.org, "jose@ietf.org" <jose@ietf.org>, Jim Schaad <jimsch@augustcellars.com>
Subject: Re: [jose] [Cfrg] GCM nonce reuse question
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 17:55:36 -0000

[re-added JOSE, since we're talking design now]

On Apr 2, 2013, at 11:59 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Jim,
> 
> I don't think Mike was proposing that as a solution, but rather an attempt to characterize the issue.
> 
> Yes changing the nonce per recipient would cause the cypher text produced by GCM to change per recipient and need to be repeated, making it an array of JWE effectively, and not really anyones idea of encrypting to multiple recipients.
> 
> In a later email I asked David if we have the same or similar issue with his AES-CBC+HMAC. 
> 
> Perhaps and I think it is too early to go there, perhaps not all encryption algorithms are equally well suited to using with multiple recipients.

This is the wrong conclusion.  GCM is suited just fine to multiple recipients, as it's use with CMS (AuthEnvelopedData) shows. 

The problem here is JWE, specifically the fact that the header (with per-recipient data) is covered by the integrity check.  If you remove the per-recipient data from the integrity check, then this problem goes away.  In that case, there is only one invocation of GCM (not one per recipient), so there's no problem.

So the choice that JOSE faces is from the following options:

Option 0. Outlaw GCM for multiple recipients.
  COST: GCM

Option 1. Keep per-recipient info under integrity check, and require a fresh nonce for each recipient
  COST: Removes all savings in the multiple recipient case 
  BENEFIT: Doesn't break backward compatibility with current, single-recipient JWE

Option 2. Remove per-recipient info from integrity check
  COST: Breaks backward compatibility with current, single-recipient JWE
  BENEFIT: Increases savings in multiple-recipient case (since no per-recipient integrity check value)

Option 0 is clearly not acceptable.  So basically, this is a choice about how much we want to let deployed code keep us from sensible architecture.

To me, the choice is clear.  Changing code is minor, short-term pain.  Getting architecture wrong is major, long-term pain.  Let's do option (2).

--Richard





> 
> John B.
> 
> On 2013-04-02, at 12:48 PM, "Jim Schaad" <jimsch@augustcellars.com> wrote:
> 
>> Mike,
>>  
>> I will note that this is not going to be considered an acceptable solution for the JOSE group.  You don’t really want to increase the size of the message by n*base64 encoding where in is the number of recipients.
>>  
>> Jim
>>  
>>  
>> From: Mike Jones [mailto:Michael.Jones@microsoft.com] 
>> Sent: Monday, April 01, 2013 5:55 PM
>> To: David McGrew (mcgrew); Jim Schaad
>> Cc: cfrg@irtf.org; John Bradley
>> Subject: RE: GCM nonce reuse question
>>  
>> Hi David,
>>  
>> In reading this thread and http://tools.ietf.org/html/draft-mcgrew-iv-gen-02, I believe that it’s OK, however if the usage is:
>>  
>> (Recipient #1 ciphertext, Recipient #1 authentication tag) = GCM(Key, Recipient #1 data, nonce #1, plain text)
>> (Recipient #2 ciphertext, Recipient #2 authentication tag) = GCM(Key, Recipient #2 data, nonce #2, plain text)
>>  
>> where nonce #1 and nonce #2 are guaranteed to be distinct?  Am I reading things correctly in that regard?
>>  
>>                                                                 Thanks,
>>                                                                 -- Mike
>>  
>> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of David McGrew (mcgrew)
>> Sent: Thursday, March 28, 2013 4:15 AM
>> To: Jim Schaad
>> Cc: cfrg@irtf.org
>> Subject: Re: [Cfrg] GCM nonce reuse question
>>  
>> Hi Jim,
>>  
>> From: Jim Schaad <jimsch@augustcellars.com>
>> Date: Wednesday, March 27, 2013 6:43 PM
>> To: David McGrew <mcgrew@cisco.com>
>> Cc: "cfrg@irtf.org" <cfrg@irtf.org>
>> Subject: GCM nonce reuse question
>>  
>> David,
>>  
>> In doing a write up I became worried about a security property of the GCM encryption mode in the way that the JOSE group is currently using it.
>>  
>> There are known problems with not having a unique set of values for IVs and Key pairings.  Do these problems apply to having a different set of auxiliary data as well as the plain text?
>>  
>>  
>> Yes.  The security issues are summarized in http://tools.ietf.org/html/rfc5116#section-5.1.1  but apparently they are not described generally enough.   They should read "plaintext or associated data values".
>>  
>> Specifically the current way that GCM mode is being used in JOSE is
>>  
>> Recipient #1 authentication tag = GCM(Key, Recipient #1 data, nonce, plain text)
>> Recipient #2 authentication tag = GCM(Key, Recipient #2 data, nonce, plain text)
>>  
>> As the key, nonce and plain text are fixed it would produce the same encrypted text value but different authentication tags.
>>  
>>  
>> Can't do that.   Each invocation of the encryption operation needs a distinct nonce, unless all of the encryption operation inputs are identical.
>>  
>> Many thanks for calling this out, Jim.
>>  
>> David
>>  
>> Jim
>>  
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email