IETF Logo Mail Archive

Re: [kitten] explicit CBC IVs vs confounders: covert channels (draft-ietf-kitten-aes-cts-hmac-sha2)

"Paul Miller (NT)" <paumil@microsoft.com> Fri, 27 September 2013 22:56 UTC

Return-Path: <paumil@microsoft.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 591B521F9D42 for <kitten@ietfa.amsl.com>; Fri, 27 Sep 2013 15:56:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.456
X-Spam-Level:
X-Spam-Status: No, score=-3.456 tagged_above=-999 required=5 tests=[AWL=0.143, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OadbOP7Ot91i for <kitten@ietfa.amsl.com>; Fri, 27 Sep 2013 15:56:24 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0149.outbound.protection.outlook.com [207.46.163.149]) by ietfa.amsl.com (Postfix) with ESMTP id 0DF4A21F9DED for <kitten@ietf.org>; Fri, 27 Sep 2013 15:56:09 -0700 (PDT)
Received: from BLUPR03MB279.namprd03.prod.outlook.com (10.255.213.17) by BLUPR03MB279.namprd03.prod.outlook.com (10.255.213.17) with Microsoft SMTP Server (TLS) id 15.0.775.9; Fri, 27 Sep 2013 22:56:08 +0000
Received: from BLUPR03MB279.namprd03.prod.outlook.com ([169.254.1.174]) by BLUPR03MB279.namprd03.prod.outlook.com ([169.254.1.174]) with mapi id 15.00.0775.005; Fri, 27 Sep 2013 22:56:08 +0000
From: "Paul Miller (NT)" <paumil@microsoft.com>
To: "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: [kitten] explicit CBC IVs vs confounders: covert channels (draft-ietf-kitten-aes-cts-hmac-sha2)
Thread-Index: AQHOuusBYgkU2JudR0S0vPvtmQkgnpnaKpxA
Date: Fri, 27 Sep 2013 22:56:07 +0000
Message-ID: <68eb2a3d201548349da7634f867a46cc@BLUPR03MB279.namprd03.prod.outlook.com>
References: <ldvob7fmmq0.fsf@cathode-dark-space.mit.edu>
In-Reply-To: <ldvob7fmmq0.fsf@cathode-dark-space.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e0:ee43::2]
x-forefront-prvs: 098291215C
x-forefront-antispam-report: SFV:NSPM; SFS:(189002)(199002)(377454003)(13464003)(76576001)(76796001)(15975445006)(81542001)(59766001)(51856001)(77982001)(80022001)(83322001)(19580405001)(19580395003)(76786001)(77096001)(83072001)(4396001)(49866001)(74662001)(74502001)(74876001)(74316001)(47976001)(56776001)(31966008)(47736001)(63696002)(76482001)(50986001)(81816001)(80976001)(54316002)(65816001)(53806001)(81342001)(46102001)(15202345003)(54356001)(47446002)(56816003)(74366001)(33646001)(79102001)(74706001)(69226001)(81686001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR03MB279; H:BLUPR03MB279.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ee43::2; FPR:; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Subject: Re: [kitten] explicit CBC IVs vs confounders: covert channels (draft-ietf-kitten-aes-cts-hmac-sha2)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2013 22:56:28 -0000

While I agree with the analysis that the use of a confounder will limit the exposure of the state of a faulty PRNG, I don't see this as a problem that needs to be addressed by Kerberos.  The RNG is a system service and not part of the Kerberos specification.  RFC 4120 references RFC 4086 "Randomness Requirements for Security" so the condition not to use a PRNG that leaks state is already covered.  Between nonces and randomly generated session keys, there are plenty of other avenues for insufficient randomness to manifest.

This is not to say that I disagree with using a confounder.  A confounder is quite useful as a source of cipher text from which to steal in order to make CTS work with short inputs.

-----Original Message-----
From: kitten-bounces@ietf.org [mailto:kitten-bounces@ietf.org] On Behalf Of Tom Yu
Sent: Thursday, September 26, 2013 12:01 PM
To: kitten@ietf.org
Subject: [kitten] explicit CBC IVs vs confounders: covert channels (draft-ietf-kitten-aes-cts-hmac-sha2)

There have recently been allegations that certain RNGs might be compromised.  This is significant when making cipher mode decisions for Kerberos, because encrypted confounders could mitigate against malicious RNGs.  I suggest that we consider the tradeoffs of using encrypted confounders.

Some of us have been thinking about whether encrypted confounders add any security beyond plaintext explicit IVs.  Researchers, e.g. Boldyreva and Kumar
(http://www.cs.washington.edu/research/projects/poirot3/Oakland/sp/PAPERS/oakland07-24.pdf)
have proven that the encrypted confounder CBC modes in Kerberos with encode-then-E&M are no worse than explicit IVs with encrypt-then-MAC.

A posting by Perry Metzger
(http://www.metzdowd.com/pipermail/cryptography/2013-September/017571.html)
brings up the idea of explicit plaintext IVs as being a covert channel through which a malicious RNG could leak state information.  If, as alleged, leaking only 32 bytes of RNG output is sufficient to allow recovery of its internal state, leakage through IVs is a serious risk.
Using an encrypted confounder can remove this covert channel, or at least significantly raise the bar for using it.

A malicious implementation could still leak RNG state by first passing the confounder through a block decryption operation, but that requires access to the encryption key.  Also, invocation of a decryption operation during what is supposed to be an encryption operation might be more obvious to auditors than a malicious RNG would be.

I think one question we should consider is whether the increased security from using encrypted confounders is worth deviating from the historically preferred explicit IVs that we're considering in draft-ietf-kitten-aes-cts-hmac-sha2.
_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email