Re: [kitten] explicit CBC IVs vs confounders: covert channels (draft-ietf-kitten-aes-cts-hmac-sha2)
Sam Hartman <hartmans-ietf@mit.edu> Tue, 01 October 2013 19:54 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C117921E80C5 for <kitten@ietfa.amsl.com>; Tue, 1 Oct 2013 12:54:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100
X-Spam-Level:
X-Spam-Status: No, score=-100 tagged_above=-999 required=5 tests=[USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hvTsP2nyHhO1 for <kitten@ietfa.amsl.com>; Tue, 1 Oct 2013 12:54:22 -0700 (PDT)
Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 0679421E818A for <kitten@ietf.org>; Tue, 1 Oct 2013 12:53:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.painless-security.com (Postfix) with ESMTP id 6C24B2037F; Tue, 1 Oct 2013 15:52:40 -0400 (EDT)
Received: from mail.painless-security.com ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CH-KbCErneom; Tue, 1 Oct 2013 15:52:39 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (c-50-136-31-107.hsd1.ma.comcast.net [50.136.31.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS; Tue, 1 Oct 2013 15:52:39 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id C866582B43; Tue, 1 Oct 2013 15:53:43 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: "Paul Miller (NT)" <paumil@microsoft.com>
References: <ldvob7fmmq0.fsf@cathode-dark-space.mit.edu> <68eb2a3d201548349da7634f867a46cc@BLUPR03MB279.namprd03.prod.outlook.com>
Date: Tue, 01 Oct 2013 15:53:43 -0400
In-Reply-To: <68eb2a3d201548349da7634f867a46cc@BLUPR03MB279.namprd03.prod.outlook.com> (Paul Miller's message of "Fri, 27 Sep 2013 22:56:07 +0000")
Message-ID: <tslioxgepiw.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] explicit CBC IVs vs confounders: covert channels (draft-ietf-kitten-aes-cts-hmac-sha2)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2013 19:54:35 -0000
>>>>> "Paul" == Paul Miller (NT) <paumil@microsoft.com> writes: Paul> While I agree with the analysis that the use of a confounder Paul> will limit the exposure of the state of a faulty PRNG, I don't Paul> see this as a problem that needs to be addressed by Kerberos. Paul> The RNG is a system service and not part of the Kerberos Paul> specification. RFC 4120 references RFC 4086 "Randomness Paul> Requirements for Security" so the condition not to use a PRNG Paul> that leaks state is already covered. Between nonces and Paul> randomly generated session keys, there are plenty of other Paul> avenues for insufficient randomness to manifest. This is not Paul> to say that I disagree with using a confounder. A confounder Paul> is quite useful as a source of cipher text from which to steal Paul> in order to make CTS work with short inputs. The issue here in my mind is that it seems like we as a community have paid inadequate attention to what the damage of a malicious RNG could do is. We've been focusing on the sorts of things described in RFC 4086, rather than RNGS maliciously affected either in implementation or standards. That class of attack having been pointed out, we should consider its impact on security systems we design. I agree that introducing another covert channel by which random data can leak is kind of uninteresting. However, an attacker who can predict your RNG state will now be much more able to predict future explicit IVs. Where as that attacker will find it difficult to predict explicit confounders without knowing the key. I have not yet figured out whether this matters.
- [kitten] explicit CBC IVs vs confounders: covert … Tom Yu
- Re: [kitten] explicit CBC IVs vs confounders: cov… Paul Miller (NT)
- Re: [kitten] explicit CBC IVs vs confounders: cov… Nico Williams
- Re: [kitten] explicit CBC IVs vs confounders: cov… Sam Hartman
- Re: [kitten] explicit CBC IVs vs confounders: cov… Nico Williams