[kitten] explicit CBC IVs vs confounders: covert channels (draft-ietf-kitten-aes-cts-hmac-sha2)

Tom Yu <tlyu@MIT.EDU> Thu, 26 September 2013 19:01 UTC

Return-Path: <tlyu@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 978DC21E80D3 for <kitten@ietfa.amsl.com>; Thu, 26 Sep 2013 12:01:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fyGSl2izl3js for <kitten@ietfa.amsl.com>; Thu, 26 Sep 2013 12:01:36 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) by ietfa.amsl.com (Postfix) with ESMTP id 9F72221E80CC for <kitten@ietf.org>; Thu, 26 Sep 2013 12:01:15 -0700 (PDT)
X-AuditID: 12074424-b7f228e00000096b-23-5244847ac1b3
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id A7.D1.02411.A7484425; Thu, 26 Sep 2013 15:01:14 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id r8QJ1Ekr024897 for <kitten@ietf.org>; Thu, 26 Sep 2013 15:01:14 -0400
Received: from cathode-dark-space.mit.edu (cathode-dark-space.mit.edu [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id r8QJ1C1U020211 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <kitten@ietf.org>; Thu, 26 Sep 2013 15:01:14 -0400
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id r8QJ1BWE004520; Thu, 26 Sep 2013 15:01:11 -0400 (EDT)
To: kitten@ietf.org
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 26 Sep 2013 15:01:11 -0400
Message-ID: <ldvob7fmmq0.fsf@cathode-dark-space.mit.edu>
Lines: 32
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrHIsWRmVeSWpSXmKPExsUixCmqrFvV4hJk8HiNhcXRzatYHBg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVce/rG9aC97wVK77PYW9gvM7dxcjJISFgIrH4+m4WCFtM4sK9 9WxdjFwcQgL7GCV+/ZzCDJIQEjjOKHFgTTxE4gmTRM+vrYwQThejRNf8rWwgVSICwhK7t74D 6xAWiJd4PH0nexcjBwebgLTE0cVlIGEWAVWJ41sPgW3jFbCQuLn+OFgrjwCnxOlZn6HighIn Zz4Bs5kFtCRu/HvJNIGRbxaS1CwkqQWMTKsYZVNyq3RzEzNzilOTdYuTE/PyUot0zfVyM0v0 UlNKNzGCgondRWUHY/MhpUOMAhyMSjy8GVkuQUKsiWXFlbmHGCU5mJREeTc1AIX4kvJTKjMS izPii0pzUosPMUpwMCuJ8K6PBcrxpiRWVqUW5cOkpDlYlMR5b3HYBwkJpCeWpGanphakFsFk ZTg4lCR4U5qBGgWLUtNTK9Iyc0oQ0kwcnCDDeYCGJ4HU8BYXJOYWZ6ZD5E8xKkqJ85qBJARA EhmleXC9sGh/xSgO9IowrylIFQ8wUcB1vwIazAQ02KHDCWRwSSJCSqqBUW5mUdqMGzIXGmd8 6GGXyM6/HmApOtfQ81uuYeBq3qLpvruWpuavmrCDeeeXZffza+btfjbzqvTHvU2yMx3FfT92 qF+Zx2bTxP2P36fTUsXrpsyC5Dst6+QS/z2a4ugnUKewe0P7yd0MP69np3uElLC/vqTz27b0 f3egiRBDieLJvNN1vpZSSizFGYmGWsxFxYkAdzBTbNECAAA=
Subject: [kitten] explicit CBC IVs vs confounders: covert channels (draft-ietf-kitten-aes-cts-hmac-sha2)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Sep 2013 19:01:54 -0000

There have recently been allegations that certain RNGs might be
compromised.  This is significant when making cipher mode decisions
for Kerberos, because encrypted confounders could mitigate against
malicious RNGs.  I suggest that we consider the tradeoffs of using
encrypted confounders.

Some of us have been thinking about whether encrypted confounders add
any security beyond plaintext explicit IVs.  Researchers,
e.g. Boldyreva and Kumar
(http://www.cs.washington.edu/research/projects/poirot3/Oakland/sp/PAPERS/oakland07-24.pdf)
have proven that the encrypted confounder CBC modes in Kerberos with
encode-then-E&M are no worse than explicit IVs with encrypt-then-MAC.

A posting by Perry Metzger
(http://www.metzdowd.com/pipermail/cryptography/2013-September/017571.html)
brings up the idea of explicit plaintext IVs as being a covert channel
through which a malicious RNG could leak state information.  If, as
alleged, leaking only 32 bytes of RNG output is sufficient to allow
recovery of its internal state, leakage through IVs is a serious risk.
Using an encrypted confounder can remove this covert channel, or at
least significantly raise the bar for using it.

A malicious implementation could still leak RNG state by first passing
the confounder through a block decryption operation, but that requires
access to the encryption key.  Also, invocation of a decryption
operation during what is supposed to be an encryption operation might
be more obvious to auditors than a malicious RNG would be.

I think one question we should consider is whether the increased
security from using encrypted confounders is worth deviating from the
historically preferred explicit IVs that we're considering in
draft-ietf-kitten-aes-cts-hmac-sha2.