Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-01
"Paul Miller (NT)" <paumil@microsoft.com> Tue, 01 October 2013 23:06 UTC
Return-Path: <paumil@microsoft.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5CAA1F0D07 for <kitten@ietfa.amsl.com>; Tue, 1 Oct 2013 16:06:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 18QImvi+uPID for <kitten@ietfa.amsl.com>; Tue, 1 Oct 2013 16:06:05 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0157.outbound.protection.outlook.com [207.46.163.157]) by ietfa.amsl.com (Postfix) with ESMTP id BB81D21F9E01 for <kitten@ietf.org>; Tue, 1 Oct 2013 16:06:02 -0700 (PDT)
Received: from BLUPR03MB279.namprd03.prod.outlook.com (10.255.213.17) by BLUPR03MB277.namprd03.prod.outlook.com (10.255.213.15) with Microsoft SMTP Server (TLS) id 15.0.785.10; Tue, 1 Oct 2013 23:06:01 +0000
Received: from BLUPR03MB279.namprd03.prod.outlook.com ([169.254.1.181]) by BLUPR03MB279.namprd03.prod.outlook.com ([169.254.1.181]) with mapi id 15.00.0785.001; Tue, 1 Oct 2013 23:06:00 +0000
From: "Paul Miller (NT)" <paumil@microsoft.com>
To: "Peck, Michael A" <mpeck@mitre.org>, Sam Hartman <hartmans-ietf@mit.edu>, Benjamin Kaduk <kaduk@MIT.EDU>
Thread-Topic: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-01
Thread-Index: AQHOuTQqLL9iqiJfDEOixCgfmtSLk5nVbNDwgApl3ACAAKb/AA==
Date: Tue, 01 Oct 2013 23:06:00 +0000
Message-ID: <0ed0b14528314630b9c500399497dcc2@BLUPR03MB279.namprd03.prod.outlook.com>
References: <1553bab817a2411c90c18aa4ffd2b1dc@BLUPR03MB279.namprd03.prod.outlook.com> <CE703504.6536%mpeck@mitre.org>
In-Reply-To: <CE703504.6536%mpeck@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e0:ee43::3]
x-forefront-prvs: 09860C2161
x-forefront-antispam-report: SFV:NSPM; SFS:(377454003)(479174003)(13464003)(24454002)(189002)(199002)(51704005)(31966008)(51856001)(19580395003)(74662001)(19580405001)(83322001)(47446002)(74502001)(49866001)(47976001)(76482001)(74366001)(63696002)(56776001)(561944002)(53806001)(54356001)(33646001)(80976001)(59766001)(47736001)(77982001)(83072001)(74316001)(4396001)(74706001)(74876001)(50986001)(65816001)(80022001)(79102001)(81342001)(81542001)(76796001)(46102001)(54316002)(81686001)(77096001)(81816001)(56816003)(76576001)(76786001)(69226001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR03MB277; H:BLUPR03MB279.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ee43::3; FPR:; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: "kitten@ietf.org" <kitten@ietf.org>, Michiko Short <michikos@microsoft.com>
Subject: Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-01
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2013 23:06:25 -0000
I omitted the critical context for my statement. We cannot follow the behavior in RFC3962 for short cipher texts if we are to use an IV instead of a confounder. RFC3962 says this in section 5: Ciphertext stealing, as defined in [RC5], assumes that more than one block of plain text is available. If exactly one block is to be encrypted, that block is simply encrypted with AES (also known as ECB mode). Input smaller than one block is padded at the end to one block; the values of the padding bits are unspecified. This behavior of using padding for text shorter than one block and not padding block sized inputs creates the ambiguity. We just never encountered any problems due to the use of the confounder which prevents inputs smaller than one block from occurring. The CTS behavior in draft-ietf-kitten-aes-cts-hmac-sha2 describes cipher text stealing from the nonce handling short inputs. I do not have any strong feelings on IV versus confounder so long as we keep using CTS in a mode that can steal from the IV to handle short inputs. -----Original Message----- From: Peck, Michael A [mailto:mpeck@mitre.org] Sent: Tuesday, October 1, 2013 5:34 AM To: Paul Miller (NT); Sam Hartman; Benjamin Kaduk Cc: kitten@ietf.org; Michiko Short Subject: Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-01 Hi Paul, Your example plaintexts below wouldn't result in ambiguous behavior with PKCS #7 padding. As described in RFC5652 Section 6.3, your second plaintext example would have a full block of padding added. Our reasoning for using an explicit IV: Comply with the definition of CBC in NIST SP 800-38A (or the definition of CTS in NIST SP 800-38A Addendum), it's the current standard cryptographic practice, and save an unnecessary encryption/decryption operation per message. Mike On 9/24/13 6:00 PM, "Paul Miller (NT)" <paumil@microsoft.com> wrote: >Through GSS_Wrap, the fact that we are encrypting at least the header >per RFC 4121 ensures that the message is not less than one block. The >use of the cipher suite in the context establishment could be a problem, however. > >Without the confounder to avoid the short message problem, there could >be ambiguity between what is CTS encoded to exact length and what is >padded when the cipher text is exactly one block length. That is to >say that the plain texts: > >01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd >01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd 01 > >Would end up encrypting the same and could not be distinguished as the >former would need to PKCS #7 pad and the latter would just CBC the >single block. > >I'm sorry I missed a lot of the context from prior discussions, but >what is the reason for using a traditional IV instead of the >confounder? I don't see a difference in security and using the >confounder like cipher text allows CTS for short inputs. > >-----Original Message----- >From: kitten-bounces@ietf.org [mailto:kitten-bounces@ietf.org] On >Behalf Of Sam Hartman >Sent: Tuesday, September 24, 2013 7:42 AM >To: Benjamin Kaduk >Cc: kitten@ietf.org; Michiko Short; Sam Hartman >Subject: Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-01 > >>>>>> "Benjamin" == Benjamin Kaduk <kaduk@MIT.EDU> writes: > > Benjamin> On Mon, 23 Sep 2013, Sam Hartman wrote: > >> Hi. With my chair hat on, does anyone wish to re-open the > >> discussion of the CBC decision based on this late input? > > Benjamin> No comment on that particular question as of yet, but I > Benjamin> would ask for a clarification from Paul -- when he says > Benjamin> that "We use CTS today with AES so the complexity penalty > Benjamin> for using it is already paid. Using known-good code > Benjamin> reduces the chance of introducing new security holes.", > Benjamin> does this account for the difference between the existing > Benjamin> enctypes (17,18) and the propsed enctypes with respect to > Benjamin> the use of a confounder versus explicit initialization > Benjamin> vector, and the the corresponding need to special-case > Benjamin> short inputs in the new proposal? I could not tell what > Benjamin> Microsoft's position on the short-input behavior was from > Benjamin> Paul's initial message. > >well, I can't think of a way to get to a short-input case throguh SSPI. > >It seems like we're having the discussion, so that bar has been reached. >_______________________________________________ >Kitten mailing list >Kitten@ietf.org >https://www.ietf.org/mailman/listinfo/kitten >_______________________________________________ >Kitten mailing list >Kitten@ietf.org >https://www.ietf.org/mailman/listinfo/kitten
- [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-01 Paul Miller (NT)
- Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-… Sam Hartman
- Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-… Benjamin Kaduk
- Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-… Nico Williams
- Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-… Luke Howard
- Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-… Sam Hartman
- Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-… Paul Miller (NT)
- Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-… Peck, Michael A
- Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-… Peck, Michael A
- Re: [kitten] draft-ietf-kitten-aes-cts-hmac-sha2-… Paul Miller (NT)