IETF Logo Mail Archive

Re: [kitten] explicit CBC IVs vs confounders: covert channels (draft-ietf-kitten-aes-cts-hmac-sha2)

Nico Williams <nico@cryptonector.com> Tue, 01 October 2013 22:19 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 610F121E822B for <kitten@ietfa.amsl.com>; Tue, 1 Oct 2013 15:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dTys9-jqIAAp for <kitten@ietfa.amsl.com>; Tue, 1 Oct 2013 15:19:43 -0700 (PDT)
Received: from homiemail-a88.g.dreamhost.com (caiajhbdcbef.dreamhost.com [208.97.132.145]) by ietfa.amsl.com (Postfix) with ESMTP id C8E4C21E820E for <kitten@ietf.org>; Tue, 1 Oct 2013 15:19:33 -0700 (PDT)
Received: from homiemail-a88.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a88.g.dreamhost.com (Postfix) with ESMTP id 9386C264060 for <kitten@ietf.org>; Tue, 1 Oct 2013 15:19:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=Bnx7ALp7PEF/8x0ZbUcV sLeZBOE=; b=OhHb8bgVBZvOM9NSAEkDwXJIPhkaB8wbNIxhF/2rjb/hiWFXSB3t +YjLVRV1YVqRfdhipeLrG+HN7FOBq/2XF1tyHcPlPl/mFkhBF8yc98IX02M9rgGd /FPNWBHe4twh+PaL/VDTCD5Kk7FfYp/46m3UGcKpRnaEv0oD+/4IZho=
Received: from mail-we0-f174.google.com (mail-we0-f174.google.com [74.125.82.174]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a88.g.dreamhost.com (Postfix) with ESMTPSA id 47FCF264058 for <kitten@ietf.org>; Tue, 1 Oct 2013 15:19:33 -0700 (PDT)
Received: by mail-we0-f174.google.com with SMTP id q58so7988475wes.19 for <kitten@ietf.org>; Tue, 01 Oct 2013 15:19:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=UCl9YF60heDofEdYLdNb2OJkBNmIdJ5nw3ixRWauZI4=; b=B73bbElWjO1fcz3hz1kzP8wm8/YlM4w+0l+gAhGFej5hS0asx7uhUKeupPF1dVPQiD u/o+s0p0tTiQDFLK1zpbrxjycaujo5KwfwIq7E4raYlqhW/aG9zAH8t8JHwxo9E5PhtN 7CAoMc0HFiWjzBD9VMQyrVaBwCa3clZh7vIRoh0UKpkwQplEiD9cpPCOiWSn0DG8GbmP x+v8+m1E7ycCROMG5PyYNl/vznaU6BxWtky7cX0Ip/Cz6bhFyYChE3Q+f0EB6mVu7gnL vR0AlAc2OxCR/14mhNH5tSV44jyo1Pt0lOS5sYpcOvlaUovle9cYJSi1g/8yZ2h5r1v8 /Oew==
MIME-Version: 1.0
X-Received: by 10.180.19.169 with SMTP id g9mr20715134wie.39.1380665971612; Tue, 01 Oct 2013 15:19:31 -0700 (PDT)
Received: by 10.216.240.70 with HTTP; Tue, 1 Oct 2013 15:19:31 -0700 (PDT)
In-Reply-To: <tslioxgepiw.fsf@mit.edu>
References: <ldvob7fmmq0.fsf@cathode-dark-space.mit.edu> <68eb2a3d201548349da7634f867a46cc@BLUPR03MB279.namprd03.prod.outlook.com> <tslioxgepiw.fsf@mit.edu>
Date: Tue, 01 Oct 2013 17:19:31 -0500
Message-ID: <CAK3OfOipCmshXUtA9kNfJx59QodbYi3b_PKngf4FCgUS2tizUQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
Content-Type: text/plain; charset="UTF-8"
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] explicit CBC IVs vs confounders: covert channels (draft-ietf-kitten-aes-cts-hmac-sha2)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2013 22:19:54 -0000

For uses of RFC3961 without state chaining there's no way to prove
that the confounder was obtained by encrypting a random IV...  So
confounding isn't necessarily sufficient to prevent leaking of RNG
state or keys, at least not for GSS mechanism uses.  And even where
chaining is used, there is one initial state case where the sender
might not have produced a confounder by encrypting a random IV, so
confounding does little to prevent leakage of RNG state (or outright
leakage of keys) via the confounder.

In light of recent events, I would like us to design protocols that
-as much as possible- have no public nonces, and where they are
necessary, they should be as small as possible and their cryptographic
purpose replaced/augmented by the plaintext of nonces sent enciphered
as soon as appropriate key material is available.  For Kerberos this
may require a revamp of RFC3961, with attendant changes to
implementations' APIs and to applications (so they may use the new
enctypes), unless we get clever.  If we're not prepared to do either
(upate RFC3961 or get clever) at this time, then which I think I
prefer to stick to confounding, with the security considerations
involved noted.

Of course, the right thing to do is to not leak RNG outputs by using
them as random IVs directly.  As various participants have pointed out
in various crypto lists, we all assumed no one would do *that* (use a
conjectured-backdoored RNG's outputs directly as nonces and keys), and
this sentiment will be even stronger going forward.  Preventing peers
from compromising one's communications with them is desirable, but I
think the best we can do is limit their covert channels for doing so,
and since one must trust one's peers to a fairly large degree... I'm
not too concerned here and I'm willing to settle for either random IVs
or confounders if there's no support for doing something better.

Nico
--

v2.23.0 | Report a Bug | By Email