IETF Logo Mail Archive

Re: [kitten] considering abandoning CTS mode (Re: I-D Action:draft-ietf-kitten-aes-cts-hmac-sha2-01.txt)

Kelley Burgin <kwburgi@tycho.ncsc.mil> Thu, 15 August 2013 17:26 UTC

Return-Path: <kwburgi@tycho.ncsc.mil>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 779BF11E81DF for <kitten@ietfa.amsl.com>; Thu, 15 Aug 2013 10:26:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 91JUrPVUvgbL for <kitten@ietfa.amsl.com>; Thu, 15 Aug 2013 10:26:53 -0700 (PDT)
Received: from nsa.gov (emvm-gh1-uea08.nsa.gov [63.239.67.9]) by ietfa.amsl.com (Postfix) with ESMTP id 7936511E817A for <kitten@ietf.org>; Thu, 15 Aug 2013 10:26:52 -0700 (PDT)
X-TM-IMSS-Message-ID: <18bac63d0000ebf2@nsa.gov>
Received: from tarius.tycho.ncsc.mil ([144.51.31.2]) by nsa.gov ([63.239.67.9]) with ESMTP (TREND IMSS SMTP Service 7.1) id 18bac63d0000ebf2 ; Thu, 15 Aug 2013 13:26:34 -0400
Received: from rd6um-58422h.infosec.tycho.ncsc.mil (rd6um-58422h [192.168.26.151]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id r7FHQlRI005294; Thu, 15 Aug 2013 13:26:47 -0400
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Kelley Burgin <kwburgi@tycho.ncsc.mil>
In-Reply-To: <ldv7gfnfxcv.fsf@cathode-dark-space.mit.edu>
Date: Thu, 15 Aug 2013 13:28:38 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <E0DABA8F-493C-45C1-B909-3383A6B28E25@tycho.ncsc.mil>
References: <5674376E76F88641AD3748A64F0996971AAA4F35@TK5EX14MBXC285.redmond.corp.microsoft.com> <tsly584dyzt.fsf@mit.edu> <5674376E76F88641AD3748A64F0996971AAB7DA1@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAK3OfOgRH88DmtAJw=hgd-t7-Sac3xTf-kD+aYOUCDh79AOtkg@mail.gmail.com> <ldv7gfnfxcv.fsf@cathode-dark-space.mit.edu>
To: Tom Yu <tlyu@MIT.EDU>
X-Mailer: Apple Mail (2.1503)
Cc: "kitten@ietf.org" <kitten@ietf.org>, Michiko Short <michikos@microsoft.com>, Sam Hartman <hartmans-ietf@MIT.EDU>
Subject: Re: [kitten] considering abandoning CTS mode (Re: I-D Action:draft-ietf-kitten-aes-cts-hmac-sha2-01.txt)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2013 17:26:59 -0000

Thanks Tom for your responses, you are correct.

>> I would not say that padding is not a concern. There is definitely concern about security vulnerabilities pursuing this course of action.  We have seen plenty of issues with CBC and padding. At the least, if there is a padding oracle then there is a problem. So there will need to be much more scrutiny if moving away from CTS. Remaining with CTS would be preferred as it would both avoid the app compat issue and security concerns. We would hate to have to disable a new cipher suite due to app compat issues or limit it to enlighted applications. 
> 
> My understanding is that the encrypt-then-MAC construction eliminates
> the known CBC padding oracle attacks.  If someone has evidence to the
> contrary, I would like to hear about it.

This is correct.

> 
>> I am curious why we aren't just using the same AES-CTS as in the current RFC?
> 
> I think the short answer is Suite B requirements and a desire to
> conform with current cryptographic best practices.

Correct again.

> 
> I believe one goal is to align with
> draft-mcgrew-aead-aes-cbc-hmac-sha2.  Earlier proposals for the Suite
> B enctypes involved GCM (I think we had a consensus that GCM wouldn't
> really work for anything invoving long-term keys), and some variant on
> the padded CBC that we're considering now, but changed to CTS mode
> because of MS-RPC related padding concerns.  It's a different CTS mode
> than the one we use for RFC 3962.

GCM will not work in a long-term key environment because of counter rollover issues.

> 
> I think part of the justification for the differences between
> draft-ietf-kitten-aes-cts-hmac-sha2-01 and RFC 3962 is to align more
> closely with cryptographic best practice.  This includes using an
> explicit IV (rather than a confounder) and using encrypt-then-MAC.
> The RFC 3962 encode-then-encrypt-and-MAC approach has been proven
> secure, but I recall that particular security result was far from
> obvious to the research community before the publication of the proof.
> 
>> Also why SHA 384 instead of 512?
> 
> I asked Kelley about this, and he said the Suite B mandate was for 128
> bits for lower security, and 192 bits for higher security.  That would
> imply SHA-384 (I think HMAC-SHA-256 should be sufficient, but they
> want an unequivocal 192 bits of strength).  I don't know why Suite B
> doesn't specify AES-192 instead of AES-256 though.  Maybe these
> rationales should be included in future revisions.

This encryption type is intended to support Suite B applications.

v2.23.0 | Report a Bug | By Email