Re: [Lake] Some questions about CIPHERTEXT_2 of Message 2 in draft-ietf-lake-edhoc-20
"Yanlei(Ray)" <ray.yanlei@huawei.com> Fri, 25 August 2023 02:49 UTC
Return-Path: <ray.yanlei@huawei.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCE91C14CEFC for <lake@ietfa.amsl.com>; Thu, 24 Aug 2023 19:49:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.204
X-Spam-Level:
X-Spam-Status: No, score=-4.204 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pDuLAd76NDBC for <lake@ietfa.amsl.com>; Thu, 24 Aug 2023 19:49:34 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55D80C151995 for <lake@ietf.org>; Thu, 24 Aug 2023 19:49:34 -0700 (PDT)
Received: from lhrpeml500006.china.huawei.com (unknown [172.18.147.206]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4RX4CG4w6bz6HJbG for <lake@ietf.org>; Fri, 25 Aug 2023 10:48:42 +0800 (CST)
Received: from kwepemm000020.china.huawei.com (7.193.23.93) by lhrpeml500006.china.huawei.com (7.191.161.198) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.31; Fri, 25 Aug 2023 03:49:29 +0100
Received: from kwepemm600017.china.huawei.com (7.193.23.234) by kwepemm000020.china.huawei.com (7.193.23.93) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.31; Fri, 25 Aug 2023 10:49:27 +0800
Received: from kwepemm600017.china.huawei.com ([7.193.23.234]) by kwepemm600017.china.huawei.com ([7.193.23.234]) with mapi id 15.01.2507.031; Fri, 25 Aug 2023 10:49:27 +0800
From: "Yanlei(Ray)" <ray.yanlei@huawei.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "lake@ietf.org" <lake@ietf.org>
Thread-Topic: Some questions about CIPHERTEXT_2 of Message 2 in draft-ietf-lake-edhoc-20
Thread-Index: AdnWZMZV4aEbCiBxSMOEHXebgiTkswAHCfTkAB8I0XA=
Date: Fri, 25 Aug 2023 02:49:27 +0000
Message-ID: <9cff78e83429455e9d1e6dbe57ed5674@huawei.com>
References: <c7f1688b1c29405a9ff4543e8e62d4f2@huawei.com> <GVXPR07MB9678150AB73A4853019FD9E0891DA@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB9678150AB73A4853019FD9E0891DA@GVXPR07MB9678.eurprd07.prod.outlook.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.138.39.228]
Content-Type: multipart/alternative; boundary="_000_9cff78e83429455e9d1e6dbe57ed5674huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/8UiUfssBHmBFd1ahEmLQnpPG-3o>
Subject: Re: [Lake] Some questions about CIPHERTEXT_2 of Message 2 in draft-ietf-lake-edhoc-20
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Aug 2023 02:49:39 -0000
Dear John Mattsson, Thank you for your answer. Regards, Lei YAN From: Lake <lake-bounces@ietf.org> On Behalf Of John Mattsson Sent: Thursday, August 24, 2023 7:52 PM To: Yanlei(Ray) <ray.yanlei=40huawei.com@dmarc.ietf.org>; lake@ietf.org Subject: Re: [Lake] Some questions about CIPHERTEXT_2 of Message 2 in draft-ietf-lake-edhoc-20 Dear Lei YAN, >I am confused about how the CIPHERTEXT_2 is calculated. >In Section 5.3.2 of draft-ietf-lake-edhoc-20, I found there are 2 >sentences that contradict each other. >¡° * CIPHERTEXT_2 is calculated by using the EDHOC_Expand function as a >binary additive stream cipher over the following plaintext: >- PLAINTEXT_2 =... >... >- CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2¡± >Is the calculation of the CIPHERTEXT_2 using the EDHOC_Expand function or >just making the XOR operation? EDHOC_Expand is used to calculate KEYSTREAM_2. CIPHERTEXT_2 is then calculated as CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2. I made an issue on GitHub. We will try to reformulate “CIPHERTEXT_2 is calculated by using the EDHOC_Expand function as a binary additive stream cipher over the following plaintext” to make it clearer. https://github.com/lake-wg/edhoc/issues/431 FYI, there is also a companion document with test vectors that tries to illustrate all the steps. https://datatracker.ietf.org/doc/draft-ietf-lake-traces/ >Another concern is the security level of the encryption using XOR. >In Section 9.1 of draft-ietf-lake-edhoc-20: ¡°EDHOC has similar security >properties as can be expected from the theoretical SIGMA-I protocol >[SIGMA] and the Noise XX pattern [Noise], which are similar to methods 0 >and 3, respectively.¡± >However, Section 3.2 of the referenced paper [SIGMA] said the encryption >of the XOR type is not safe : ¡° In this case the above attack against STS >is still viable if the encryption is of the XOR type discussed above. In >this case, when A sends the message { A , sigA(gy, gx) }Ks, Eve replaces >A¡¯s identity (or certificate) by just XORing the value A ¨’ E in the >identity location in the ciphertext. When decrypted by B this identity is >read as E¡¯s and the signature verified also as E¡¯s.¡± The text in Section 3.2 is analyzing a modified version of the STS protocol and not SIGMA-I. SIGMA-I is analyzed in Section 5.2 where it is stated that “the encryption function (as applied in the third message) must be resistant to active attacks and therefore must combine some form of integrity protection”. Authenticated encryption in the second message does not improve identity protection in SIGMA-I as an active attacker can find the identity of B anyway. >By the way, is the encryption using XOR quantum-safe? Yes. Basically all encryption today such as AES-GCM, AES-CCM, ChaCha20-Poly1305 is done with modes that turn them into binary additive stream ciphers, i.e. XOR with a keystream. Cheers, John From: Lake <lake-bounces@ietf.org<mailto:lake-bounces@ietf.org>> on behalf of Yanlei(Ray) <ray.yanlei=40huawei.com@dmarc.ietf.org<mailto:ray.yanlei=40huawei.com@dmarc.ietf.org>> Date: Thursday, 24 August 2023 at 12:03 To: lake@ietf.org<mailto:lake@ietf.org> <lake@ietf.org<mailto:lake@ietf.org>> Subject: [Lake] Some questions about CIPHERTEXT_2 of Message 2 in draft-ietf-lake-edhoc-20 Dear authors, I am confused about how the CIPHERTEXT_2 is calculated. In Section 5.3.2 of draft-ietf-lake-edhoc-20, I found there are 2 sentences that contradict each other. “ * CIPHERTEXT_2 is calculated by using the EDHOC_Expand function as a binary additive stream cipher over the following plaintext: - PLAINTEXT_2 =... ... - CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2” Is the calculation of the CIPHERTEXT_2 using the EDHOC_Expand function or just making the XOR operation? Another concern is the security level of the encryption using XOR. In Section 9.1 of draft-ietf-lake-edhoc-20: “EDHOC has similar security properties as can be expected from the theoretical SIGMA-I protocol [SIGMA] and the Noise XX pattern [Noise], which are similar to methods 0 and 3, respectively.” However, Section 3.2 of the referenced paper [SIGMA] said the encryption of the XOR type is not safe : “ In this case the above attack against STS is still viable if the encryption is of the XOR type discussed above. In this case, when A sends the message { A , sigA(gy, gx) }Ks, Eve replaces A’s identity (or certificate) by just XORing the value A ⊕ E in the identity location in the ciphertext. When decrypted by B this identity is read as E’s and the signature verified also as E’s.” By the way, is the encryption using XOR quantum-safe? Regards, Lei YAN
- [Lake] Some questions about CIPHERTEXT_2 of Messa… Yanlei(Ray)
- Re: [Lake] Some questions about CIPHERTEXT_2 of M… John Mattsson
- Re: [Lake] Some questions about CIPHERTEXT_2 of M… Yanlei(Ray)