Re: [Lake] Some questions about CIPHERTEXT_2 of Message 2 in draft-ietf-lake-edhoc-20

John Mattsson <john.mattsson@ericsson.com> Thu, 24 August 2023 11:52 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/RF3pQ_HV9yTMJku6Ui3Sg11zcY8>

Dear Lei YAN,

>I am confused about how the CIPHERTEXT_2 is calculated.
>In Section 5.3.2 of draft-ietf-lake-edhoc-20, I found there are 2
>sentences that contradict each other.
>“ * CIPHERTEXT_2 is calculated by using the EDHOC_Expand function as a
>binary additive stream cipher over the following plaintext:
>- PLAINTEXT_2 =...
>...
>- CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2”
>Is the calculation of the CIPHERTEXT_2 using the EDHOC_Expand function or
>just making the XOR operation?

EDHOC_Expand is used to calculate KEYSTREAM_2. CIPHERTEXT_2 is then calculated as CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2.

I made an issue on GitHub. We will try to reformulate “CIPHERTEXT_2 is calculated by using the EDHOC_Expand function as a binary additive stream cipher over the following plaintext” to make it clearer.

https://github.com/lake-wg/edhoc/issues/431

FYI, there is also a companion document with test vectors that tries to illustrate all the steps.
https://datatracker.ietf.org/doc/draft-ietf-lake-traces/

>Another concern is the security level of the encryption using XOR.
>In Section 9.1 of draft-ietf-lake-edhoc-20: “EDHOC has similar security
>properties as can be expected from the theoretical SIGMA-I protocol
>[SIGMA] and the Noise XX pattern [Noise], which are similar to methods 0
>and 3, respectively.”
>However, Section 3.2 of the referenced paper [SIGMA] said the encryption
>of the XOR type is not safe: “ In this case the above attack against STS
>is still viable if the encryption is of the XOR type discussed above. In
>this case, when A sends the message { A , sigA(gy, gx) }Ks, Eve replaces
>A’s identity (or certificate) by just XORing the value A ⊕ E in the
>identity location in the ciphertext. When decrypted by B this identity is
>read as E’s and the signature verified also as E’s.”

The text in Section 3.2 is analyzing a modified version of the STS protocol and not SIGMA-I. SIGMA-I is analyzed in Section 5.2 where it is stated that “the encryption function (as applied in the third message) must be resistant to active attacks and therefore must combine some form of integrity protection”. Authenticated encryption in the second message does not improve identity protection in SIGMA-I as an active attacker can find the identity of B anyway.

>By the way, is the encryption using XOR quantum-safe?

Yes. Basically all encryption today such as AES-GCM, AES-CCM, ChaCha20-Poly1305 is done with modes that turn them into binary additive stream ciphers, i.e. XOR with a keystream.

Cheers,
John


From: Lake <lake-bounces@ietf.org> on behalf of Yanlei(Ray) <ray.yanlei=40huawei.com@dmarc.ietf.org>
Date: Thursday, 24 August 2023 at 12:03
To: lake@ietf.org <lake@ietf.org>
Subject: [Lake] Some questions about CIPHERTEXT_2 of Message 2 in draft-ietf-lake-edhoc-20
Dear authors,

I am confused about how the CIPHERTEXT_2 is calculated.
In Section 5.3.2 of draft-ietf-lake-edhoc-20, I found there are 2 sentences that contradict each other.
“ * CIPHERTEXT_2 is calculated by using the EDHOC_Expand function as a binary additive stream cipher over the following plaintext:
- PLAINTEXT_2 =...
...
- CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2”
Is the calculation of the CIPHERTEXT_2 using the EDHOC_Expand function or just making the XOR operation?

Another concern is the security level of the encryption using XOR.
In Section 9.1 of draft-ietf-lake-edhoc-20: “EDHOC has similar security properties as can be expected from the theoretical SIGMA-I protocol [SIGMA] and the Noise XX pattern [Noise], which are similar to methods 0 and 3, respectively.”
However, Section 3.2 of the referenced paper [SIGMA] said the encryption of the XOR type is not safe : “ In this case the above attack against STS is still viable if the encryption is of the XOR type discussed above. In this case, when A sends the message { A , sigA(gy, gx) }Ks, Eve replaces A’s identity (or certificate) by just XORing the value A ⊕ E in the identity location in the ciphertext. When decrypted by B this identity is read as E’s and the signature verified also as E’s.”
By the way, is the encryption using XOR quantum-safe?

Regards,
Lei YAN
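
The two steps described in the reply above (EDHOC_Expand produces KEYSTREAM_2, then CIPHERTEXT_2 = PLAINTEXT_2 XOR KEYSTREAM_2), together with the XOR malleability quoted from [SIGMA] Section 3.2, as an added example that is not part of the thread or of the EDHOC draft. It assumes a SHA-256 cipher suite where EDHOC_Expand is HKDF-Expand, and an assumed `info` layout of (label 0, TH_2, length) as a CBOR sequence; `PRK_2E`, `TH_2` and `PLAINTEXT_2` are constructed values, so the output does not match the draft-ietf-lake-traces vectors.

```python
import hashlib
import hmac

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def cbor_head(major: int, n: int) -> bytes:
    """CBOR initial bytes for major type `major` and argument n < 65536."""
    if n < 24:
        return bytes([major << 5 | n])
    if n < 256:
        return bytes([major << 5 | 24, n])
    return bytes([major << 5 | 25]) + n.to_bytes(2, "big")

def keystream_2(prk_2e: bytes, th_2: bytes, length: int) -> bytes:
    # Assumed info layout: CBOR sequence (label 0, TH_2 as bstr, length as uint).
    info = cbor_head(0, 0) + cbor_head(2, len(th_2)) + th_2 + cbor_head(0, length)
    return hkdf_expand(prk_2e, info, length)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crypt_2(prk_2e: bytes, th_2: bytes, data: bytes) -> bytes:
    """Encrypts PLAINTEXT_2 or decrypts CIPHERTEXT_2; XOR is its own inverse."""
    return xor(data, keystream_2(prk_2e, th_2, len(data)))

def flip_identity(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """The bit-flip quoted from [SIGMA] 3.2: XOR (old XOR new) into the ciphertext."""
    end = offset + len(old)
    return ciphertext[:offset] + xor(ciphertext[offset:end], xor(old, new)) + ciphertext[end:]

# Constructed values, not from draft-ietf-lake-traces.
PRK_2E = hashlib.sha256(b"constructed PRK_2e").digest()
TH_2 = hashlib.sha256(b"constructed TH_2").digest()
PLAINTEXT_2 = b"ID=alice;MAC_2=0123456789abcdef"  # stand-in, not real CBOR

if __name__ == "__main__":
    ct = crypt_2(PRK_2E, TH_2, PLAINTEXT_2)
    print("CIPHERTEXT_2:", ct.hex())
    print("decrypted:   ", crypt_2(PRK_2E, TH_2, ct))
    tampered = flip_identity(ct, 3, b"alice", b"carol")
    print("after flip:  ", crypt_2(PRK_2E, TH_2, tampered))
```

The flipped ciphertext decrypts without any error, so the XOR step by itself detects nothing. Because the requested length is part of the assumed `info`, a shorter keystream is not a prefix of a longer one.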