IETF Logo Mail Archive

Re: [Lake] Ways forward on MTI cipher suite text

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 25 January 2022 16:49 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7FBA3A1168 for <lake@ietfa.amsl.com>; Tue, 25 Jan 2022 08:49:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id izfVQait_aPv for <lake@ietfa.amsl.com>; Tue, 25 Jan 2022 08:49:07 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 139E83A1154 for <lake@ietf.org>; Tue, 25 Jan 2022 08:49:06 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 2E644389DC for <lake@ietf.org>; Tue, 25 Jan 2022 11:55:49 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id PEgsdFNseryR for <lake@ietf.org>; Tue, 25 Jan 2022 11:55:47 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id DB3AA389DA for <lake@ietf.org>; Tue, 25 Jan 2022 11:55:47 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1643129747; bh=UwMZRGi6UDOveszRbyNcrvPeCwHcJCxAagDJjOy4OQs=; h=From:to:Subject:In-Reply-To:References:Date:From; b=0jE8VobPwEhnoRU6k6+diMsQQ53aU5LXXeUvTmnUIRhm66rLxWN5cEIELGDeyhh2j zBESU4rfx+K8MB8Wribt19dsh7YiMiwvlNAQjE8RBURM3BBRnNguqndO09uYJsINGo jJL0R5O1gDs3FY/tfC0qxQAuLOmyQ8SMdnXMtrKz+zfIBgqmWqeiD5cGwlDvGqbwq+ XPf6BdBbvxsIOg8NRLgPJHXx7JVf8JpntCpRONN1B+W4r3iV8I0iHaE4ID6Ql0QxUF V7sDlSw1xWLlgM2ndcHsp87h/xOyeDv0M8rOMFqbQh+fHBSd9ZLGg6YJw7qcT1jBGk inoW85k8VdWEA==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id A79512C1 for <lake@ietf.org>; Tue, 25 Jan 2022 11:49:02 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
to: "lake@ietf.org" <lake@ietf.org>
In-Reply-To: <14667.1643068411@localhost>
References: <2A2081E4-BAAF-4292-925E-0B683AA6CD23@inria.fr> <24192.1643036826@localhost> <AM4PR0701MB2195208CA41C14108E5CD85AF45E9@AM4PR0701MB2195.eurprd07.prod.outlook.com> <14667.1643068411@localhost>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 25 Jan 2022 11:49:02 -0500
Message-ID: <24988.1643129342@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/Tuu01u0z_9kMHZapVxLpZUQTPBs>
Subject: Re: [Lake] Ways forward on MTI cipher suite text
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jan 2022 16:49:18 -0000

Let me go back.

The threat we are dealing with is where an attacker has captured a packet
that they feel does something interesting ("open flood gates now"), or which
they think they know the layout of, and think they can via XOR, flip one of
the plaintext bits by flipping a ciphertext bit.

In order to do that, the attacker has to create a packet that has the same
MAC as the captured packet.  They need some number of extra (irrelevant) bits
which they can permute in order to create such a thing.

Why?

If they knew the authentication/integrity key, they could just create their
own packet, but of course, they might be limited to encrypted packets they
had captured, if they didn't also know the encryption key.
The discussion about 64-bit or 128-bit MACs is how about hard it becomes to
guess a combination that works out.   Fewer bits visible leads to fewer
combinations.  It is unclear to me in such a pre-image attack, if attacker
does not recover the integrity key.   I don't see how they mount such an
attack without it though.

My understanding from the 1990 days of IPsec, and the 96-bit truncated MAC,
was that by truncating it, we open the possibility that when doing this
attack, that the attacker might find a key which leads to the same lower
96-bits, but which isn't actually the correct key.  So one packet works,
but others do not.

A keyed HMAC is very different than a pure pre-image attack on SHAxx.

So what do these extra 8 bytes actually do?

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email