Re: [Lake] Ways forward on MTI cipher suite text
John Mattsson <john.mattsson@ericsson.com> Wed, 26 January 2022 06:45 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "lake@ietf.org" <lake@ietf.org>
Date: Wed, 26 Jan 2022 06:45:19 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/alXvTss1OHtWQATSNnPs0TP3dH8>
> So what do these extra 8 bytes actually do?

8 byte tags provide 64-bit security against online brute force attacks. 16 byte tags provide 128-bit security against offline brute force attacks. To break 64-bit security against online brute force an attacker would on average have to send 4.3 billion messages per second for 68 years, which is infeasible in constrained IoT radio technologies.

A forgery against a 64-bit MAC in EDHOC breaks the security of all future application data, while a forgery against a 64-bit MAC in the subsequent application protocol (e.g., OSCORE) typically only breaks the security of the data in the forged packet.

I don’t understand exactly what attack you are talking about but the following types of attacks have been discussed:

- For most MAC algorithms, a forgery only breaks the security of that single packet and the complexity of key recovery is equal to the key length. For GCM, the complexity of authentication key recovery is equal to the tag length. But the complexities of multi-forgeries for most other MAC algorithms are not well understood.

- If the MAC length is not integrity protected and the receiver accepts different lengths, an attacker can perform forgeries on 32 bit MACs even if the sender only uses 128 bit MACs.

John

From: Lake <lake-bounces@ietf.org> on behalf of Michael Richardson <mcr+ietf@sandelman.ca>
Date: Tuesday, 25 January 2022 at 17:49
To: lake@ietf.org <lake@ietf.org>
Subject: Re: [Lake] Ways forward on MTI cipher suite text

Let me go back.

The threat we are dealing with is where an attacker has captured a packet that they feel does something interesting ("open flood gates now"), or which they think they know the layout of, and think they can via XOR, flip one of the plaintext bits by flipping a ciphertext bit.

In order to do that, the attacker has to create a packet that has the same MAC as the captured packet. They need some number of extra (irrelevant) bits which they can permute in order to create such a thing.

Why? If they knew the authentication/integrity key, they could just create their own packet, but of course, they might be limited to encrypted packets they had captured, if they didn't also know the encryption key.

The discussion about 64-bit or 128-bit MACs is about how hard it becomes to guess a combination that works out. Fewer bits visible leads to fewer combinations.

It is unclear to me in such a pre-image attack, if the attacker does not recover the integrity key. I don't see how they mount such an attack without it though.

My understanding from the 1990 days of IPsec, and the 96-bit truncated MAC, was that by truncating it, we open the possibility that when doing this attack, that the attacker might find a key which leads to the same lower 96-bits, but which isn't actually the correct key. So one packet works, but others do not.

A keyed HMAC is very different than a pure pre-image attack on SHAxx.

So what do these extra 8 bytes actually do?

--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
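The tag-length point in the reply above (a receiver that accepts tags of different lengths) can be checked with the following added example, which is not part of the original messages or of EDHOC. It assumes truncated HMAC-SHA256 as a stand-in MAC; all function names and sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

FULL_TAG_LEN = 16  # bytes; the sender in this sketch always emits 128-bit tags


def make_tag(key: bytes, msg: bytes, tag_len: int = FULL_TAG_LEN) -> bytes:
    """Truncated HMAC-SHA256 tag (assumed stand-in for a truncatable MAC)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:tag_len]


def verify_lenient(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Weak setting: the tag length is taken from the received packet."""
    if len(tag) == 0:
        return False
    return hmac.compare_digest(make_tag(key, msg, len(tag)), tag)


def verify_pinned(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Corrected setting: the length is fixed by the suite, not the packet."""
    if len(tag) != FULL_TAG_LEN:
        return False
    return hmac.compare_digest(make_tag(key, msg), tag)


def online_guesses_until_accept(verify, key: bytes, msg: bytes, tag_len: int):
    """Verifier queries needed when trying every tag of tag_len bytes.

    Returns None if no tag of that length is accepted. Only practical for
    tiny tag_len; each guess stands for one packet sent to the receiver.
    """
    for guess in range(256 ** tag_len):
        if verify(key, msg, guess.to_bytes(tag_len, "big")):
            return guess + 1
    return None


def expected_online_guesses(tag_bits: int) -> int:
    """Average number of online guesses against a t-bit tag: 2^(t-1)."""
    return 2 ** (tag_bits - 1)


if __name__ == "__main__":
    key = os.urandom(32)                 # constructed sample key
    msg = b"constructed sample payload"  # constructed sample message
    print("lenient, 1-byte tag:", online_guesses_until_accept(verify_lenient, key, msg, 1))
    print("pinned,  1-byte tag:", online_guesses_until_accept(verify_pinned, key, msg, 1))
    print("expected guesses, 64-bit tag:", expected_online_guesses(64))
```

With the lenient check the work needed is set by the shortest tag the receiver tolerates, whatever length the sender uses; with the pinned check it is set by the suite's tag length, and 2^63 guesses spread over 68 years matches the 4.3 billion messages per second quoted in the reply.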