IETF Logo Mail Archive

Re: [Secdispatch] Ciphertext format draft

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 17 January 2021 16:39 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99A1F3A127D for <secdispatch@ietfa.amsl.com>; Sun, 17 Jan 2021 08:39:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.527
X-Spam-Level:
X-Spam-Status: No, score=-0.527 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MALFORMED_FREEMAIL=1.569, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RRdCl2Xssj3K for <secdispatch@ietfa.amsl.com>; Sun, 17 Jan 2021 08:39:45 -0800 (PST)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60D6F3A127B for <secdispatch@ietf.org>; Sun, 17 Jan 2021 08:39:45 -0800 (PST)
Received: by mail-wr1-x433.google.com with SMTP id l12so8962616wry.2 for <secdispatch@ietf.org>; Sun, 17 Jan 2021 08:39:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=pVv54TVnSP8lO33a/QZjbkqGl511IxCrM1iZ3EnLExI=; b=blzDoJ3gcauZ+Fo6zIrmrTanoPo00vRLer79hR2wt4MXt01y7HzUcJMxu1aFp0+SCc Sto7Cutx8adopvdkdakh5ZQJeyWBbBqNAAW+8fl3+YzV+R/093NoncW4KJjSG1jbs+OE eSSouLhilRi5DNL0+tD/+9epbRoeusI3VJx+8l9gSbOix+BIrwgyXyR7wmeqGrR2qI4V uuhjoDuvXF0gunrI1ovn7KBrmPE3NWxcItGEejGcbAgd5GhMrDhO8UueUdNOZ9GI+XS4 +aYIH53gJ8smO6Py2fdeyY0N1ip52SHnwb1viOtCr9b3pT5yaE2tK8ABcxijrrgyD+Od RV9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=pVv54TVnSP8lO33a/QZjbkqGl511IxCrM1iZ3EnLExI=; b=BnEBc/E8jSnqmo6lI/maVecUo8fuK6HDmikLuRRtSzVC+njEu6jzt4dbpFY+6jMe+b AGD3uEDwUafo47qsPS+keiXBmSYdMeV4/mzT6/t9r+gvT8EV9FZhD9JaIyO3uzpsQmKa TRHLGjvHgQLAT7f0P46Rgobp03NbOuFA/RVOWSL201hLKrhvqbx1d+Xo9QWu5QpcjBcl Xzj4Uud4qHx5aLv8iKetqo3D+wN6hzU1ndMkrPhZDUi/iy8Oaj4jHcywPZasZl6cl1td j5R7HIP7RctKYMZimbdz7E0t8OpxFGldOTaiS4AKvTgJ9cJe1ETo20I56ZwqH+YEMhUw 5emg==
X-Gm-Message-State: AOAM533hWh98AiEYhOwiFZa4uEPCLdsOe0t5mTFgSndWYjHYCRcwltDU ferOj0yQjTAKyrc6xFM2WAk=
X-Google-Smtp-Source: ABdhPJwigdhr+QkB8o3U/y0nY74k0xMkAfjXiAS/OXsV6uhVLwEIVaOhAO41hL+qnoanos6nQocX9g==
X-Received: by 2002:a5d:4f82:: with SMTP id d2mr22040453wru.87.1610901583483; Sun, 17 Jan 2021 08:39:43 -0800 (PST)
Received: from [192.168.68.105] (bzq-79-183-113-247.red.bezeqint.net. [79.183.113.247]) by smtp.gmail.com with ESMTPSA id r10sm5451856wmd.15.2021.01.17.08.39.41 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 17 Jan 2021 08:39:42 -0800 (PST)
User-Agent: Microsoft-MacOutlook/16.45.21011103
Date: Sun, 17 Jan 2021 18:39:41 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Russ Housley <housley@vigilsec.com>
CC: "Keselman, Gleb" <Gleb_Keselman@intuit.com>, Yoav Nir <ynir.ietf@gmail.com>, IETF SecDispatch <secdispatch@ietf.org>
Message-ID: <3CFBC5E4-1261-4635-931B-BB090E8AB881@gmail.com>
Thread-Topic: [Secdispatch] Ciphertext format draft
References: <8B46C11A-790A-4E8E-A7A1-8FE97E2DD9A7@contoso.com> <523854C0-3D2B-4565-A6FF-8DF46EBD88A2@vigilsec.com> <3C9F29DF-CDA6-48BA-B94E-5CCE63E4AA57@gmail.com> <77529C17-9D2F-46A0-9F80-44227A71C5A0@vigilsec.com> <F5A7508D-E1B1-4DF5-ABF6-155F864C2F2B@gmail.com> <1721133D-89C3-435D-9B0D-BA362A4B1242@vigilsec.com>
In-Reply-To: <1721133D-89C3-435D-9B0D-BA362A4B1242@vigilsec.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3693753582_497584094"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/18qWOxHejdWX7oNOgnVGSriKNuE>
Subject: Re: [Secdispatch] Ciphertext format draft
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jan 2021 16:39:48 -0000

Hi Russ,

 

NIST 800-38D speaks of a single AAD input, not multiple. Thus we have a single AAD field in the format. An application can obviously concatenate multiple inputs into this field, and we could add instructions how to do it securely. Would that address your comment?

 

Thanks,

                Yaron

 

From: Russ Housley <housley@vigilsec.com>
Date: Sunday, January 17, 2021 at 18:10
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: "Keselman, Gleb" <Gleb_Keselman@intuit.com>, Yoav Nir <ynir.ietf@gmail.com>, IETF SecDispatch <secdispatch@ietf.org>
Subject: Re: [Secdispatch] Ciphertext format draft

 

Yaron:

 

Binding the plaintext fields to the ciphertext ones is important, but it requires knowledge such as the ordering that is not expressed in the format.  That would be useful.

 

Russ



On Jan 16, 2021, at 5:13 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

 

Hi Russ,

 

In the example in the document, the database primary key (e.g. customer’s email address) is included as AAD for all the fields that are encrypted for that customer. This prevent an attacker who can modify the database (but has no access to keys) from moving encrypted fields from one customer to another. Decryption of such moved fields would fail.

 

Note that in this use case, the AAD does NOT need to be stored explicitly, because it is a duplicate of data in other (plaintext) fields.

 

Quoting the blog: “EncryptionContext should include all of the information associated with the ciphertext that you will later need to interpret it. A good rule is to always include at least enough information to uniquely identify the location of the ciphertext (for example, a URI, file path, or database table and primary keys).”

 

Thanks,

                Yaron

 

From: Russ Housley <housley@vigilsec.com>
Date: Friday, January 15, 2021 at 23:40
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: "Keselman, Gleb" <Gleb_Keselman@intuit.com>, IETF SecDispatch <secdispatch@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [Secdispatch] Ciphertext format draft

 

Yaron:

 

The document does not saqy anything about what might go in the AAD field.  I know what it is, and I know how it is used in packet protocols.  But how is it used in this database context?

 

Russ




On Jan 15, 2021, at 3:23 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

 

Hi Russ,

 

I’m not sure what you are asking re: AAD. This is a single octet-string input to AES-GCM (NIST SP 800-38D, Sec. 5.2.1.1, as well as RFC 5116). Or did you mean: what is the use case for AAD when encrypting data at rest? Amazon uses AEAD in their KMS SDK, and published [1] a nice blog showing how it can be used to bind ciphertext to its context in order to prevent cut-and-paste attacks.

 

In our main use case, the data is structured with a well defined schema (a.k.a., SQL database). So “content type” doesn’t make sense. This is early days for the format and people will surely come up with other use cases.

 

Thanks,

                Yaron

 

[1] https://aws.amazon.com/blogs/security/how-to-protect-the-integrity-of-your-encrypted-data-by-using-aws-key-management-service-and-encryptioncontext/

 

From: Russ Housley <housley@vigilsec.com>
Date: Friday, January 15, 2021 at 18:37
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: IETF SecDispatch <secdispatch@ietf.org>, "Keselman, Gleb" <Gleb_Keselman@intuit.com>, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [Secdispatch] Ciphertext format draft

 

Yaron:

 

How do you see AAD being used? 

 

Also, CMS carries a field that tells how to parse the plaintext (the content type) after it obtained by decryption.  I cannot tell whether that is useful or in you use case, but I can imagine places where it would be very helpful.

 

Russ





On Jan 15, 2021, at 9:53 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

 

Hi, we just submitted draft-sheffer-ietf-ciphertext-format-01 [1]. This is a CBOR-based set of headers for encrypted data, with the goal of enabling automation of large datasets that contain encrypted data, typically interspersed with plain data. Specifically we want to facilitate discovery of encrypted data (e.g., this database column contains ciphertext) and attributing this data back to the service that created the data and the key that was used to encrypt it.

 

We received good feedback on the SAAG list to change from generic TLV to CBOR, which we implemented in -01.

 

The authors would appreciate this list’s feedback regarding next steps.

 

Thanks,

                Yaron

 

[1] https://tools.ietf.org/id/draft-sheffer-ietf-ciphertext-format-01.xml

 

_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org
https://www.ietf.org/mailman/listinfo/secdispatch

 

_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org
https://www.ietf.org/mailman/listinfo/secdispatch

 

_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org
https://www.ietf.org/mailman/listinfo/secdispatch

v2.23.0 | Report a Bug | By Email