Re: [Sframe] Question about sframe_salt
Richard Barnes <rlb@ipv.sx> Thu, 03 August 2023 18:17 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: sframe@ietfa.amsl.com
Delivered-To: sframe@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3A1EC15DF48 for <sframe@ietfa.amsl.com>; Thu, 3 Aug 2023 11:17:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nBBpj_0x5N6Y for <sframe@ietfa.amsl.com>; Thu, 3 Aug 2023 11:17:18 -0700 (PDT)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C344FC15DF4D for <sframe@ietf.org>; Thu, 3 Aug 2023 11:17:18 -0700 (PDT)
Received: by mail-ej1-x62d.google.com with SMTP id a640c23a62f3a-99bdf08860dso518985166b.0 for <sframe@ietf.org>; Thu, 03 Aug 2023 11:17:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20221208.gappssmtp.com; s=20221208; t=1691086637; x=1691691437; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=QcU1c1ojeJCTZcclXTkSj2mokAQGMe5+F4Xyg+cmAi0=; b=BCkzWZ6FPNtiOBKJlqQEf5GBWTpOE1weGDrF8ezDfYaTNjGgcDCtZgMqMeAUw1rBxb X7fcSZT09hVpFvI80gOPP5arWhqc7eY7sMGeN7nSVnK2+Th8b/NJPmItK7tFEz5n+eaS qyYczDxto4ayoKi7XI2FGXnSuE9w2luT0sX2oIvMDTif4SNuFam3FonyPJQe2HlaZ95U 9cxv0eIhyxXSAPBKVQmrr2uDnwReboHhFwAOCbh2iMrHKs9+5HXZcFEA0JNcQFDnq3uq ehMYpGN/U+qFBEupsexvPxcnLZV7LY6UOYmqAmuXJ9OOVR0oDYG+Z2Eei/lBJLUQtJXD C0dQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691086637; x=1691691437; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=QcU1c1ojeJCTZcclXTkSj2mokAQGMe5+F4Xyg+cmAi0=; b=EkXYENXWYkAxXnSt43IrQOEs8wHIFFCRwsocOgg5i1zNiQRqEAiVFC58BQCdrQpPQE Bwosn4gsN5YbueJw0gafKXurAmvVGYdoASSX0M5QUBDfYgEEodnISO7yEGU8EcVNxdVJ 7HnDZL25uCmsWGH2yCkIANOXPHhTS+GWIdg5jZlhCvNL2pId22RqUNCPGbtRF8XOKWVH 2TjzcuDlcK50JJ7i/jIYMhEupniLmgCWADY7U/D/PLeP4L5Nk9S/OzuO/87PieiLy2Ha Khlh4LuVk53hxCeq25LXZhnnuCOytoFhN1V7+DLdTZTrKgGeH76DmBHXwZ+yjTp90k5b 6CUg==
X-Gm-Message-State: ABy/qLZSK2ScObqb8odmkCikVsDnIQc2r5QCzAbSBM6t4VULTXNTHimL pCFQpHyHwEfFFQ0ggOy5opoBsixMFMD6Pcn1WRvprvWmbaH2yStNrVxYQM4n
X-Google-Smtp-Source: APBJJlFpQI08ezLkDjlnfqFiTt8GvfmR4nYUh96V4QgAuWXdsj18jDFi4eO3KQ4A48rHKGYdqHk1cDmAUWvmOnZBTHw=
X-Received: by 2002:a17:907:3f1f:b0:98d:abd4:4000 with SMTP id hq31-20020a1709073f1f00b0098dabd44000mr9720826ejc.35.1691086636785; Thu, 03 Aug 2023 11:17:16 -0700 (PDT)
MIME-Version: 1.0
References: <946e9afba6bc430bae83a135105c26e6@amazon.ch>
In-Reply-To: <946e9afba6bc430bae83a135105c26e6@amazon.ch>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 03 Aug 2023 14:17:05 -0400
Message-ID: <CAL02cgT63W27xEbf6oxYomh_1tNN3X-CL7M5xAQkbqt-nsy5Yw@mail.gmail.com>
To: "Mularczyk, Marta" <mulmarta=40amazon.ch@dmarc.ietf.org>
Cc: "sframe@ietf.org" <sframe@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000045388b060208cade"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sframe/0WjUdB--Bt1gMXU_rMDNToD6zy4>
Subject: Re: [Sframe] Question about sframe_salt
X-BeenThere: sframe@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Media Frames <sframe.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sframe>, <mailto:sframe-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sframe/>
List-Post: <mailto:sframe@ietf.org>
List-Help: <mailto:sframe-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sframe>, <mailto:sframe-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2023 18:17:22 -0000
The construction here is just mimicking what SRTP does for AES-CTR IV formation [1]: > IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16) The differences here are just that (1) the SFrame CTR value replaces the SRTP counter `i` and (2) we allow for 32 bits of counter instead of 16. There is some rationale in RFC 3711 for this design [2]: > The effective key size is determined (upper bounded) by the size of > the master key and, for encryption, the size of the salting key. Any > additive stream cipher is vulnerable to attacks that use statistical > knowledge about the plaintext source to enable key collision and > time-memory tradeoff attacks [MF00] [H80] [BS00]. If I understand correctly, the core thing the salt does is make sure that the IV is unknown to any attacker who doesn't also have the key, so that the attacker can't perform certain attacks that would require knowledge of the IV. Just using nonce = CTR would obviously make the nonce known to the attacker. This pattern turns out to be pretty universal in protocols that encrypt streams of objects: * TLS/DTLS XORs a per-record sequence number with a per-stream `client/server_write_iv` [3] * MLS derives a completely fresh nonce for each message it protects [4] * IPsec ESP has an explicit IV, but the GCM integration adds a random salt [5] * SSH derives IVs from secret state via hashing [6] * HPKE XORs a message counter with a "base nonce" [7] * NaCl doesn't specify a nonce formation, but notes "Choosing the nonce as a counter followed by (e.g.) 32 random bits helps protect some protocols against denial-of-service attacks" [8] The only exception I came across in a brief search is Noise, which appears to use an unmodified counter for its nonce [9]. --Richard [1] https://datatracker.ietf.org/doc/html/rfc3711#section-4.1.1 [2] https://datatracker.ietf.org/doc/html/rfc3711#section-7.2 [3] https://datatracker.ietf.org/doc/html/rfc8446#section-5.3 [4] https://datatracker.ietf.org/doc/html/rfc9420#name-encryption-keys [5] https://datatracker.ietf.org/doc/html/rfc4106#section-3.1 [6] https://datatracker.ietf.org/doc/html/rfc4253#section-7.2 [7] https://datatracker.ietf.org/doc/html/rfc9180#name-encryption-and-decryption [8] https://cr.yp.to/highspeed/naclcrypto-20090310.pdf [9] http://www.noiseprotocol.org/noise.html#security-considerations On Thu, Aug 3, 2023 at 1:05 PM Mularczyk, Marta <mulmarta= 40amazon.ch@dmarc.ietf.org> wrote: > Hi all! > > > Another small question, this time not necessarily to change anything. Why > is the nonce computed as xor(sframe_salt, CTR) instead of nonce = CTR? Is > there an attack this prevents? > > > Best, > > Marta > -- > Sframe mailing list > Sframe@ietf.org > https://www.ietf.org/mailman/listinfo/sframe >
- [Sframe] Question about sframe_salt Mularczyk, Marta
- Re: [Sframe] Question about sframe_salt Richard Barnes
- Re: [Sframe] Question about sframe_salt Mularczyk, Marta