IETF Logo Mail Archive

Re: [Sframe] John Scudder's No Objection on draft-ietf-sframe-enc-07: (with COMMENT)

Richard Barnes <rlb@ipv.sx> Wed, 03 April 2024 17:04 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: sframe@ietfa.amsl.com
Delivered-To: sframe@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0E58C14F73E for <sframe@ietfa.amsl.com>; Wed, 3 Apr 2024 10:04:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oB_BHDp6pDg8 for <sframe@ietfa.amsl.com>; Wed, 3 Apr 2024 10:04:44 -0700 (PDT)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34DFCC14F71C for <sframe@ietf.org>; Wed, 3 Apr 2024 10:04:43 -0700 (PDT)
Received: by mail-il1-x12f.google.com with SMTP id e9e14a558f8ab-369f1e29dccso4032745ab.3 for <sframe@ietf.org>; Wed, 03 Apr 2024 10:04:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1712163883; x=1712768683; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=tw4yVYYpleqTgZDU8pGc1w8luqDpBxYa5vPuAvr7voU=; b=FNVFNlyDljCu3K2lkzWnQ8CyamFZM+M536MPpQMaNx66pu0GTmnA+aMhCQLJ7e5JGx DGl+enTWOGDQTSKHitYQmawp9wgXpCHKuO8qsLm5Qt97NvROo4i4XUcUTr/ND2o4p6UX NlppNlNjmURIdD7w0RMOGm0kNVDe1LBcqgYFnxlxAA/01ycsyhNxERhC0k7YBPSrRlDr Xhszwb8XeoU8QGS4ODo+uj4zDhDSDeIckkLGXl296ozbl3lAK6/qtg34YgZuyAWgR9w1 0mlRLYXDH/Lz9Ql+xxcjs6g148g/GAaFb7rdjbAFeC07Uf5AnPSxZnr/zC27pZp1z3gW KKLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712163883; x=1712768683; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=tw4yVYYpleqTgZDU8pGc1w8luqDpBxYa5vPuAvr7voU=; b=tkIJOj0sNy7hiocfbHviJ37+/EinzjffB/C7RDTTJ5eFpMWyk5pLfxiwpqkcOk6/7O KaPEiN2JoHEuZLR3c6ez3IWShxDokDTuIgmwswyVIiagJzOfP9rpLEjro0Fp62euYW2f r5aXTVo1PpyjDSdCmCC0dMv1qoBQWQR8mmMnYdYggxUfXwWjBgh6WZkgbuo8BXWJi7Fz dCiSNaPQl8agN3Z2QyisMzQr4xcg/bIUOAjzVAa4rie/XFCXgA0bAlno8DrnhcwadK4X wzXd3KNVWFDu8V+JjZO19Bk9QvaR0UYppNIWkIm3t0a3Uy7n4BSZvnLrS1z+IeATq0lg 1XXw==
X-Forwarded-Encrypted: i=1; AJvYcCVmhjzADWMNfat0RpVHmC+GO2mf+E5Gc0k5gd/MQESlREiz0Qum1MbxiHRC8j7hr3kD4ll8r4lIjaEh9yMHTP0=
X-Gm-Message-State: AOJu0Yy94wCvjdJQ+3GoU6/8ynDDuLbwz7Vh6JEOA9qK/AB9DUxdmOna PSp3OVptJ0oweuT8xS8Oyl0lSG0bVUMKVQK4ndV77rZqj6eIyph2Q6jKmKrCgL6UcT62giShhN7 EAEeWSK5dnXuqezFbOGJRI9jKwknQX6TO5T/bdw==
X-Google-Smtp-Source: AGHT+IG1h7Y2nu0e1Xo/Jvjt327Pd+K6xLLMDXillaE+7Jue2ulIhB/lwSuvKyF5oS4EpcdYI3uJPudNGVbMYNpkLc4=
X-Received: by 2002:a05:6e02:1949:b0:368:96a2:f759 with SMTP id x9-20020a056e02194900b0036896a2f759mr213635ilu.13.1712163883238; Wed, 03 Apr 2024 10:04:43 -0700 (PDT)
MIME-Version: 1.0
References: <171215449244.43146.5206581136717668242@ietfa.amsl.com> <CAL02cgRGF0un9Cd+xyRTyaNojgE+YqU_W8TdQ1jDStjL_YO-Ew@mail.gmail.com> <B74AFCD2-9C89-4CD6-820D-369728404FE4@juniper.net>
In-Reply-To: <B74AFCD2-9C89-4CD6-820D-369728404FE4@juniper.net>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 03 Apr 2024 13:04:32 -0400
Message-ID: <CAL02cgRL3krZymVCMXSV9H4px2yyD_SULbLZeWkN-5v6NFzmDg@mail.gmail.com>
To: John Scudder <jgs@juniper.net>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-sframe-enc@ietf.org" <draft-ietf-sframe-enc@ietf.org>, "sframe-chairs@ietf.org" <sframe-chairs@ietf.org>, "sframe@ietf.org" <sframe@ietf.org>, Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="0000000000000ee7fd06153438d3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sframe/iithGUCYYwG1bXz66ZXJucnQ38c>
Subject: Re: [Sframe] John Scudder's No Objection on draft-ietf-sframe-enc-07: (with COMMENT)
X-BeenThere: sframe@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Media Frames <sframe.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sframe>, <mailto:sframe-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sframe/>
List-Post: <mailto:sframe@ietf.org>
List-Help: <mailto:sframe-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sframe>, <mailto:sframe-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2024 17:04:44 -0000

Not unreasonable.  Wrote up a PR:

https://github.com/sframe-wg/sframe/pull/197

On Wed, Apr 3, 2024 at 12:39 PM John Scudder <jgs@juniper.net> wrote:

> On Apr 3, 2024, at 11:39 AM, Richard Barnes <rlb@ipv.sx> wrote:
>
> The high-level message, though, is that `SFrameContext::decrypt()` should
> be a constant-time operation, irrespective of whether the decryption is
> successful or not.  I think the current text is close enough to capture
> that, but would be open to clarifying further.
>
>
> The attack I can imagine that isn’t captured by your discussion is that
> (as hinted in my earlier comment) an attacker on (or in sight range of!)
> the subject endpoint could potentially know by visual inspection, or
> equivalent, that a keyframe had been dropped. Still up to you whether you
> want to take this on board, though. I think the additional clarity provided
> by your specific observation that "`SFrameContext::decrypt()` should be a
> constant-time operation” seems more valuable overall. One way to write that
> could be,
>
> OLD:
>             Invalid ciphertexts SHOULD be discarded
>    in a way that is indistinguishable (to an external observer) from
>    having processed a valid ciphertext.
>
> NEW:
>             Invalid ciphertexts SHOULD be discarded
>    in a way that is indistinguishable (to an external observer) from
>    having processed a valid ciphertext. In particular the decrypt()
>    operation should be constant-time, irrespective of input.
>
> And thanks for the context about compressed CTR.
>
> —John
>

v2.23.0 | Report a Bug | By Email