Re: [smime] [Technical Errata Reported] RFC5084 (4774)
Quan Nguyen <quannguyen@google.com> Thu, 11 August 2016 18:50 UTC
Return-Path: <quannguyen@google.com>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B15512D7FF for <smime@ietfa.amsl.com>; Thu, 11 Aug 2016 11:50:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.247
X-Spam-Level:
X-Spam-Status: No, score=-3.247 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O9AtlnBe2V9y for <smime@ietfa.amsl.com>; Thu, 11 Aug 2016 11:50:15 -0700 (PDT)
Received: from mail-ua0-x235.google.com (mail-ua0-x235.google.com [IPv6:2607:f8b0:400c:c08::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94E64127077 for <smime@ietf.org>; Thu, 11 Aug 2016 11:50:15 -0700 (PDT)
Received: by mail-ua0-x235.google.com with SMTP id n59so7374055uan.2 for <smime@ietf.org>; Thu, 11 Aug 2016 11:50:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Vj5bB4SOVRH7adfCJ6fPwP9eGngCJ2LPV5cvrisLJaE=; b=jQa5/ci3j99y6M5ZC4PHk9Cwc+FweRe+Uz4m2tea+xqsyTcufTtKau0RlDylkESlHe jkfs6X2o7Cf2YmNm/oVVgJDFyrzwLrRm7ia6SL2sFgywcOl1pI98Bc2nq5KFjUCG8KWk WuA1N2wKH4ts0mfEu1NYAMU6xjBXxnFnkX46jPLsMbKSKSe75B/0uUlbYY0vbXxsXmST XI750BwSZoyGVPv8cOqlga8l2dsyamJTRg4ctwrNMvuGocR3gvZDVCiVfKYbSyX899hv yG8ttGZ86PpYIjExPFGHeGDWRP6b1g0irHMjkqESfapRW8e8aBWfW8pGiZ/4saD2lzJD j5ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Vj5bB4SOVRH7adfCJ6fPwP9eGngCJ2LPV5cvrisLJaE=; b=LoBmD85J5pC0zff+L0zNTEQ7D81YT8m1ZEZq797pwJKrQ/otoxLZhLy9jdj66RIfTj jjOJ8hz3MXZXylz3UZn1l/yv84ZxMnAU+rP5UCfJtTN2ObhiKTpgwxn2UfZHBSML/RZz VDqYELIfcBeZkUhEk2vklPr/IiBMrzyzaSSXOfCMwNtWSI21KYLa2euf3tJfZlQTMr4m soIfC36hwpwiDPFo8T8n9rycuw6XjcpfFdjloJo/E0WN33B031UI/Lt+qUTXmZmAjpNE P5NdqQQRMxrvKhMbEQkxVxM1+91L3wS4AMCZslndSqNKdvfvyDImESJpOl9184XZnpG/ RfZg==
X-Gm-Message-State: AEkoouvHK/KYJ2WYojDkMrkioZTIbTeoplkjqBmi3XYmxd76UeWUW7hz6IE8AlrksRxRvvOeqFXGQ4nODskswmM4
X-Received: by 10.31.244.138 with SMTP id s132mr1225125vkh.49.1470941414645; Thu, 11 Aug 2016 11:50:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.151.197 with HTTP; Thu, 11 Aug 2016 11:49:54 -0700 (PDT)
In-Reply-To: <20160811184733.4444EB8111E@rfc-editor.org>
References: <20160811184733.4444EB8111E@rfc-editor.org>
From: Quan Nguyen <quannguyen@google.com>
Date: Thu, 11 Aug 2016 11:49:54 -0700
Message-ID: <CAKkgqz0j3KwQi5ARRmOYf7+iw5W_6zo3qgLT0aoHiARYqUwjqA@mail.gmail.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: multipart/alternative; boundary="94eb2c1124f281d22c0539d03c73"
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/SGlZsjoviGO0kYxk96Vb2SkHL_I>
X-Mailman-Approved-At: Mon, 15 Aug 2016 14:47:09 -0700
Cc: smime@ietf.org, paul.hoffman@vpnc.org, Kathleen.Moriarty.ietf@gmail.com, stephen.farrell@cs.tcd.ie
Subject: Re: [smime] [Technical Errata Reported] RFC5084 (4774)
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2016 18:54:56 -0000
On Thu, Aug 11, 2016 at 11:47 AM, RFC Errata System < rfc-editor@rfc-editor.org> wrote: > The following errata report has been submitted for RFC5084, > "Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic > Message Syntax (CMS)". > > -------------------------------------- > You may review the report below and at: > http://www.rfc-editor.org/errata_search.php?rfc=5084&eid=4774 > > -------------------------------------- > Type: Technical > Reported by: QUAN NGUYEN <quannguyen@google.com> > > Section: 3.2 > > Original Text > ------------- > aes-ICVlen AES-GCM-ICVlen DEFAULT 12 > > A length of 12 octets is RECOMMENDED. > > Corrected Text > -------------- > aes-ICVlen AES-GCM-ICVlen DEFAULT 16 > > A length of 16 octets is RECOMMENDED. > > Notes > ----- > Many JCE providers including OpenJDK, BouncyCastle, Conscrypt have a bug > to use 12 bytes authentication tag (aes-ICVlen) as default if the code path > [1] uses CMS. According to Ferguson's attack (http://csrc.nist.gov/groups/ > ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf), if a user > encrypts 2^32 block length message, then 12 bytes authentication tag length > has only 96 - 32 = 64 bits security which is not good enough nowadays. > Furthermore, once a forgery happens then authentication is leaked. > Sorry, I meant "authentication *key*" is leaked. > > [1] In other code paths, all providers use 16 bytes authentication tag as > default. > > Instructions: > ------------- > This erratum is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party (IESG) > can log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC5084 (draft-ietf-smime-cms-aes-ccm-and-gcm-03) > -------------------------------------- > Title : Using AES-CCM and AES-GCM Authenticated Encryption > in the Cryptographic Message Syntax (CMS) > Publication Date : November 2007 > Author(s) : R. Housley > Category : PROPOSED STANDARD > Source : S/MIME Mail Security > Area : Security > Stream : IETF > Verifying Party : IESG > >
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Jim Schaad
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Russ Housley
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Russ Housley
- Re: [smime] [Technical Errata Reported] RFC5084 (… Russ Housley
- Re: [smime] [Technical Errata Reported] RFC5084 (… Sean Leonard
- Re: [smime] [Technical Errata Reported] RFC5084 (… Paul Hoffman
- Re: [smime] [Technical Errata Reported] RFC5084 (… Jim Schaad
- [smime] [Technical Errata Reported] RFC5084 (4774) RFC Errata System