IETF Logo Mail Archive

Re: [smime] [Technical Errata Reported] RFC5084 (4774)

Russ Housley <housley@vigilsec.com> Mon, 15 August 2016 20:55 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7964712D50E for <smime@ietfa.amsl.com>; Mon, 15 Aug 2016 13:55:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.899
X-Spam-Level:
X-Spam-Status: No, score=-101.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fuZIvbrjZTj0 for <smime@ietfa.amsl.com>; Mon, 15 Aug 2016 13:55:37 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA0C912D18A for <smime@ietf.org>; Mon, 15 Aug 2016 13:55:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 784DE3005D8 for <smime@ietf.org>; Mon, 15 Aug 2016 16:55:35 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id L8hpgyaDo2DY for <smime@ietf.org>; Mon, 15 Aug 2016 16:55:32 -0400 (EDT)
Received: from [192.168.2.100] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) by mail.smeinc.net (Postfix) with ESMTPSA id 63020300430; Mon, 15 Aug 2016 16:55:31 -0400 (EDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_C4D8DC90-B21C-4EB0-94B5-B72BBBE318BE"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAKkgqz0j3KwQi5ARRmOYf7+iw5W_6zo3qgLT0aoHiARYqUwjqA@mail.gmail.com>
Date: Mon, 15 Aug 2016 16:55:35 -0400
Message-Id: <EA5FD496-53AE-4902-A18F-556F954CD161@vigilsec.com>
References: <20160811184733.4444EB8111E@rfc-editor.org> <CAKkgqz0j3KwQi5ARRmOYf7+iw5W_6zo3qgLT0aoHiARYqUwjqA@mail.gmail.com>
To: Quan Nguyen <quannguyen@google.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/j2QLTa_uuaYEauQQk5Tz2fZNtiA>
Cc: IETF SMIME <smime@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, David McGrew <mcgrew@cisco.com>, RFC Editor <rfc-editor@rfc-editor.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [smime] [Technical Errata Reported] RFC5084 (4774)
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2016 20:55:40 -0000

Quan:

I do not think that we can change the DEFAULT value associated with these OIDs.  Changing the meaning of an absent aes-ICVlen will result in too many interoperability problems.  However, we could put out a very short RFC that updates RFC 5084 to recommend the use of 16 octet authentication tags in all situations.  

Russ


On Aug 11, 2016, at 2:49 PM, Quan Nguyen <quannguyen@google.com> wrote:

> 
> 
> On Thu, Aug 11, 2016 at 11:47 AM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> The following errata report has been submitted for RFC5084,
> "Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=5084&eid=4774
> 
> --------------------------------------
> Type: Technical
> Reported by: QUAN NGUYEN <quannguyen@google.com>
> 
> Section: 3.2
> 
> Original Text
> -------------
> aes-ICVlen       AES-GCM-ICVlen DEFAULT 12
> 
> A length of 12 octets is RECOMMENDED.
> 
> Corrected Text
> --------------
> aes-ICVlen       AES-GCM-ICVlen DEFAULT 16
> 
> A length of 16 octets is RECOMMENDED.
> 
> Notes
> -----
> Many JCE providers including OpenJDK, BouncyCastle, Conscrypt have a bug to use 12 bytes authentication tag (aes-ICVlen) as default if the code path [1] uses CMS. According to Ferguson's attack (http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf), if a user encrypts 2^32 block length message, then 12 bytes authentication tag length has only 96 - 32 = 64 bits security which is not good enough nowadays. Furthermore, once a forgery happens then authentication is leaked.
> 
> Sorry, I meant "authentication key" is leaked. 
> 
> [1] In other code paths, all providers use 16 bytes authentication tag as default.
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.
> 
> --------------------------------------
> RFC5084 (draft-ietf-smime-cms-aes-ccm-and-gcm-03)
> --------------------------------------
> Title               : Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)
> Publication Date    : November 2007
> Author(s)           : R. Housley
> Category            : PROPOSED STANDARD
> Source              : S/MIME Mail Security
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
> 
>

v2.23.0 | Report a Bug | By Email