Re: [smime] [Technical Errata Reported] RFC5084 (4774)
Russ Housley <housley@vigilsec.com> Mon, 15 August 2016 20:55 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7964712D50E for <smime@ietfa.amsl.com>; Mon, 15 Aug 2016 13:55:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.899
X-Spam-Level:
X-Spam-Status: No, score=-101.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fuZIvbrjZTj0 for <smime@ietfa.amsl.com>; Mon, 15 Aug 2016 13:55:37 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA0C912D18A for <smime@ietf.org>; Mon, 15 Aug 2016 13:55:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 784DE3005D8 for <smime@ietf.org>; Mon, 15 Aug 2016 16:55:35 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id L8hpgyaDo2DY for <smime@ietf.org>; Mon, 15 Aug 2016 16:55:32 -0400 (EDT)
Received: from [192.168.2.100] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) by mail.smeinc.net (Postfix) with ESMTPSA id 63020300430; Mon, 15 Aug 2016 16:55:31 -0400 (EDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_C4D8DC90-B21C-4EB0-94B5-B72BBBE318BE"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAKkgqz0j3KwQi5ARRmOYf7+iw5W_6zo3qgLT0aoHiARYqUwjqA@mail.gmail.com>
Date: Mon, 15 Aug 2016 16:55:35 -0400
Message-Id: <EA5FD496-53AE-4902-A18F-556F954CD161@vigilsec.com>
References: <20160811184733.4444EB8111E@rfc-editor.org> <CAKkgqz0j3KwQi5ARRmOYf7+iw5W_6zo3qgLT0aoHiARYqUwjqA@mail.gmail.com>
To: Quan Nguyen <quannguyen@google.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/j2QLTa_uuaYEauQQk5Tz2fZNtiA>
Cc: IETF SMIME <smime@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, David McGrew <mcgrew@cisco.com>, RFC Editor <rfc-editor@rfc-editor.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [smime] [Technical Errata Reported] RFC5084 (4774)
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2016 20:55:40 -0000
Quan: I do not think that we can change the DEFAULT value associated with these OIDs. Changing the meaning of an absent aes-ICVlen will result in too many interoperability problems. However, we could put out a very short RFC that updates RFC 5084 to recommend the use of 16 octet authentication tags in all situations. Russ On Aug 11, 2016, at 2:49 PM, Quan Nguyen <quannguyen@google.com> wrote: > > > On Thu, Aug 11, 2016 at 11:47 AM, RFC Errata System <rfc-editor@rfc-editor.org> wrote: > The following errata report has been submitted for RFC5084, > "Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)". > > -------------------------------------- > You may review the report below and at: > http://www.rfc-editor.org/errata_search.php?rfc=5084&eid=4774 > > -------------------------------------- > Type: Technical > Reported by: QUAN NGUYEN <quannguyen@google.com> > > Section: 3.2 > > Original Text > ------------- > aes-ICVlen AES-GCM-ICVlen DEFAULT 12 > > A length of 12 octets is RECOMMENDED. > > Corrected Text > -------------- > aes-ICVlen AES-GCM-ICVlen DEFAULT 16 > > A length of 16 octets is RECOMMENDED. > > Notes > ----- > Many JCE providers including OpenJDK, BouncyCastle, Conscrypt have a bug to use 12 bytes authentication tag (aes-ICVlen) as default if the code path [1] uses CMS. According to Ferguson's attack (http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf), if a user encrypts 2^32 block length message, then 12 bytes authentication tag length has only 96 - 32 = 64 bits security which is not good enough nowadays. Furthermore, once a forgery happens then authentication is leaked. > > Sorry, I meant "authentication key" is leaked. > > [1] In other code paths, all providers use 16 bytes authentication tag as default. > > Instructions: > ------------- > This erratum is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party (IESG) > can log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC5084 (draft-ietf-smime-cms-aes-ccm-and-gcm-03) > -------------------------------------- > Title : Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS) > Publication Date : November 2007 > Author(s) : R. Housley > Category : PROPOSED STANDARD > Source : S/MIME Mail Security > Area : Security > Stream : IETF > Verifying Party : IESG > >
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Jim Schaad
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Russ Housley
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Quan Nguyen
- Re: [smime] [Technical Errata Reported] RFC5084 (… Russ Housley
- Re: [smime] [Technical Errata Reported] RFC5084 (… Russ Housley
- Re: [smime] [Technical Errata Reported] RFC5084 (… Sean Leonard
- Re: [smime] [Technical Errata Reported] RFC5084 (… Paul Hoffman
- Re: [smime] [Technical Errata Reported] RFC5084 (… Jim Schaad
- [smime] [Technical Errata Reported] RFC5084 (4774) RFC Errata System