IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: AD review of draft-ietf-lamps-cms-kemri-05

Falko Strenzke <falko.strenzke@mtg.de> Wed, 25 October 2023 06:49 UTC

Return-Path: <falko.strenzke@mtg.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9FBDC16F3F1 for <spasm@ietfa.amsl.com>; Tue, 24 Oct 2023 23:49:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FILDLJe-fh1c for <spasm@ietfa.amsl.com>; Tue, 24 Oct 2023 23:49:45 -0700 (PDT)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF070C151065 for <spasm@ietf.org>; Tue, 24 Oct 2023 23:49:43 -0700 (PDT)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.17.2/8.17.2) with ESMTPS id 39P6nTKH032488 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Wed, 25 Oct 2023 08:49:29 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1698216569; bh=O8f8pB9C6Zdoq8feT/zRGn1nQfqNOpL7IaICQxVwUFU=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=ARlsTbk3OsxysnLv4rIeOgthIbKDV++0VeiDO6APlNPGF8Jma5tzv/nlbqMJNfl4C Fezn/FYGJQegltsoVUCkH9/y+uda3dF5ixIo8Qt9Efvb7/4lvgv403M82S7JsgyTWN kUpZuNXx832jsQ9seByBeVEspV2RKU1st4NSMZZIuA4eEiEyvCzebgL8kr01xEbUy2 FbrXLpx1SYfSA89TY3xVFwhwOyNKjaMaIzerWq+THqyRRhtlxfBTS7R7NllDFhfa+7 RPXbn7qilWuU/kzR26FdvQR5v7wWqnUWLSuGOY7BTDIkhfqsYhclbnpVB3e5fRxRRo G3SiKaZAK0uRg==
Received: from [10.8.0.100] (vpn-10-8-0-100 [10.8.0.100]) by minka.mtg.de (8.17.2/8.17.2) with ESMTPS id 39P6nRcp001691 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Wed, 25 Oct 2023 08:49:27 +0200
Message-ID: <4e2b8a55-f244-4a76-aa42-183caf1af442@mtg.de>
Date: Wed, 25 Oct 2023 08:49:27 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: John Gray <John.Gray@entrust.com>, Roman Danyliw <rdd@cert.org>, "spasm@ietf.org" <spasm@ietf.org>
Cc: Johannes Roth <Johannes.roth@mtg.de>
References: <PH1P110MB1116F6A57FF36BF7A2D8991ADCCCA@PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM> <6b815a8d-7ff9-49fd-8339-418b2d7d62c1@mtg.de> <DM6PR11MB2585B728D71886CF2FD75F7EEADFA@DM6PR11MB2585.namprd11.prod.outlook.com>
Content-Language: en-GB
From: Falko Strenzke <falko.strenzke@mtg.de>
In-Reply-To: <DM6PR11MB2585B728D71886CF2FD75F7EEADFA@DM6PR11MB2585.namprd11.prod.outlook.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms040403020001080005050601"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/DgZyOsbkrYEY4KCSI8yJzuwy8Zs>
Subject: Re: [lamps] [EXTERNAL] Re: AD review of draft-ietf-lamps-cms-kemri-05
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2023 06:49:49 -0000

Hi John,

I don't see how the ukm field can prevent cross-mode attacks. In a cross 
mode attack, the attacker takes an original AEAD encrypted message, 
applies suitable transformations to it, and then lets the victim decrypt 
it as a CBC message. Since the victim's decrypting client doesn't 
interpret the contents of the ukm field (which the attacker leaves 
unchanged), the derived AES key for the CBC decryption will be the same 
as for the (originally intended) AEAD decryption, and the attacker can 
thus exploit cross-mode relations among the different encryption modes 
(CTR/CBC in this case – CTR is used in both AES-CCM and AES-GCM defined 
for CMS [1] ). See [2] for the general idea but note that these are just 
examples for such attacks and not necessarily report the security 
implications of cross-mode attacks completely.

To defend against such attacks, an input to the key derivation is needed 
that is dependent on the contentEncryptionAlgorithm that is actually 
used in the decryption of that message. Only then it is ensured that 
when the attacker changes the contentEncryptionAlgorithm, a different 
AES key will be used during decryption than that for the original 
message, thus making cross-mode attacks impossible.

- Falko

[1] https://datatracker.ietf.org/doc/html/rfc5084

[2] 
https://www.researchgate.net/publication/45787175_Related-Mode_Attacks_on_CTR_Encryption_Mode

Am 24.10.23 um 23:20 schrieb John Gray:
>
> Hi Falko,
>
> I think we already have accommodation for this in the draft via the 
> optional ukm field:
>
> CMSORIforKEMOtherInfo ::= SEQUENCE {
>
>            wrap KeyEncryptionAlgorithmIdentifier,
>
>            kekLength INTEGER (1..65535),
>
> *           ukm [0] EXPLICIT UserKeyingMaterial OPTIONAL }*
>
> ukm is optional user keying material.  When the ukm value is
>
>       provided, it is used as part of the info structure described in
>
>       Section 5 to provide a context input to the key-derivation
>
>       function. *For example, the ukm value could include a nonce,*
>
> *      application-specific context information, or an identifier for the*
>
> *      originator.*A KEM algorithm may place requirements on the ukm
>
>       value.  Implementations that do not support the ukm field SHOULD
>
>       gracefully discontinue processing when the ukm field is present.
>
>       Note that this requirement expands the original purpose of the ukm
>
>       described in Section 10.2.6 of [RFC5652]; it is not limited to
>
>       being used with key agreement algorithms.
>
> If you wanted to include the contentEncryptionAlgorithm as context 
> information to be used for key derivation, you can already do that 
> with this field.  I think it should achieve what you are looking for 
> (key separation) as it is used as context input to the KDF.
>
> Cheers,
>
> John Gray
>
> *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of * Falko Strenzke
> *Sent:* Tuesday, October 24, 2023 8:31 AM
> *To:* Roman Danyliw <rdd@cert.org>; spasm@ietf.org
> *Cc:* Johannes Roth <Johannes.roth@mtg.de>
> *Subject:* [EXTERNAL] Re: [lamps] AD review of 
> draft-ietf-lamps-cms-kemri-05
>
> We are aware that the document draft-ietf-lamps-cms-kemri 
> <https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-kemri/> is 
> already in the AD review and thus far progressed in its process of 
> finalisation. We have a good reason to propose a modification to this 
> document still at this late stage. Both the suggested change and the 
> reason for it are explained in the following.
>
>
>       Proposed change
>
> We propose to include the algorithm identifier of the symmetric scheme 
> used for the payload encryption, i.e., the contentEncryptionAlgorithm, 
> in CMSORIforKEMOtherInfo.
>
>
>       Reason for the proposed change
>
> The reason is, besides it generally being best practice to include 
> such contextual information into the key deriviation, that there is 
> the threat of AEAD-to-CBC cross-mode / downgrade attacks against 
> state-of-the-art CMS. The KEM-RI draft has the opportunity to remove 
> this potential weakness at least for KEMs and thus we strongly suggest 
> to make this change. Including the contentEncryptionAlgorithm in the 
> key derivation ensures that one arrives at different content 
> encryption keys if the contentEncryptionAlgorithm is changed (for 
> instance) from AEAD to CBC.
>
> Please note that also the OpenPGP crypto-refresh 
> <https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/> 
> incorporates a key derivation – that deviates in its parameters from 
> what we propose here and is only used in the case of AEAD – that 
> ensures key separation for the newly introduced AEAD and the legacy 
> CFB encrypted data packets.
>
> - Falko Strenzke and Johannes Roth
>
> Am 11.10.23 um 21:58 schrieb Roman Danyliw:
>
>     Hi!
>
>       
>
>     I performed an AD review of draft-ietf-lamps-cms-kemri-05.  Thanks for this very important update to CMS.  This document is in good shape.  As the below are minor, I'll advance this to IETF LC and ask that this feedback be resolved concurrently.
>
>       
>
>     ** Section 2.  Editorial. Should the distribution of the recipient’s public key be made explicit?
>
>     OLD
>
>         In advance, each recipient uses KeyGen() to create a key pair, and
>
>         then obtains a certificate [RFC5280] that includes the public key.
>
>       
>
>     NEW
>
>       
>
>     In advance, each recipient uses the KEM KeyGen() function to create a key pair, and then may obtains a certificate [RFC5280] that includes this newly generated public key.  This public key or associated certificate is them made available.
>
>       
>
>     ** Section 2.  Editorial.  Recommendation for several sections.  When a KEM function, KeyGen()/Encapsulate()/Decapsulate() is mentioned, referred to is as a “KEM <insert function name>”.  For example, s/Encapsulate() function/KEM Encapsulate() function/
>
>       
>
>     ** Section 3.
>
>            The
>
>            RecipientIdentifier provides two alternatives for specifying the
>
>            recipient's certificate [RFC5280]
>
>       
>
>     Isn’t the correct reference for the two mechanisms in RecipientIdentifier (i.e., issuerAndSerialNumber and subjectKeyIdentifier) provided by RFC5652?
>
>       
>
>     ** Section 3.  Editorial
>
>          The issuerAndSerialNumber alternative identifies the
>
>            recipient's certificate by the issuer's distinguished name and the
>
>            certificate serial number; the subjectKeyIdentifier identifies the
>
>            recipient's certificate by a key identifier.
>
>       
>
>     Is there a missing “or” between these two options?  Both don’t need to be present in the RecipientIdentifier structure.
>
>       
>
>     ** Section 3.  Process question.
>
>            Note that this requirement expands the original purpose of the ukm
>
>            described in Section 10.2.6 of [RFC5652]; it is not limited to
>
>            being used with key agreement algorithms.
>
>       
>
>     Does this imply that this RFC should formally “update” RFC5652?
>
>       
>
>     ** Section 6.1.  Since SMIME-CAPS is being used in the formal definition of the KEY-ALGORITHM class, RFC 5912 needs to be a normative reference.  RFC5912 is informational, but it already in the DOWNREF registry.
>
>       
>
>     ** Section 6.1. As an aside, what is the SMIME link to KEMs?
>
>       
>
>     ** Section 7.
>
>         The choice of the KDF SHOULD be made based on the security level
>
>         provided by the KEM.  The KDF SHOULD at least have the security level
>
>         of the KEM.
>
>       
>
>     What is the nuance being conveyed between these two sentences?  What additional considerations exist beyond what is spelled out in the second sentence?  This construct is repeated in the next paragraphs for key-encryption algorithms too.
>
>       
>
>     ** Section 7.  Typo. s/used to by the/used by the/
>
>       
>
>     Regards,
>
>     Roman
>
>     _______________________________________________
>
>     Spasm mailing list
>
>     Spasm@ietf.org
>
>     https://www.ietf.org/mailman/listinfo/spasm
>
> -- 
>
> *MTG AG*
> Dr. Falko Strenzke
> Executive System Architect
>
> Phone: +49 6151 8000 24
> E-Mail: falko.strenzke@mtg.de
> Web: mtg.de <https://www.mtg.de>
>
> ------------------------------------------------------------------------
>
> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
> Commercial register: HRB 8901
> Register Court: Amtsgericht Darmstadt
> Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
> Chairman of the Supervisory Board: Dr. Thomas Milde
>
> This email may contain confidential and/or privileged information. If 
> you are not the correct recipient or have received this email in error,
> please inform the sender immediately and delete this email. 
> Unauthorised copying or distribution of this email is not permitted.
>
> Data protection information: Privacy policy 
> <https://www.mtg.de/en/privacy-policy>
>
> /Any email and files/attachments transmitted with it are intended 
> solely for the use of the individual or entity to whom they are 
> addressed. If this message has been sent to you in error, you must not 
> copy, distribute or disclose of the information it contains. _Please 
> notify Entrust immediately and delete the message from your system._/ 
-- 

*MTG AG*
Dr. Falko Strenzke
Executive System Architect

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>


------------------------------------------------------------------------

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email. Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>

v2.23.0 | Report a Bug | By Email