IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: AD review of draft-ietf-lamps-cms-kemri-05

Russ Housley <housley@vigilsec.com> Fri, 27 October 2023 18:51 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1692C14CE53 for <spasm@ietfa.amsl.com>; Fri, 27 Oct 2023 11:51:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ptcTvxY_9HKk for <spasm@ietfa.amsl.com>; Fri, 27 Oct 2023 11:51:03 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06648C14CE52 for <spasm@ietf.org>; Fri, 27 Oct 2023 11:51:03 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 5FB5B1C6B4F; Fri, 27 Oct 2023 14:51:02 -0400 (EDT)
Received: from smtpclient.apple (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 3DDC51C6CAB; Fri, 27 Oct 2023 14:51:02 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <DFE19AFA-0113-4359-82A2-7A43C35453F8@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_11BBA4A8-F75B-4137-BEE4-C58EEFCCDA62"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Fri, 27 Oct 2023 14:50:52 -0400
In-Reply-To: <CH0PR11MB573936514CAAA751823C37A99FDCA@CH0PR11MB5739.namprd11.prod.outlook.com>
Cc: Falko Strenzke <falko.strenzke@mtg.de>, "Roman D. Danyliw" <rdd@cert.org>, LAMPS <spasm@ietf.org>, Johannes Roth <Johannes.roth@mtg.de>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
References: <PH1P110MB1116F6A57FF36BF7A2D8991ADCCCA@PH1P110MB1116.NAMP110.PROD.OUTLOOK.COM> <6b815a8d-7ff9-49fd-8339-418b2d7d62c1@mtg.de> <7d796f7e-3743-4691-a5bd-5d2cbb90741c@mtg.de> <EB0F6E23-0D11-4AEC-9CFC-7025E3AF8B86@vigilsec.com> <CH0PR11MB573936514CAAA751823C37A99FDCA@CH0PR11MB5739.namprd11.prod.outlook.com>
X-Mailer: Apple Mail (2.3731.700.6)
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/pkAuAC0mPeL8dClwbKM7V6g_v3I>
Subject: Re: [lamps] [EXTERNAL] Re: AD review of draft-ietf-lamps-cms-kemri-05
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Oct 2023 18:51:07 -0000

Mike:

The AlgorithmIdentifier for the KEK is input to the KDF.

The suggestion that it also include AlgorithmIdentifier for the CEK will not solve the problem, at least not for the other flavors of RecipientInfo.  I'd like to come up with one solution for all of the flavors.

Russ

> On Oct 27, 2023, at 2:32 PM, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
> 
> Pausing WGLC to study this seems prudent.
>  
> If I’m reading the draft correctly, currently the KEK is derived from an HKDF which includes in its input the DER-encoded value of:
>  
>       CMSORIforKEMOtherInfo ::= SEQUENCE {
>         wrap KeyEncryptionAlgorithmIdentifier,
>         kekLength INTEGER (1..65535),
>         ukm [0] EXPLICIT UserKeyingMaterial OPTIONAL }
>  
> Falko and Johannes are proposing to also include contentEncryptionAlgorithm.
>  
> My understanding is that this would be a pretty big abstraction layer violation in CMS since the *RecipientInfo’s job is to transport the CEK material, not to dictate its use. For example, the KEMRecipientInfo structure does not carry the contentEncryptionAlgorithm identifier. In fact, you have to recurse all the way up to EncryptedContentInfo in RFC 5652 to find it, and passing it all the way down into the *RecipientInfo KEK derivation would be a major API overhaul.
>  
> Worth thinking about though.
>  
> ---
> Mike Ounsworth
>  
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley
> Sent: Friday, October 27, 2023 9:55 AM
> To: Falko Strenzke <falko.strenzke@mtg.de <mailto:falko.strenzke@mtg.de>>
> Cc: Roman D. Danyliw <rdd@cert.org <mailto:rdd@cert.org>>; LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>; Johannes Roth <Johannes.roth@mtg.de <mailto:Johannes.roth@mtg.de>>
> Subject: [EXTERNAL] Re: [lamps] AD review of draft-ietf-lamps-cms-kemri-05
>  
> Falko and Johannes:
>  
> If I understand this attack correctly, the attacker intercepts a CMS Authenticated-Enveloped-Data content that uses either AES-CCM or AES-GCM as specified in RFC 5084.  Then, the attackers turns it into a "garbage" CMS Enveloped-Data content that uses AES-CBC that is composed of the guess blocks.  This gets sent to the victim, and the victim shares the result of the decryption with the attacker.  If any of the plaintext blocks match Ht, then the attacker learns the plaintext for that block. Please let me know if anything is incorrect.
>  
> The draft-ietf-lamps-cms-kemri draft cannot offer any defense here.  The key under attack is the content-encryption key (CEK).  The KEMRecipientInfo (like all other flavors of RecipientInfo) is about transferring the CEK to one or more recipient.  You are seeking a way to integrity protect the CEK algorithm identifier.  Historically, that is done by signing the ciphertext.  RFC 2634 talks about the reasons that an originator might want to use a sign-encrypt-sign triple wrapper.
>  
> I will give some thought to ways  to integrity protect the CEK algorithm identifier without an additional layer of signature.
>  
> Are you able to make a presentation about this attack at the LAMPS session at IETF 118?  Remote presenters can be accommodated.
>  
> Russ
>  
> 
> 
> On Oct 27, 2023, at 4:50 AM, Falko Strenzke <falko.strenzke@mtg.de <mailto:falko.strenzke@mtg.de>> wrote:
>  
> Johannes and I hereby disclose a novel AEAD-to-CBC downgrade attack against state-of-the-art CMS. This is a summary of what we are planning to publish in an upcoming research paper. We disclose it now as we think it is likely that knowledge of this attack will help the WG to understand the relevance of key separation between legacy block cipher modes and AEAD modes and thus hopefully decides to incorporate this measure in the KEM-RI draft.
> 
> Inverse CBC Decryption Oracle Attack on Low Entropy AEAD Blocks in CMS
> 
> The described attack applies to the modes CCM and GCM that both use CTR encryption. The attack allows to the attacker to determine the content of a low entropy plaintext block in a CMS GCM or CCM (AEAD) encrypted message. The preconditions for the attack are:
> 
> The victim supports also CMS CBC decryption and reveals CBC decrypted messages to the attacker. The plaintext messages that victim reveals in the attack are meaningless “garbage”. This assumption underlies attacks described in literature [1], [2].
> The attacker has sufficiently much information about one plaintext block of the target AEAD ciphertext, so that the number of necessary guesses (each having the size of the block cipher block size) fits into such a CBC message that the victim decrypts for him.
> The attacks is referred to as an inverse oracle attack because it uses the block decryption operation of the victim to attack the block encryption operation of the original message. This implies that the attack is limited to verifying guesses for low entropy blocks in the target plaintext. Such attacks have, to the best of our knowledge, not been described previously in the literature. Formally, this means that CMS AEAD does not achieve CCA2 security in the presence of a CBC decryption oracle.
> 
> The attack could for instance realistically be used to reveal the value of a secret code with a few digits within an otherwise known message.
> 
> Description of the Attack
> 
> In the following, let Eₖ(X) and Dₖ(X) denote the AES block encryption and decryption under the key k and Dₖ-CBC(Xᵢ) the AES-CBC decryption under key k of the plaintext block Xᵢ.
> 
> Generate the set of n guesses {Tᵢ} for i ∈ {1 … n} for the target plaintext block at position t in the original AEAD ciphertext. The corresponding ciphertext block in the target CTR ciphertext is labelled Cₜ.
> Compute the corresponding set of guessed key stream blocks {Gᵢ | Gᵢ = Tᵢ⊕ Cₜ for all i = 1 … n}
> Creation of the CBC ciphertext as the oracle input:
> choose CBC-IV as G₀ arbitrarily
> Form the CBC ciphertext as the sequence of the guess blocks {Gᵢ | for all i = 1 … n}
> Then the CBC decryption oracle will compute the sequence of plaintext blocks:
> {Pᵢ | Pᵢ = Dₖ-CBC(Gᵢ) = Dₖ (Gᵢ) ⊕ Gᵢ₋₁ for all i = 1 … n}
> The attacker receives the plaintext {Pᵢ} and computes
> {Xᵢ | Xᵢ = Pᵢ ⊕ Gᵢ₋₁ for all i = 1 … n}
> Let Hₜ be the counter block at position t in the AEAD ciphertext, i.e., for the correct guess of the target key stream block Gᵥ at index v we have Gᵥ = Eₖ(Hₜ)
> the counter blocks are publicly known, since GCM and CCM both directly use the public nonces in the counter block
> Note that for the correct guess we have Xᵥ = Dₖ (Gᵥ) ⊕ Gᵥ₋₁ ⊕ Gᵥ₋₁ = Dₖ(Gᵥ) = Hₜ
> Thus, if the attacker finds for any of the {Xᵢ} that Xᵥ = Hₜ then
> the guess Gᵥ = Tᵥ ⊕ Cᵥ for the key stream block is correct
> and thus the corresponding guess Tᵥ for the plaintext block is correct
> Effect of CBC Padding Check
> 
> CBC is used in CMS together with PKCS#7 padding. Thus an application that enforces correct padding will make the attack more difficult. The attacker has no way to enforce a correct padding or to influence the length of the padding. But a correct padding of length 1 appears with probability 1/256. Multi-user attacks would be one way to compensate the resulting low success property of the attack.
> 
> [1] Katz, J., Schneier, B.: A Chosen Ciphertext Attack Against Several E-Mail En- cryption Protocols. In: 9th USENIX Security Symposium (USENIX Security 00), Denver, CO, USENIX Association (August 2000)
> 
> [2] Jallad, K., Katz, J., Schneier, B.: Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG. In Chan, A.H., Gligor, V., eds.: Information Security, Berlin, Heidelberg, Springer Berlin Heidelberg (2002) 90–101
> 
>  
> Am 24.10.23 um 14:30 schrieb Falko Strenzke:
> We are aware that the document draft-ietf-lamps-cms-kemri <https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-kemri/> is already in the AD review and thus far progressed in its process of finalisation. We have a good reason to propose a modification to this document still at this late stage. Both the suggested change and the reason for it are explained in the following.
> 
> Proposed change
> 
> We propose to include the algorithm identifier of the symmetric scheme used for the payload encryption, i.e., the contentEncryptionAlgorithm, in CMSORIforKEMOtherInfo.
> 
> Reason for the proposed change
> 
> The reason is, besides it generally being best practice to include such contextual information into the key deriviation, that there is the threat of AEAD-to-CBC cross-mode / downgrade attacks against state-of-the-art CMS. The KEM-RI draft has the opportunity to remove this potential weakness at least for KEMs and thus we strongly suggest to make this change. Including the contentEncryptionAlgorithm in the key derivation ensures that one arrives at different content encryption keys if the contentEncryptionAlgorithm is changed (for instance) from AEAD to CBC.
> 
> Please note that also the OpenPGP crypto-refresh <https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/> incorporates a key derivation – that deviates in its parameters from what we propose here and is only used in the case of AEAD – that ensures key separation for the newly introduced AEAD and the legacy CFB encrypted data packets.
> 
> - Falko Strenzke and Johannes Roth
> 
> Am 11.10.23 um 21:58 schrieb Roman Danyliw:
> Hi!
>  
> I performed an AD review of draft-ietf-lamps-cms-kemri-05.  Thanks for this very important update to CMS.  This document is in good shape.  As the below are minor, I'll advance this to IETF LC and ask that this feedback be resolved concurrently.
>  
> ** Section 2.  Editorial. Should the distribution of the recipient’s public key be made explicit?
> OLD
>    In advance, each recipient uses KeyGen() to create a key pair, and
>    then obtains a certificate [RFC5280] that includes the public key.
>  
> NEW
>  
> In advance, each recipient uses the KEM KeyGen() function to create a key pair, and then may obtains a certificate [RFC5280] that includes this newly generated public key.  This public key or associated certificate is them made available.
>  
> ** Section 2.  Editorial.  Recommendation for several sections.  When a KEM function, KeyGen()/Encapsulate()/Decapsulate() is mentioned, referred to is as a “KEM <insert function name>”.  For example, s/Encapsulate() function/KEM Encapsulate() function/
>  
> ** Section 3.
>       The
>       RecipientIdentifier provides two alternatives for specifying the
>       recipient's certificate [RFC5280]
>  
> Isn’t the correct reference for the two mechanisms in RecipientIdentifier (i.e., issuerAndSerialNumber and subjectKeyIdentifier) provided by RFC5652?
>  
> ** Section 3.  Editorial
>     The issuerAndSerialNumber alternative identifies the
>       recipient's certificate by the issuer's distinguished name and the
>       certificate serial number; the subjectKeyIdentifier identifies the
>       recipient's certificate by a key identifier.
>  
> Is there a missing “or” between these two options?  Both don’t need to be present in the RecipientIdentifier structure.
>  
> ** Section 3.  Process question.
>       Note that this requirement expands the original purpose of the ukm
>       described in Section 10.2.6 of [RFC5652]; it is not limited to
>       being used with key agreement algorithms.
>  
> Does this imply that this RFC should formally “update” RFC5652?
>  
> ** Section 6.1.  Since SMIME-CAPS is being used in the formal definition of the KEY-ALGORITHM class, RFC 5912 needs to be a normative reference.  RFC5912 is informational, but it already in the DOWNREF registry.
>  
> ** Section 6.1. As an aside, what is the SMIME link to KEMs?
>  
> ** Section 7.
>    The choice of the KDF SHOULD be made based on the security level
>    provided by the KEM.  The KDF SHOULD at least have the security level
>    of the KEM.
>  
> What is the nuance being conveyed between these two sentences?  What additional considerations exist beyond what is spelled out in the second sentence?  This construct is repeated in the next paragraphs for key-encryption algorithms too.
>  
> ** Section 7.  Typo. s/used to by the/used by the/
>  
> Regards,
> Roman
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm
> -- 
> MTG AG
> Dr. Falko Strenzke
> Executive System Architect
> 
> Phone: +49 6151 8000 24
> E-Mail: falko.strenzke@mtg.de <mailto:falko.strenzke@mtg.de>
> Web: mtg.de <https://www.mtg.de/>
> 
> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
> Commercial register: HRB 8901
> Register Court: Amtsgericht Darmstadt
> Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
> Chairman of the Supervisory Board: Dr. Thomas Milde
> 
> This email may contain confidential and/or privileged information. If you are not the correct recipient or have received this email in error, 
> please inform the sender immediately and delete this email. Unauthorised copying or distribution of this email is not permitted.
> 
> Data protection information: Privacy policy <https://www.mtg.de/en/privacy-policy>
> 
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm
> -- 
> 
> MTG AG
> Dr. Falko Strenzke
> Executive System Architect
> 
> 
> Phone: +49 6151 8000 24
> E-Mail: falko.strenzke@mtg.de <mailto:falko.strenzke@mtg.de>
> Web: mtg.de <https://www.mtg.de/>
> 
> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
> Commercial register: HRB 8901
> Register Court: Amtsgericht Darmstadt
> Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
> Chairman of the Supervisory Board: Dr. Thomas Milde
> 
> This email may contain confidential and/or privileged information. If you are not the correct recipient or have received this email in error, 
> please inform the sender immediately and delete this email. Unauthorised copying or distribution of this email is not permitted.
> 
> Data protection information: Privacy policy <https://www.mtg.de/en/privacy-policy>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm
>  
> Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system. _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email