IETF Logo Mail Archive

Re: [TLS] [Technical Errata Reported] RFC5288 (4694)

Aaron Zauner <azet@azet.org> Mon, 16 May 2016 09:37 UTC

Return-Path: <azet@azet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CABFD128E19 for <tls@ietfa.amsl.com>; Mon, 16 May 2016 02:37:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=azet.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2jGZQ-aQROu9 for <tls@ietfa.amsl.com>; Mon, 16 May 2016 02:37:14 -0700 (PDT)
Received: from mail-pa0-x230.google.com (mail-pa0-x230.google.com [IPv6:2607:f8b0:400e:c03::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A08B412D0B7 for <tls@ietf.org>; Mon, 16 May 2016 02:37:14 -0700 (PDT)
Received: by mail-pa0-x230.google.com with SMTP id xk12so63657929pac.0 for <tls@ietf.org>; Mon, 16 May 2016 02:37:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=azet.org; s=gmail; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=JOj7B2BWyp6EfOZRxdCswNiRxlCR3tBlX2P88tU+AeQ=; b=ENSgLsrOjbJDIjAp7kJEsBNUaphuq/B5nHa5qtKN32g35TlyL66y5JKI2gp/Z9orML /4od0ryrvCgYHk57MXhLpBmj4l4L+7QKmec/thFo/cNVi2b+OO8ZvW72/a7a42f1kKk+ fZmKJcHUwoxG5eIeQLn4gFC+MuSeqjoZvhVnw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=JOj7B2BWyp6EfOZRxdCswNiRxlCR3tBlX2P88tU+AeQ=; b=Xa3WfEhHv9fJLtKvHeYWED/cYIXxQy+aS/UjODqD+yB36nwoB5vVTj0ed4gjwDVlQI 9ga3LiWSLd0oE7O5i14zphJhrJUz62bE7t30jilYr329WGPCw/ZbxLMNzuiisb+iFoL/ kZJkdOZZkRWC9ZXlIIiJxlP2yumUPKR8BL/QtiEyYIa493n51RBPY6f5o2Lko1uEF8JQ Y8VxSFOWx1FWec7RH/C6qvJMPPlYlm7RL/0SnUTOo60+tA5ai13DCa0WQ0h+wppF5RxT 6x6dPrYD41eIFLL1RTSXbxwxRr7Nir3wEBmTnlGdPWy5tSnzN5ZAst1yv2x/uHnS2xya PUdQ==
X-Gm-Message-State: AOPr4FUqjGQ8XuQkv+ehCDT7dShLqhIhOlhuRy89II89oEWsa0vwHFvMxG9gN+ECS9VyHQ==
X-Received: by 10.66.89.228 with SMTP id br4mr43615480pab.110.1463391434145; Mon, 16 May 2016 02:37:14 -0700 (PDT)
Received: from [10.57.13.44] (wf-171-99-101-238.revip9.asianet.co.th. [171.99.101.238]) by smtp.gmail.com with ESMTPSA id pw3sm61207pac.6.2016.05.16.02.37.08 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 16 May 2016 02:37:12 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Content-Type: multipart/signed; boundary="Apple-Mail=_6E01BA23-C756-4E86-9D41-24FA8702B7D0"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: Aaron Zauner <azet@azet.org>
In-Reply-To: <D35F4D97.6C5B2%kenny.paterson@rhul.ac.uk>
Date: Mon, 16 May 2016 16:37:00 +0700
Message-Id: <53384A13-5F80-4CF0-BD8F-F68E304ADF15@azet.org>
References: <20160514082717.7997D180004@rfc-editor.org> <9A043F3CF02CD34C8E74AC1594475C73F4C80CD0@uxcn10-5.UoA.auckland.ac.nz> <CAN8NK9EaDQ-Pugi2j=3KcXrn5G-8mcXVs4O2HGCkH7h7GSKbbA@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C80F76@uxcn10-5.UoA.auckland.ac.nz> <CAN8NK9Gn9iK72dBq3opQ2E_HEZyVB+ysCqo5JxMH8vHhy4gEEg@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C817BE@uxcn10-5.UoA.auckland.ac.nz> <a05f1e9d02a96721479a0de75e335cc4@esat.kuleuven.be> <A1FEF4A5-AC64-4832-904A-47768E5D5AF9@gmail.com> <54302B87-4730-4B8E-9F55-B33B89425A51@azet.org> <D35F4D97.6C5B2%kenny.paterson@rhul.ac.uk>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/jZoRptiabyDYggUy_5vpndVYDGQ>
Cc: "mcgrew@cisco.com" <mcgrew@cisco.com>, "tls@ietf.org" <tls@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [TLS] [Technical Errata Reported] RFC5288 (4694)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 May 2016 09:37:16 -0000

Hi Kenny,

> On 16 May 2016, at 16:18, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> wrote:
> 
> Hi Aaron,
> 
> If AES-GCM ever generates two ciphertexts using the same key and the same
> 96-bit nonce, then the underlying CTR-mode keystreams will be the same.
> XORing the ciphertexts together then produces the XOR of the plaintexts,
> from which the two individual plaintexts can be recovered (usually) with
> high probability using standard techniques (see the paper by Mason et al
> at CCS 2006 for a full account of this step).
> 
> In the TLS context, this means using the same 64-bit nonce_explicit in a
> given connection - because then opaque salt will be the same 32-bit value.
> 
> This condition is detectable by an adversary because the nonce_explicit
> part is sent on the wire (the clue is in the name!).
> 
> You don't need to know the full 96-bit nonce to carry out the attack.

Yes, I understood that, of course. But:

> Once you've recovered a plaintext, you can also recover the corresponding
> CTR-mode keystream. Together with the integrity key, this now enables
> packet forgery attacks for arbitrary plaintexts (of length limited by that
> of the known keystream).

Right. Joux's attack doesn't recover a plaintext of the actual TLS session, we attack GHASH in this case and factor possible candidate polynomials of the /authentication key/. In this context I assume 'confidentiality compromise' with: somebody can recover plaintext from captured TLS records. At least in our attack this isn't the case. We're merely able to inject malicious content. Am I amiss? Or am I just confused about nomenclature?

Thank you,
Aaron

v2.23.0 | Report a Bug | By Email