[jose] FW: GCM nonce reuse question

"Jim Schaad" <ietf@augustcellars.com> Fri, 29 March 2013 02:02 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: jose@ietf.org
Date: Thu, 28 Mar 2013 19:01:58 -0700
Subject: [jose] FW: GCM nonce reuse question

For those people not on the CFRG list -

Jim

From: David McGrew (mcgrew) [mailto:mcgrew@cisco.com]
Sent: Thursday, March 28, 2013 4:15 AM
To: Jim Schaad
Cc: cfrg@irtf.org
Subject: Re: GCM nonce reuse question

Hi Jim,

> From: Jim Schaad <jimsch@augustcellars.com>
> Date: Wednesday, March 27, 2013 6:43 PM
> To: David McGrew <mcgrew@cisco.com>
> Cc: "cfrg@irtf.org" <cfrg@irtf.org>
> Subject: GCM nonce reuse question
>
> David,
>
> In doing a write-up I became worried about a security property of the GCM
> encryption mode in the way that the JOSE group is currently using it.
>
> There are known problems with not having a unique set of values for IVs and
> Key pairings.  Do these problems apply to having a different set of
> auxiliary data as well as the plain text?

Yes.  The security issues are summarized in
http://tools.ietf.org/html/rfc5116#section-5.1.1 but apparently they are
not described generally enough.  They should read "plaintext or associated
data values".

> Specifically the current way that GCM mode is being used in JOSE is
>
> Recipient #1 authentication tag = GCM(Key, Recipient #1 data, nonce, plain text)
>
> Recipient #2 authentication tag = GCM(Key, Recipient #2 data, nonce, plain text)
>
> As the key, nonce and plain text are fixed it would produce the same
> encrypted text value but different authentication tags.

Can't do that.  Each invocation of the encryption operation needs a
distinct nonce, unless all of the encryption operation inputs are identical.

Many thanks for calling this out, Jim.

David

> Jim
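The two-recipient use of GCM that Jim describes, worked through as an added example that is not part of this thread or of any JOSE implementation. GCM's tag is GHASH_H(A, C) XOR E_K(J0), where E_K(J0) is fixed by the key and nonce; the code implements GHASH per NIST SP 800-38D and, because AES is not implemented here, takes H, E_K(J0) and the ciphertext from the GCM specification's published test case 2, with the two per-recipient headers constructed. It shows that when both recipients share the nonce, the XOR of their two tags no longer involves E_K(J0) at all.

```python
R = 0xE1 << 120  # GF(2^128) reduction constant from NIST SP 800-38D

def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) (SP 800-38D Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:  # bit i of y, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def _blocks(data: bytes):
    """Yield the 16-byte blocks of data as integers, last block zero-padded."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")

def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A, C): a polynomial in H whose coefficients are the blocks of
    the AAD, the ciphertext and the final (bit-length) block."""
    y = 0
    for x in (*_blocks(aad), *_blocks(ct), (len(aad) * 8) << 64 | len(ct) * 8):
        y = gf_mul(y ^ x, h)
    return y

def gcm_tag(h: int, ek_j0: int, aad: bytes, ct: bytes) -> int:
    """GCM tag = GHASH_H(A, C) XOR E_K(J0); E_K(J0) is fixed by (key, nonce)."""
    return ghash(h, aad, ct) ^ ek_j0

# Known-answer values from the GCM specification's test case 2 (all-zero key,
# all-zero 96-bit nonce, one all-zero plaintext block); AES is not run here.
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E      # AES_K(0^128)
EK_J0 = 0x58E2FCCEFA7E3061367F1D57A4E7455A  # AES_K(J0)
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
# Constructed per-recipient headers standing in for "Recipient #n data".
AAD1 = b"recipient-1 protected header"
AAD2 = b"recipient-2 protected header"

def tag_xor(ek_j0_1: int, ek_j0_2: int) -> int:
    """XOR of the two recipients' tags; each argument is the E_K(J0) of the
    nonce that recipient's invocation used (equal when the nonce is shared)."""
    return gcm_tag(H, ek_j0_1, AAD1, C) ^ gcm_tag(H, ek_j0_2, AAD2, C)

def mask_free_relation() -> int:
    """GHASH_H(A1, C) XOR GHASH_H(A2, C): with a shared nonce this equals the
    tag XOR, so an observer holding both messages gets a polynomial equation
    in the secret H that no longer involves E_K(J0)."""
    return ghash(H, AAD1, C) ^ ghash(H, AAD2, C)
```

With a distinct nonce per invocation the two E_K(J0) values differ, so `tag_xor` keeps an unknown term and the relation above is not available to an observer; that is what David's "distinct nonce" rule restores.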