[Cfrg] how to guard against VM rollbacks
"Wei Dai" <weidai@weidai.com> Wed, 10 January 2007 14:20 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H4eJj-0000su-0T; Wed, 10 Jan 2007 09:20:39 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H4eJh-0000ro-A8 for cfrg@irtf.org; Wed, 10 Jan 2007 09:20:37 -0500
Received: from wr-out-0506.google.com ([64.233.184.235]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1H4eJe-0006CR-Rh for cfrg@irtf.org; Wed, 10 Jan 2007 09:20:37 -0500
Received: by wr-out-0506.google.com with SMTP id i22so54219wra for <cfrg@irtf.org>; Wed, 10 Jan 2007 06:20:34 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:sender:to:subject:cc:mime-version:content-type:x-google-sender-auth; b=FAgyOO7Lrfn9H3P/2tCMI6XCZe0NRc3cI5gDF/M2yXGh/i0QMiQmThyR+TkMKwsEJAQsNZR931q/wQ2aMiTfJmUeL1rVkT6FdcfywbySRvrPXUdbnF2HhWl2tZ7plqpV5NUNzfB3tWjNNjEt1xrzdnwBm4JJDDradkW68+oZBsE=
Received: by 10.90.72.10 with SMTP id u10mr242105aga.1168438834521; Wed, 10 Jan 2007 06:20:34 -0800 (PST)
Received: by 10.90.56.7 with HTTP; Wed, 10 Jan 2007 06:20:34 -0800 (PST)
Message-ID: <ec22d0e20701100620t37e77e70mda14d1c73930731@mail.gmail.com>
Date: Wed, 10 Jan 2007 22:20:34 +0800
From: Wei Dai <weidai@weidai.com>
To: cfrg@irtf.org
MIME-Version: 1.0
X-Google-Sender-Auth: e5e6f86f41a1bbd7
X-Spam-Score: 0.2 (/)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
Cc: weidai@weidai.com
Subject: [Cfrg] how to guard against VM rollbacks
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1654685440=="
Errors-To: cfrg-bounces@ietf.org
I've mentioned in a previous thread that the security of a nonce-based cryptographic scheme may be compromised due to unintentional nonce reuse caused by rollback of one's virtual machine state to an earlier snapshot. Apparently this problem has been noticed by few others and no one has proposed a solution (that I could find). The only mention I found of this issue is in [1]. I'll throw out some ideas in the hope of bringing more attention to this problem. It seems a fairly serious one given the increasing popularity of virtualization and the fact that virtually every protocol and application software that uses cryptography may be affected. First of all it seems necessary to abandon the use of counter-based and other state-derived nonces, and return to either random nonces or deterministic cryptography. Until we have operating system support (perhaps an API to designate a memory buffer or file as protected from rollbacks?) it's hard to see how we can safely use state-derived nonces when state rollbacks are a possibility. If random nonces are used, care must still be taken to guard against rollbacks. At a minimum, the nonce must be randomly generated *after* the message to be encrypted and/or authenticated has been fixed. This way, if nonce reuse occurs due to a rollback, it will be reused only with the same message that it was used with previously, which should be safe. Where possible, it may be best to go back to deterministic cryptography. For example HMAC does not use a nonce and therefore is not affected by this problem. If faster speed is desired and you want to use a MAC in the Wegman-Carter paradigm, notice that tag=PRF(hash) works just as well as tag=hash xor PRF(nonce) (i.e., they both have collision probabilities that grow as the square of the number of messages) if nonce is generated randomly. tag=PRF(hash) does not suffer from nonce reuse problems, and also lets you save complexity and bandwidth by not having to transport a nonce. [1] Tal Garfinkel and Mendel Rosenblum,"When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments" http://www.stanford.edu/~talg/papers/HOTOS05/virtual-harder-hotos05.pdf
_______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- RE: [Cfrg] how to guard against VM rollbacks Hallam-Baker, Phillip
- Re: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Jon Callas
- [Cfrg] how to guard against VM rollbacks Wei Dai
- [Cfrg] Re: how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Hal Finney
- [Cfrg] how to ensure unpredictability (or non-rep… zooko
- Re: [Cfrg] how to guard against VM rollbacks Peter Gutmann
- Re: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Ariel Waissbein
- Re: [CFRG] how to guard against VM rollbacks Phillip Rogaway
- Re: [Cfrg] how to guard against VM rollbacks Paul Hoffman
- Re: [Cfrg] how to guard against VM rollbacks Peter Gutmann
- Re: [Cfrg] how to guard against VM rollbacks Hal Finney
- Re: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Ariel Waissbein
- Re: [Cfrg] how to guard against VM rollbacks Mark Baugher
- RE: [Cfrg] how to guard against VM rollbacks Hallam-Baker, Phillip
- Re: [Cfrg] how to guard against VM rollbacks Hal Finney
- [Cfrg] Re: how to guard against VM rollbacks Simon Josefsson
- Re: [Cfrg] Re: how to guard against VM rollbacks Hal Finney
- Re: [Cfrg] Re: how to guard against VM rollbacks Steven M. Bellovin
- Re: [Cfrg] Re: how to guard against VM rollbacks Jon Callas
- [Cfrg] RE: how to guard against VM rollbacks Hallam-Baker, Phillip
- RE: [Cfrg] Re: how to guard against VM rollbacks Hallam-Baker, Phillip
- RE: [Cfrg] Re: how to guard against VM rollbacks Hallam-Baker, Phillip
- [Cfrg] Re: how to guard against VM rollbacks Simon Josefsson
- Re: [Cfrg] Re: how to guard against VM rollbacks Hal Finney
- Re: [Cfrg] Re: how to guard against VM rollbacks Mark Baugher
- Re: [Cfrg] how to guard against VM rollbacks Peter Gutmann
- RE: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks David McGrew