IETF Logo Mail Archive

[Cfrg] how to guard against VM rollbacks

"Wei Dai" <weidai@weidai.com> Wed, 10 January 2007 14:20 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H4eJj-0000su-0T; Wed, 10 Jan 2007 09:20:39 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H4eJh-0000ro-A8 for cfrg@irtf.org; Wed, 10 Jan 2007 09:20:37 -0500
Received: from wr-out-0506.google.com ([64.233.184.235]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1H4eJe-0006CR-Rh for cfrg@irtf.org; Wed, 10 Jan 2007 09:20:37 -0500
Received: by wr-out-0506.google.com with SMTP id i22so54219wra for <cfrg@irtf.org>; Wed, 10 Jan 2007 06:20:34 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:sender:to:subject:cc:mime-version:content-type:x-google-sender-auth; b=FAgyOO7Lrfn9H3P/2tCMI6XCZe0NRc3cI5gDF/M2yXGh/i0QMiQmThyR+TkMKwsEJAQsNZR931q/wQ2aMiTfJmUeL1rVkT6FdcfywbySRvrPXUdbnF2HhWl2tZ7plqpV5NUNzfB3tWjNNjEt1xrzdnwBm4JJDDradkW68+oZBsE=
Received: by 10.90.72.10 with SMTP id u10mr242105aga.1168438834521; Wed, 10 Jan 2007 06:20:34 -0800 (PST)
Received: by 10.90.56.7 with HTTP; Wed, 10 Jan 2007 06:20:34 -0800 (PST)
Message-ID: <ec22d0e20701100620t37e77e70mda14d1c73930731@mail.gmail.com>
Date: Wed, 10 Jan 2007 22:20:34 +0800
From: Wei Dai <weidai@weidai.com>
To: cfrg@irtf.org
MIME-Version: 1.0
X-Google-Sender-Auth: e5e6f86f41a1bbd7
X-Spam-Score: 0.2 (/)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
Cc: weidai@weidai.com
Subject: [Cfrg] how to guard against VM rollbacks
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1654685440=="
Errors-To: cfrg-bounces@ietf.org

I've mentioned in a previous thread that the security of a nonce-based
cryptographic scheme may be compromised due to unintentional nonce reuse
caused by rollback of one's virtual machine state to an earlier snapshot.
Apparently this problem has been noticed by few others and no one has
proposed a solution (that I could find). The only mention I found of this
issue is in [1].

I'll throw out some ideas in the hope of bringing more attention to this
problem. It seems a fairly serious one given the increasing popularity of
virtualization and the fact that virtually every protocol and application
software that uses cryptography may be affected.

First of all it seems necessary to abandon the use of counter-based and
other state-derived nonces, and return to either random nonces or
deterministic cryptography. Until we have operating system support (perhaps
an API to designate a memory buffer or file as protected from rollbacks?)
it's hard to see how we can safely use state-derived nonces when state
rollbacks are a possibility.

If random nonces are used, care must still be taken to guard against
rollbacks. At a minimum, the nonce must be randomly generated *after* the
message to be encrypted and/or authenticated has been fixed. This way, if
nonce reuse occurs due to a rollback, it will be reused only with the same
message that it was used with previously, which should be safe.

Where possible, it may be best to go back to deterministic cryptography. For
example HMAC does not use a nonce and therefore is not affected by this
problem. If faster speed is desired and you want to use a MAC in the
Wegman-Carter paradigm, notice that tag=PRF(hash) works just as well as
tag=hash xor PRF(nonce) (i.e., they both have collision probabilities that
grow as the square of the number of messages) if nonce is generated
randomly. tag=PRF(hash) does not suffer from nonce reuse problems, and also
lets you save complexity and bandwidth by not having to transport a nonce.

[1] Tal Garfinkel and Mendel Rosenblum,"When Virtual is Harder than Real:
Security Challenges in Virtual Machine Based Computing Environments"
http://www.stanford.edu/~talg/papers/HOTOS05/virtual-harder-hotos05.pdf

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email