IETF Logo Mail Archive

Re: [smime] [Technical Errata Reported] RFC5084 (4774)

Quan Nguyen <quannguyen@google.com> Mon, 15 August 2016 21:01 UTC

Return-Path: <quannguyen@google.com>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6D9B12D73D for <smime@ietfa.amsl.com>; Mon, 15 Aug 2016 14:01:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.247
X-Spam-Level:
X-Spam-Status: No, score=-3.247 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uK1S2HdETQPB for <smime@ietfa.amsl.com>; Mon, 15 Aug 2016 14:01:02 -0700 (PDT)
Received: from mail-ua0-x231.google.com (mail-ua0-x231.google.com [IPv6:2607:f8b0:400c:c08::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDF7312D518 for <smime@ietf.org>; Mon, 15 Aug 2016 14:01:01 -0700 (PDT)
Received: by mail-ua0-x231.google.com with SMTP id k90so91723371uak.1 for <smime@ietf.org>; Mon, 15 Aug 2016 14:01:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=w/TftVYSoMr33j5crcJKCdUNya7JWc3Uuf1UlL2NdeI=; b=WKnJQM5jC1RLyR3qFWxj8Q6XKcvnzZeMzfisnJQxQeX4cwAuapeHfJvuoiWNnrJr1D c4M2xRdqVROV5CV8qm9W95rgXi36updjiNNET80Mn1YPdYa0z1pt4ChgQl+BDkRGr1TV PI+TNqjpUDAcmi95qdwcUoyanERPWv4bVtnKhSBVOGGC/8e7t4x6hNG6hf7W1myAS1Pe 2rhhXuVtMsVP+5vaGaV7M2QyINkfaE+H8HYhJrCz2atuEBelciyKKHh84lW/ABbfO5fh EbjdTIRO+uXRtTEK+gOjwxU9ScNWi+OuTHr8Fab8ZblesKm1m1EKQsx9d91dg7f5Mp8J WOSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=w/TftVYSoMr33j5crcJKCdUNya7JWc3Uuf1UlL2NdeI=; b=e3J9QcYKdHkn4yL8VAe7wDHJq3V2BWVBM59/HuX4wDVjSlTlYBhG1N6061vgnR5GQ0 Bk9RDvJcxJotp4TXmUZE/E3u+WekNjUVNiLU2DN3MuoP9aghSowvSL9iLxr6tun7ihHZ +//Ppc6HkCW7WpAOkgnOPTJo90KjQ0kHCxed8xCk8ZGGu+RJBx2nTEV446NskIptm7gK n7oeakq4Up34/Au3Jx8Vn7hdjF+dkTAnI5CKaWpnWRRudjMDQjIhVuRsz0NupO4E82nq Rj7J7pQVEmCQEqCsYJxOuOfJRHYOFFdRilOXibrpolM2AkMLmEb4Pk9t3hQQKNB9tgAk nSGg==
X-Gm-Message-State: AEkoouvuuzTdVvyu+qoUhHutULQu9Rymarp+YYjFXtCHbTT2tVwsv1LvEWHK2qv4XYePcBQkPcHUJuUA24z++O0U
X-Received: by 10.31.8.213 with SMTP id 204mr5837270vki.33.1471294860553; Mon, 15 Aug 2016 14:01:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.139.131 with HTTP; Mon, 15 Aug 2016 14:00:39 -0700 (PDT)
In-Reply-To: <EA5FD496-53AE-4902-A18F-556F954CD161@vigilsec.com>
References: <20160811184733.4444EB8111E@rfc-editor.org> <CAKkgqz0j3KwQi5ARRmOYf7+iw5W_6zo3qgLT0aoHiARYqUwjqA@mail.gmail.com> <EA5FD496-53AE-4902-A18F-556F954CD161@vigilsec.com>
From: Quan Nguyen <quannguyen@google.com>
Date: Mon, 15 Aug 2016 14:00:39 -0700
Message-ID: <CAKkgqz1sG_UyMiCEPgTgg9=gVMEpd7tCmEqL2qY0hN1HnOmMaw@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="001a1142e6e8863615053a228743"
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/wYO3244y2AcUIH7tvbOSZm6NDmI>
X-Mailman-Approved-At: Mon, 15 Aug 2016 14:47:09 -0700
Cc: IETF SMIME <smime@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, David McGrew <mcgrew@cisco.com>, RFC Editor <rfc-editor@rfc-editor.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [smime] [Technical Errata Reported] RFC5084 (4774)
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2016 21:01:05 -0000

On Mon, Aug 15, 2016 at 1:55 PM, Russ Housley <housley@vigilsec.com> wrote:

> Quan:
>
> I do not think that we can change the DEFAULT value associated with these
> OIDs.  Changing the meaning of an absent aes-ICVlen will result in too many
> interoperability problems.
>

Yeah, I'm aware of it and I understand your concern.


>  However, we could put out a very short RFC that updates RFC 5084 to
> recommend the use of 16 octet authentication tags in all situations.
>

Thanks for doing this :) It's SGTM.

>
> Russ
>
>
> On Aug 11, 2016, at 2:49 PM, Quan Nguyen <quannguyen@google.com> wrote:
>
>
>
> On Thu, Aug 11, 2016 at 11:47 AM, RFC Errata System <
> rfc-editor@rfc-editor.org> wrote:
>
>> The following errata report has been submitted for RFC5084,
>> "Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic
>> Message Syntax (CMS)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata_search.php?rfc=5084&eid=4774
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: QUAN NGUYEN <quannguyen@google.com>
>>
>> Section: 3.2
>>
>> Original Text
>> -------------
>> aes-ICVlen       AES-GCM-ICVlen DEFAULT 12
>>
>> A length of 12 octets is RECOMMENDED.
>>
>> Corrected Text
>> --------------
>> aes-ICVlen       AES-GCM-ICVlen DEFAULT 16
>>
>> A length of 16 octets is RECOMMENDED.
>>
>> Notes
>> -----
>> Many JCE providers including OpenJDK, BouncyCastle, Conscrypt have a bug
>> to use 12 bytes authentication tag (aes-ICVlen) as default if the code path
>> [1] uses CMS. According to Ferguson's attack (
>> http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/commen
>> ts/CWC-GCM/Ferguson2.pdf), if a user encrypts 2^32 block length message,
>> then 12 bytes authentication tag length has only 96 - 32 = 64 bits security
>> which is not good enough nowadays. Furthermore, once a forgery happens then
>> authentication is leaked.
>>
>
> Sorry, I meant "authentication *key*" is leaked.
>
>>
>> [1] In other code paths, all providers use 16 bytes authentication tag as
>> default.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party (IESG)
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC5084 (draft-ietf-smime-cms-aes-ccm-and-gcm-03)
>> --------------------------------------
>> Title               : Using AES-CCM and AES-GCM Authenticated Encryption
>> in the Cryptographic Message Syntax (CMS)
>> Publication Date    : November 2007
>> Author(s)           : R. Housley
>> Category            : PROPOSED STANDARD
>> Source              : S/MIME Mail Security
>> Area                : Security
>> Stream              : IETF
>> Verifying Party     : IESG
>>
>>
>
>

v2.23.0 | Report a Bug | By Email