Re: authenticated encryption
2003-05-06 21:03:47
Presently, if you want integrity, then a signature is required, which
defeats the attack that is described. I would be interested in looking
into the use of CCM, EAX, CWC, or any other authenticated encryption mode
AFTER the update to RFC 2633 is published. I would not like to delay
publication of the update while this is investigated.
Russ
Security Area Director
At 05:01 PM 5/5/2003 -0700, Trevor Perrin wrote:
Hello S/MIME,
I'm curious what this group thinks about adopting an
authenticated-encryption cipher mode, such as:
EAX:
https://www1.ietf.org/mail-archive/working-groups/cfrg/current/msg00223.html
CWC:
https://www1.ietf.org/mail-archive/working-groups/cfrg/current/msg00224.html
Such a mode could integrity-protect S/MIME encrypted-only messages. It
could also defend against an oracle attack on signed-then-CBC-encrypted
messages. I'm not sure this attack is well known, so I'll describe it:
If the plaintext is a sequence of blocks P[1],P[2],.., and the ciphertext
is a sequence of blocks where C[0] is the IV, followed by C[1],C[2],..,
then we assume the attacker wants to verify a guess G for P[X], and knows
the value of P[1] (the first blocksize bytes of the ContentInfo containing
SignedData, which is just well-known ASN.1 header).
The attacker copies C[X] over C[1], and sets C[0] = G xor C[X-1] xor
P[1]. If his guess is correct, then the new ciphertext C[1] will decrypt
to the same plaintext P[1] it would have without his modifications - if
his guess is wrong, the decrypted P[1] will have bit errors, which will
probably cause an error in the recipient's software.
If the recipient is a person, she might respond saying "I can't read
this". If the recipient is a server (like an S/MIME MTA), it might
respond with an error message, allowing the attack to be iterated.
Might solving these issues in one swoop be a good rationale for
authenticated encryption?
Trevor
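The block substitution Trevor describes, and the integrity check that closes the oracle, as an added example that is not code from this thread. The block cipher is an assumed toy 4-round Feistel on SHA-256 standing in for a real cipher, and encrypt-then-MAC with HMAC stands in for the tag an authenticated-encryption mode produces; CBC and the manipulation are exactly as described above.

```python
# Added example, not from the S/MIME thread. Toy CBC mode over an assumed
# Feistel block cipher, the C[0]/C[1] substitution from the post, and an
# integrity tag that rejects the modified ciphertext regardless of the guess.
import hashlib
import hmac
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, r: int, half: bytes) -> bytes:  # Feistel round function
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]
def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, xor(left, _f(key, r, right))
    return left + right
def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = xor(right, _f(key, r, left)), left
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plain: list) -> list:
    c = [iv]  # C[0] is the IV, as in the thread
    for p in plain:
        c.append(encrypt_block(key, xor(p, c[-1])))
    return c
def cbc_decrypt(key: bytes, c: list) -> list:
    return [xor(decrypt_block(key, c[i]), c[i - 1]) for i in range(1, len(c))]
def substitute(c: list, p1: bytes, x: int, guess: bytes) -> list:
    # The manipulation from the post: C[X] over C[1], C[0] = G xor C[X-1] xor P[1].
    return [xor(xor(guess, c[x - 1]), p1), c[x]] + c[2:]
def tag(mac_key: bytes, c: list) -> bytes:  # encrypt-then-MAC over IV and ciphertext
    return hmac.new(mac_key, b"".join(c), hashlib.sha256).digest()
def check(mac_key: bytes, c: list, t: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, c), t)

def demo() -> dict:
    key, mac_key = b"k" * 16, b"m" * 16  # constructed keys
    p = [b"\x30\x82\x01\x00ASN1-HEADER!", b"secret block #2!", b"another block..."]
    c = cbc_encrypt(key, os.urandom(BLOCK), p)
    t = tag(mac_key, c)
    right, wrong = substitute(c, p[0], 2, p[1]), substitute(c, p[0], 2, b"not the secret!!")
    return {"cbc_right": cbc_decrypt(key, right)[0] == p[0],  # True: block 1 decrypts cleanly
            "cbc_wrong": cbc_decrypt(key, wrong)[0] == p[0],  # False: block 1 is garbled
            "tag_right": check(mac_key, right, t),            # False: rejected before decryption
            "tag_wrong": check(mac_key, wrong, t)}            # False: rejected before decryption
```

With bare CBC the recipient's behaviour differs between the two cases, which is the oracle; with the tag checked first, both cases are rejected identically.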