New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Simplify and improve the session key management #269
Comments
PR #276 looks very good, also as a starting point for other updates. One comment by the ETH team [0] was
To address this we could replace this:
with something like this:
Another comment in [0]:
So, for example, this part:
could be changed into something like this:
We'll make one of more PRs for this. [0] https://mailarchive.ietf.org/arch/msg/lake/i2NYxn3vchQ1jUv91frlcqQ4sP0/ |
@charlie-j For clarity: The four cases of "Breaking TH_4 Authentication" you mention above, they are all mitigated by PR #276, right? Just a remark about item 1:
Note that the different representations you list are in the |
Yes. By strongly tying together the session key and the transcript in the session key, we then avoid any of those issues about the transcript authentication.
Thanks for the explanation! |
As is, the session key PRK_4x3m offers much weaker properties than
the final exported keys.
Reason 1: session keys don't have "contributiveness" or "key control": even if Alice produces good randomness each time, keys may not be unique (if Bob sends low order points or the identity point - see footnote 1). Exported keys fix this by inclusion of transcript, which also gives a better binding to the protocol execution.
Reason 2:
PRK_4x3m
does not authenticateTH_4
as it is independent of it. If there are ways "to play with"MESSAGE_3
in order to obtain distinct values ofTH_4
on both sides (we discuss this further below), any application key derivation not usingTH_4
and onlyPRK_4x3m
will break the authentication claim overTH_4
.As an additional remark, the current construction makes it difficult to identify in cryptographic terms what is the session key of the protocol, as the stored key material at the end is both
TH_4
andPRK_4x3m
.Our suggestion is to follow a design similar to e.g. TLS, and to have a final key derivation, that combines both
TH_4
andPRK_4x3m
into a final key. This has multiple advantages:PRK_4x3m
;TH_4
andPRK_4x3m
, only the final key is stored;To make this proposal a bit more concrete, we provide a first draft of a commit that could implement this solution here: charlie-j@9f4843a
Breaking TH_4 authentication
We discuss here some subtle ways that may lead to a breach of authentication for
TH_4
, which could make the authentication very implementation dependent. Those mostly rely on the fact that usingciphertext_3
inside the transcript instead of the underlying payload may allow the attacker some leeway in changing the concrete value ofciphertext_3
, thus leading to an initiator and a responder disagreeing on the vlaue ofTH_4
after verification of message 3.According to Appendix B, there appear to exist multiple valid encodings of the same bitstring value. Typically,
'12cd'
can be encoded as'12cd'
,h'12cd'
or<< '12cd' >>
. If that is the case, by converting between those multiple encodings, an attacker can change the value of theciphertext_3
that is included insideTH_4
(unless the implementation does a COSE decoding to obtain the actual value of the ciphertext, then does a new COSE encoding to put back the value inside the COSE sequence used forTH_4
).The standard specifies a way to interface with the COSE encryption, where after computing a
COSE_Encrypt0
object the protected and unprotected fields are dropped to only keep the ciphertext field. This may be error prone on the implementation side: if the fullCOSE_Encrpyt0
is used inside the implementation instead of the ciphertext field, the message becomes malleable through the unprotected header.An encryption scheme based on the MacThenEncrypt paradigm may only provide integrity of the plaintext, and not integrity of the ciphertext itself. This would lead to two different values of
ciphertext_3
each being a valid ciphertext for the same plaintext. This implies in term of a computational analysis that stronger security assumptions are required to prove the security of the key exchange. (Disclaimer: I incorrectly claimed that AES-CCM does not provide ciphertext integrity during the ietf 113 presentation, based on the fact that it is a MacThenEncrypt paradigm, but there is actually a proof of ciphertext integrity for CCM).Related to Issue Avoid key and IV reuse for AEADs #268, where a randomized signature may force a responder to send two distinct
MESSAGE_3
(different randomization), we could forward the first copy to I (while R keeps the second one). Both agents would derive the samePRK_4x3m
but not the sameTH_4
.-> As a side remark, using the plaintext inside of the ciphertext inside
TH_4
would resolve points 1,2 and 3).Footnotes
h
thus such thath^x=h
with high probability. A particular case is the identity of the group, which is such thate^x=e
always.The text was updated successfully, but these errors were encountered: