- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 30 Jan 2017 14:19:49 +1100
- To: "Manger, James" <James.H.Manger@team.telstra.com>
- Cc: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 30 January 2017 at 13:30, Manger, James <James.H.Manger@team.telstra.com> wrote:
>> Actually, if you don't use KDF to obtain the nonce base together with
>> the key, an attacker can corrupt messages unless you actually verify that
>> the start block is in its proper place.
>
> Is this because the scheme uses Nonce XOR Index (not Nonce + Index)?

Not exactly. The theoretical attack (if I understood Ilari correctly) is if you had an explicit nonce on each record. For instance, the nonce is the first 12 octets of the ciphertext. At that point, an attacker would be more capable of interchanging any two records.

That's different to your concern regarding dropping of some number of records and producing a valid sequence of records. Even assuming that you find an input that produces the same key while allowing you to control the nonce, you would be stuck with the interesting problem of finding a pattern of records that fit the XOR pattern. If there were only two records, dropping the first is trivial. If there were three records and you wanted to keep two of them, you have to switch the second and third to fit the pattern, which would run afoul of the padding delimiter check. Given that you would know the key at this point, I'd suggest that constructing a new message would be easier.

> Given 2 valid AEADs, you can get the XOR of their indices but that isn't enough to tell how far apart they are in a sequence. It isn't even sufficient to tell that one comes right before the other. Hence, you really need to get the AEAD marked "start" first (or get the salt from which the "start" record's nonce is derived).

Are you saying that you can feed random data into your oracle until it accepts two records? And that you used the same key to generate that random data? Assuming those preconditions, I agree that you can get the XOR of the indices of these records. But you must have known those indices because the oracle we're designing only accepts records at those indices.
Even if you could do what you suggest (with a different oracle perhaps), I think that you are right in suggesting that that isn't much use. You have just won every lottery on the planet in the same week, and still that information doesn't seem very useful.
Received on Monday, 30 January 2017 03:20:21 UTC
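As an added illustration of the scheme debated above (this is not part of the thread and not the draft's own code), the following Python models the Nonce XOR Index construction: key and nonce base come from a single HKDF call, every record carries a padding delimiter, and the receiver derives each record's nonce from its own position counter rather than reading it from the wire. It then shows the three behaviours the message argues about: in-order records decrypt, interchanged records fail the tag check, a truncated sequence fails the delimiter check, and two observed nonces reveal only the XOR of their indices, which does not fix their distance. The AEAD is a deliberately toy hash-based construction so the example runs with the standard library alone; the HKDF info labels, the delimiter values (0x01 for intermediate records, 0x02 for the last) and the sample inputs are assumptions, not values taken from the thread.

```python
import hashlib
import hmac

NONCE_LEN = 12      # 96-bit nonce, as in the thread ("first 12 octets")
TAG_LEN = 16
DELIM_MORE = b"\x01"  # assumed delimiter on intermediate records
DELIM_LAST = b"\x02"  # assumed delimiter on the final record


def hkdf_sha256(ikm, salt, info, length):
    # HKDF (RFC 5869) extract-then-expand with SHA-256.
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_key_and_nonce_base(ikm, salt):
    # Key and nonce base from the same KDF input, as the thread recommends.
    # The info labels are assumptions for this example.
    key = hkdf_sha256(ikm, salt, b"example-record-key", 32)
    nonce_base = hkdf_sha256(ikm, salt, b"example-record-nonce", NONCE_LEN)
    return key, nonce_base


def record_nonce(nonce_base, index):
    # Nonce XOR Index: the record counter as a 96-bit big-endian integer.
    seq = index.to_bytes(NONCE_LEN, "big")
    return bytes(a ^ b for a, b in zip(nonce_base, seq))


def _keystream(key, nonce, length):
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def toy_seal(key, nonce, plaintext):
    # Toy AEAD (hash keystream + HMAC tag over nonce||ciphertext). Illustration only.
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def toy_open(key, nonce, sealed):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encrypt_records(key, nonce_base, chunks):
    records = []
    for i, chunk in enumerate(chunks):
        delim = DELIM_LAST if i == len(chunks) - 1 else DELIM_MORE
        records.append(toy_seal(key, record_nonce(nonce_base, i), chunk + delim))
    return records


def decrypt_records(key, nonce_base, records):
    # The receiver derives the nonce from its own counter, so a record sealed for
    # index 2 cannot be accepted at position 1; the delimiter then catches truncation.
    out = []
    for i, rec in enumerate(records):
        pt = toy_open(key, record_nonce(nonce_base, i), rec)
        if pt is None:
            return None  # tag failure: record is not at the index it was sealed for
        body, delim = pt[:-1], pt[-1:]
        want = DELIM_LAST if i == len(records) - 1 else DELIM_MORE
        if delim != want:
            return None  # delimiter check: sequence was cut short or reordered
        out.append(body)
    return b"".join(out)


def observed_index_xor(nonce_base, i, j):
    # With explicit nonces an observer learns nonce_i XOR nonce_j == i XOR j, nothing more.
    ni, nj = record_nonce(nonce_base, i), record_nonce(nonce_base, j)
    return int.from_bytes(bytes(a ^ b for a, b in zip(ni, nj)), "big")


def demo():
    ikm, salt = b"constructed input keying material", b"constructed-salt"  # constructed
    key, base = derive_key_and_nonce_base(ikm, salt)
    records = encrypt_records(key, base, [b"one", b"two", b"three"])
    return {
        "in_order": decrypt_records(key, base, records),
        "swapped": decrypt_records(key, base, [records[0], records[2], records[1]]),
        "truncated": decrypt_records(key, base, records[:2]),
        # indices (0,3) are three apart, (1,2) one apart, yet both XOR to 3
        "xor_0_3": observed_index_xor(base, 0, 3),
        "xor_1_2": observed_index_xor(base, 1, 2),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the reassembled plaintext for the in-order case, `None` for the interchanged and truncated sequences, and the same XOR value (3) for the index pairs (0, 3) and (1, 2), which is the point made in the quoted paragraph: the XOR of two indices is not enough to recover how far apart the records are.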