Re: aes128gcm: why verify padding? from Martin Thomson on 2017-01-30 (ietf-http-wg@w3.org from January to March 2017)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 30 Jan 2017 14:19:49 +1100
To: "Manger, James" <James.H.Manger@team.telstra.com>
Cc: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CABkgnnXYc3V3FoVH_TsBUMZes5r3uZaTLs4zdFPXNMg178ppFw@mail.gmail.com>

On 30 January 2017 at 13:30, Manger, James
<James.H.Manger@team.telstra.com> wrote:
>> Actually, if you don't use KDF to obtain the nonce base together with
>> the key, attacker can corrupt messages unless you actually verify that
>> the start block is in its proper place.
>
> Is this because the scheme uses Nonce XOR Index (not Nonce + Index)?

Not exactly.  The theoretical attack (if I understood Ilari correctly)
is if you had an explicit nonce on each record.  For instance, the
nonce is the first 12 octets of the ciphertext.  At that point, an
attacker would be more capable of performing interchanging any two
records.

That's different to your concern regarding dropping of some number of
records and producing a valid sequence of records.

Even assuming that you find an input that produces the same key while
allowing you to control the nonce, you would be stuck with the
interesting problem of finding a pattern of records that fit the XOR
pattern. If there were only two records, dropping the first is
trivial.  If there were three records and you wanted to keep two of
them, you have to switch the second and third to fit the pattern,
which would run afoul of the padding delimiter check.

Given that you would know the key at this point, I'd suggest that
constructing a new message would be easier.

> Given 2 valid AEADs, you can get the XOR of their indices but that isn't enough to tell how far apart they are in a sequence. It isn't even sufficient to tell that one comes right before the other. Hence, you really need to get the AEAD marked "start" first (or get the salt from which the "start" record's nonce is derived).

Are you saying that you can feed random data into your oracle until it
accepts two records?  And that you used the same key to generate that
random data?  Assuming those preconditions, I agree that you can get
the XOR of the indices of these records.  But you must have known
those indices because the oracle we're designing only accepts records
at those indices.

Even if you could do what you suggest (with a different oracle
perhaps), I think that you are right in suggesting that that isn't
much use.  You have just won every lottery on the planet in the same
week, and still that information doesn't seem very useful.

Received on Monday, 30 January 2017 03:20:21 UTC