RE: Bug # 24410 - AES CTR descriptions from Vijay Bharadwaj on 2014-02-24 (public-webcrypto@w3.org from February 2014)

From: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
Date: Mon, 24 Feb 2014 20:10:40 +0000
To: Ryan Sleevi <sleevi@google.com>
CC: Mark Watson <watsonm@netflix.com>, Jim Schaad <ietf@augustcellars.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <82aab9d6b17b4e47b4c085bb26d25438@DFM-CO1MBX15-08.exchange.corp.microsoft.com>

I agree that the implementation cannot detect all cases of counter wrap.

The question is, should it error out in the cases where it can? What is the counter-argument – is it that there is a legitimate use for counter wrap, or is it that catching some cases gives a false sense of security?

From: Ryan Sleevi [mailto:sleevi@google.com]
Sent: Monday, February 24, 2014 10:38 AM
To: Vijay Bharadwaj
Cc: Mark Watson; Jim Schaad; public-webcrypto@w3.org
Subject: Re: Bug # 24410 - AES CTR descriptions

On Mon, Feb 24, 2014 at 8:46 AM, Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com<mailto:Vijay.Bharadwaj@microsoft.com>> wrote:
[Mark]> So, it's ambiguous to me whether an implementation should consider it an error if the length choice combined with the message size will cause the same counter value to be repeated.

[Mark]> What we should probably look at is what existing library implementations do. If some implementations consider this an error - and fail - then it would improve interoperability if WebCrypto would always fail in this case by including the length check described. If no existing implementations consider this an error, then it should be left to the application as only the application can fully policy the requirement across messages.

Windows crypto APIs (CAPI and CNG) do not expose CTR mode except as a component of GCM or CCM. However it does seem to me like the counter increment rule and message size give a way for the implementation to identify some cases of insecure usage. It seems reasonable to block these cases – I don’t see any legitimate use for them.

I would have to disagree here.

A given Key object can be used for multiple Encryption operations. Further, a Key may wrap-around the counter - there's no guarantee that the counter started initialized to an all zero block, so it's not sufficient to look at whether the high-bit+1 is set when incrementing.

This is exactly why PKCS#11 (NSS) and OpenSSL allow it.

I definitely think it should be left up to the implementation. To me, this is conceptually the same as supporting non-mod-8 RSA moduli. Some implementations do, some don't.

Received on Monday, 24 February 2014 20:11:12 UTC