RE: attack on rfc3211 mode (Re: disk encryption modes)

2002-05-27 Thread Lucky Green 

Peter wrote:
> Yup.  Actually the no-stored-IV encryption was never designed 
> to be a non- malleable cipher mode, the design goal was to 
> allow encryption-with-IV without having to explicitly store 
> an IV.  For PWRI it has the additional nice feature of 
> avoiding collisions when you use a 64-bit block cipher, which 
> is probably going to be the case for some time to come even 
> with AES around.  It was only after all that that I noticed 
> that the first pass was effectively a CBC-MAC, but it didn't 
> seem important enough to mention it in the RFC since it 
> wasn't an essential property (good thing I didn't :-).
> 
> >With a disk mode, unlike with RFC3211 password based 
> encryption for CMS 
> >there is no place to store the structure inside the 
> plaintext which may 
> >to some extent defend against this attack.

Here is a partial list of requirements that I believe apply to drive
encryption cryptographic systems. I am sure that list is incomplete and
may contain errors. The following is what springs to mind:

1) I do not believe that there is a fundamental need to limit the size
of the ciphertext to the size of the plain text. Adding a 1% or even
more space overhead for encryption is acceptable under any day-to-day
scenario that I can think of.

2) The algorithm must be able to decrypt individual sectors without
having to decrypt the entire contents of the drive. Nor must the
algorithm leak any plaintext, even if the attacker were to have
knowledge of all but one byte of the plaintext stored on the drive.

3) The encrypted partition should leak no information about the number,
nature, and size of any files stored on the drive. Unless one has access
to the key, the entire partition should be appear to the observer as a
homogenous block of opaque encrypted data.

4) It would be nice, but is not in the least required, to be able to
convert an existing unencrypted partition to an encrypted partition and
back.

5) It must be possible to pass the encryption key as a parameter to
mount, presumably in the form of a config file containing they key to
prevent the key from showing up in ps.

6) It should be possible to both specify a raw AES key as well as a
passphrase-derived SHA2 generated AES key.

7) Since the key will need to be stored in RAM for extended periods of
time, the key should be protected from forensic recovery by being never
being swapped to disk as well as by periodic bit-flipping.

8) Ideally, and this is definitely a feature for v2.0, each user would
be able to specify a capability that will permit the listing and access
of any files under that user's permissions on the encrypted file system.

9) While steganographic file systems offering multiple levels of
credible distress keys are nice, I don't consider this a feature that
should be included in v1.0.

Re: attack on rfc3211 mode (Re: disk encryption modes)

2002-05-10 Thread Adam Shostack 

On Sat, May 11, 2002 at 04:01:11AM +1200, Peter Gutmann wrote:
| General rant: It's amazing that there doesn't seem to be any published research
|   on such a fundamental crypto mechanism, with the result that everyone has to
|   invent their own way of doing it, usually badly.  We don't even have a decent
|   threat model for this, my attempt at one for password-based key wrap may or
|   may not be appropriate (well, I hope it's more or less right), but it's going
|   to be rather different than for a situation where you have an ephemeral
|   symmetric key rather than a fixed, high-value key wrapping another key.  The
|   same problem exists for things like PRFs, we now have PKCS #5v2, but before
|   that everyone had to invent their own PRF for lack of anything useful, with
|   the result that every single protocol which needs a PRF has its own,
|   incompatible, often little-analysed one.
| 
| More specific rant: Looking at the security standards and protocols deployed in
|   the last decade or so, you'd be forgiven for thinking that the only crypto
|   research done in the last 10 years (beyond basic crypto algorithms) was
|   STS/SPEKE and HMAC.  There seems to be this vast gulf between what crypto
|   researchers are working on and what practitioners actually need, so while
|   conferences are full of papers on group key management and anonymous voting
|   schemes and whatnot, people working on real-world implementations have to
|   home-brew their own mechanisms because there's nothing else available.  The
|   RFC 3211 wrap is actually parameterised so you can slip in something better
|   when it becomes available, but I can't see that ever happening because
|   researchers are too busy cranking out yet another secure multiparty
|   distributed computation paper that nobody except other researchers will ever
|   read.
| 
| (Did I miss offending anyone? :-).

The voting folks? ;)

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
   -Hume

Re: attack on rfc3211 mode (Re: disk encryption modes)

2002-05-10 Thread Peter Gutmann 

Adam Back <[EMAIL PROTECTED]> writes:

>I can see that, but the security of CBC MAC relies on the secrecy of the
>ciphertexts leading up to the last block.  In the case of the mode you
>describe in RFC3211, the ciphertexts are not revealed directly but they are
>protected under a mode which has the same splicing attack. The splicing attack
>on "CBC MAC with leading ciphertext" works through CBC encryption, here's how
>that works:

Right.  One minor point, the IV is never zero, for disk encryption it's a
cryptographic transform of the sector number, for PWRI it's supplied by the CMS
algorithm parameter (this doesn't affect the attack).

>I would have thought this would be considered a 'break' of a non-malleable
>cipher mode as discussed for disk encryption where each bit of plaintext
>depends on each bit of ciphertext as would be the case with a secure cipher
>matching Mercy's design goals (a block cipher used in ECB mode with a
>different key per block).

Yup.  Actually the no-stored-IV encryption was never designed to be a non-
malleable cipher mode, the design goal was to allow encryption-with-IV without
having to explicitly store an IV.  For PWRI it has the additional nice feature
of avoiding collisions when you use a 64-bit block cipher, which is probably
going to be the case for some time to come even with AES around.  It was only
after all that that I noticed that the first pass was effectively a CBC-MAC,
but it didn't seem important enough to mention it in the RFC since it wasn't an
essential property (good thing I didn't :-).

>With a disk mode, unlike with RFC3211 pasword based encryption for CMS there
>is no place to store the structure inside the plaintext which may to some
>extent defend against this attack.

Even with PWRI you get at most ~32 bits of protection, and can bypass even that
if you encrypt 5 or more 64-bit blocks and mess up the second block, since the
garble will propagate to at most 4 of the 5 blocks.  The 32-bit limit was
deliberate, I was worried about dictionary attacks above all else (in fact the
first version of the wrap was a bit too paranoid in that it had no redundancy
at all, which unfortunately meant that it wasn't possible to catch incorrect
passwords.  User complaints lead to the addition of the 24-bit check value
which is enough to catch virtually all mistyped passwords but not enough to
provide more than a small reduction in the number of guesses necessary for an
attacker.  The length byte is there so an attacker can't perform an iterative
attack where they change the algorithm ID for the wrapped key to 40-bit RC4 and
brute-force it, then 56-bit DES and brute-force the 16-bit difference, then 80-
bit Skipjack, 112-bit two-key 3DES, and finally 128-bit AES.  There was another
key wrap design where this was possible).

Digressing from the original disk-sector-encryption, I'd be interested in some
debate on the requirements for password-based key wrapping.  The design goals
I used were:

  1. Resistance to dictionary/password-guessing attacks above all else.

  2. No need to use additional algorithms like hash algorithms (see the RFC for
 the rationale, to save me typing it all in again).

The reason for 1. is that provided you use a secure cipher the best approach
for an attacker is going to be a dictionary attack or similar attack on the
password used to wrap the key.  Since the wrapping key is going to be used to
protect things like long-term private keys, this is an extremely high-value
item.

Note that the immunity to key-guessing requirement is mutually exclusive with
modification-detection, since (for example) storing a SHA-1 hash would allow
you to immediately verify whether you'd found the password/key.  This is the
exact problem which PKCS #12 has, you don't need to attack the key wrap since
the MAC on the wrapped data is a much easier target.  There's another key wrap
which stores a full SHA-1 hash alongside the wrapped key (to protect against
some problems present in an earlier version of the same key wrap mechanism,
which fell to fairly trivial attacks).  This is great for integrity protection,
but terrible for security, since it allows you to verify with pretty much 100%
accuracy whether you've guessed the password.I also looked at some sort of
OAEP-like wrapping (or, more generally, a Feistel-like construct of the kind
used in OAEP), but it seemed a bit ad-hoc when used with symmetric key wrap
rather than RSA.

Does anyone have any thoughts on symmetric key wrap, and specifically the
differences between high-value and low-value (ephemeral) key wrap requirements?

General rant: It's amazing that there doesn't seem to be any published research
  on such a fundamental crypto mechanism, with the result that everyone has to
  invent their own way of doing it, usually badly.  We don't even have a decent
  threat model for this, my attempt at one for password-based key wrap may or
  may not be appropriate (well, I hope it's more or less right), but it'