Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[AES-GCM] Add Key Commitment #206

Closed
commial opened this issue Jul 22, 2024 · 1 comment
Closed

[AES-GCM] Add Key Commitment #206

commial opened this issue Jul 22, 2024 · 1 comment
Labels
enhancement New feature or request
Milestone
Format v2

Comments

@commial
Copy link
Contributor

commial commented Jul 22, 2024
edited
Loading

As described in 1 and 2, AES-GCM does not ensure "key commitment", ie.

ciphertext should only decrypt to a valid plaintext under the key used to generate the
ciphertext

In other words, an attacker could force the recipient to decrypt the ciphertext with a wrong key. Even if the obtained cleartext won't be the original one, it could mislead the user -- which might think it is -- or help reach potentially vulnerable code.

MLA is a target similar to the "Envelope Encryption" section in 1: for a given ciphertext, several recipients must obtain the same plaintext.
Given the format of MLA, this attack is unlikely to be exploitable: one would have to forge a correct footer, which is several bytes long, while keeping "interesting" values in it.

But following the "better be safe than sorry" philosophy, especially regarding the cryptographic part, the following changes are proposed:

  1. based on the "padding fix" idea in 1, add a 512-bits (2x256 bits for 256bits security) long fixed chain at the beginning of the cryptographic layer (encrypted)
  2. on key decapsulation, the chain is decrypted and compared to the original one. Operations continues only if the chain is correct

The chain is at the beginning to ensure repair will still work. Adding an expected clear-text of 512-bits ensure the key used is the expected one (otherwise, it would means that 2 keys decrypt the same ciphertext to the same cleartext under AES-256).

Drawbacks:

  • This addition increase the size of the resulting archive. But a 512-bits addition seems to be negligible in the current uses of MLA
  • It requires an update of the format, at least of the layer, which is a breaking change
  • It gives a decryption oracle (one can test if one key is the correct one), but the key space is expected to be large enough and others decryption oracles (for instance, files contents and their hashes) already exists in MLA

Footnotes

  1. "How to Abuse and Fix Authenticated Encryption Without Key Commitment", Usenix'22 2 3

  2. "Fast Message Franking: From Invisible Salamanders to Encryptment"

@commial commial added the enhancement New feature or request label Jul 22, 2024
@commial commial added this to the Format v2 milestone Jul 22, 2024
This was referenced Jul 22, 2024
Open
Merged
@commial
Copy link
Contributor Author

commial commented Jul 26, 2024

Fixed by #209

@commial commial closed this as completed Jul 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
Format v2
Development

No branches or pull requests
1 participant
@commial