
Security Analysis of SFrame

Ryoma Ito
October 07, 2021

This slide deck was presented at ESORICS 2021.

Transcript

  1. Security Analysis of SFrame
     Takanori Isobe (1,2,3), Ryoma Ito (2), Kazuhiko Minematsu (4)
     1 University of Hyogo, 2 NICT, 3 JST PRESTO, 4 NEC
     ESORICS 2021, October 7, 2021
  2. Background
     End-to-End Encryption (E2EE): a technology for a secure communication scheme
     - Only the communicating parties can send and read the messages
     - Nobody except the communicating parties, not even the service provider, has access to the encryption keys used to encrypt the messages
     - The Snowden revelations: even an honest server may be compromised by a powerful intelligence organization, e.g., the NSA
     Examples of messaging apps and video conference systems
     - Signal Protocol: adopted by WhatsApp, Facebook Messenger, Signal
     - SFrame (Secure Frame): adopted by Google Duo, Cisco Webex, Jitsi Meet
     - Others: iMessage (Apple), LINE, Zoom
  4. SFrame
     An E2EE mechanism for real-time communication traffic
     - proposed by a team of Google and CoSMo Software
     - designed to suppress communication overhead by encrypting the entire media frame instead of each media packet
     - specified in an Internet draft
       - defines a cryptographic protocol (authenticated encryption, hash functions, and signature algorithms), but not a key exchange protocol
       - our target: draft-omara-sframe-01 (*)
     (*) Based on our security analysis, the SFrame designers updated the draft to draft-omara-sframe-02.
  6. Cryptographic Protocol: SFrame Ciphersuites
     No.  Name                       Key length  Nonce length  Tag length
     1    AES_CM_128_HMAC_SHA256_8   16 bytes    12 bytes      8 bytes
     2    AES_CM_128_HMAC_SHA256_4   16 bytes    12 bytes      4 bytes
     3    AES_GCM_128_SHA256         16 bytes    12 bytes      N/A
     4    AES_GCM_256_SHA512         32 bytes    12 bytes      N/A
     (CM: Counter Mode)
     - An authenticated encryption with associated data (AEAD): AES-GCM or AES-CM-HMAC (a generic composition of AES-CTR and HMAC)
     - A hash function: SHA256 or SHA512
     - An optional signature algorithm: EdDSA over Ed25519 or ECDSA over P-521, computed from a list of AEAD tags
  8. Our Contributions (Security Analysis)
     Result 1: Security of AEAD under SFrame
     - provably secure in the context of standard AEAD
     Result 2: Security of AES-CM-HMAC with short tags
     - an impersonation attack by a malicious group member
     - exploits a vulnerability of the very short tag length
     Result 3: Security of AES-CM-HMAC with long tags
     - considered as a second-ciphertext unforgeability (SCU) secure AEAD
     Result 4: Security of AES-GCM with any long tags
     - an impersonation attack by a malicious group member
     - exploits the linearity of GHASH in the known-key setting
     Result 5: Security of AES-GCM with short tags
     - an authentication key recovery attack
     - exploits the fact that there is no restriction on the usage of GCM with short tags
  10. Result 1: Security of AEAD under SFrame (Security Analysis)
      Algorithm 2: AEAD encryption by AES-CM-HMAC
      Input: M, aad, K_e^KID, K_a^KID, N. Output: C, T
      1: procedure AEAD.Encryption(K_e^KID, K_a^KID, N, aad, M)
      2:   C = AES-CTR.Encryption(K_e^KID, N, M)
      3:   T = Tag.Generation(K_a^KID, aad, C)   [the slide highlights the form Tag.Generation(K_a^KID, N, aad, C) to show that N is not an input here]
      4: end procedure
      AES-CM-HMAC is secure under the standard assumptions:
      - AES is a pseudorandom permutation
      - HMAC is a pseudorandom function
      - Algorithm 2 by itself is not a generally secure AEAD, as it ignores N in the tag generation
      - Under SFrame the lack of N is not a problem, since aad contains CTR as well as N
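Added example (not part of the deck or of the SFrame draft): a Go rendering of Algorithm 2 as slide 10 describes it, AES-CTR followed by HMAC-SHA256 over aadLen ∥ aad ∥ C truncated to τ bytes, with the nonce deliberately absent from the MAC input. The counter-block layout, the sample keys, nonces and payload, and the header format (one KID byte followed by the nonce) are constructed assumptions of this example. The two experiments show the slide's point: with an aad that does not mention N, a receiver handed the same (C, T) under a different nonce passes the tag check and recovers garbage; with aad = header(N), as in SFrame, the same swap is rejected. The draft-02 change noted on slide 28 (the tag covering the nonce) is not modelled here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Tag length tau in bytes; 8 corresponds to AES_CM_128_HMAC_SHA256_8.
const tagLen = 8

// Constructed sample material (not from the deck): a 16-byte AES key,
// a 32-byte HMAC key, two 12-byte nonces differing in the last byte, a payload.
var (
	keyE   = []byte("0123456789abcdef")
	keyA   = []byte("HMAC-KEY-HMAC-KEY-HMAC-KEY-12345")
	nonce1 = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
	nonce2 = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}
	msg    = []byte("media frame payload (constructed sample)")
)

// aesCTR runs AES-CTR under ke. The 16-byte counter block is the 12-byte nonce
// followed by a 32-bit block counter starting at zero; that layout is an
// assumption of this example, not a statement about the draft's IV format.
func aesCTR(ke, nonce, in []byte) []byte {
	blk, err := aes.NewCipher(ke)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	copy(iv, nonce)
	out := make([]byte, len(in))
	cipher.NewCTR(blk, iv).XORKeyStream(out, in)
	return out
}

// tagGeneration is Tag.Generation of Algorithm 2: HMAC-SHA256 over
// D = aadLen || aad || C (the input used in the proof sketch), truncated to
// tagLen bytes. N is not an input.
func tagGeneration(ka, aad, c []byte) []byte {
	mac := hmac.New(sha256.New, ka)
	var aadLen [8]byte
	binary.BigEndian.PutUint64(aadLen[:], uint64(len(aad)))
	mac.Write(aadLen[:])
	mac.Write(aad)
	mac.Write(c)
	return mac.Sum(nil)[:tagLen]
}

// Encrypt is Algorithm 2: C = AES-CTR(K_e, N, M), T = Tag.Generation(K_a, aad, C).
func Encrypt(ke, ka, nonce, aad, m []byte) (c, t []byte) {
	c = aesCTR(ke, nonce, m)
	t = tagGeneration(ka, aad, c)
	return c, t
}

// Decrypt recomputes the tag, compares it in constant time, and only then decrypts.
func Decrypt(ke, ka, nonce, aad, c, t []byte) ([]byte, bool) {
	if !hmac.Equal(t, tagGeneration(ka, aad, c)) {
		return nil, false
	}
	return aesCTR(ke, nonce, c), true
}

// header models an aad that carries the nonce, as the SFrame header does
// ("aad contains CTR as well as N"). One KID byte then the nonce: constructed layout.
func header(nonce []byte) []byte {
	return append([]byte{0x01}, nonce...)
}

// NonceSwapWithConstantAAD encrypts under nonce1, then presents the same C and T
// together with nonce2 and an aad that does not mention the nonce. It reports
// whether the tag check accepts and whether the recovered plaintext is intact.
func NonceSwapWithConstantAAD() (accepted, plaintextIntact bool) {
	aad := []byte("static aad without the nonce")
	c, t := Encrypt(keyE, keyA, nonce1, aad, msg)
	pt, ok := Decrypt(keyE, keyA, nonce2, aad, c, t)
	return ok, ok && bytes.Equal(pt, msg)
}

// NonceSwapWithHeaderAAD repeats the experiment with aad = header(N); the receiver
// rebuilds the header from the nonce it was given, so the tag no longer matches.
func NonceSwapWithHeaderAAD() (accepted bool) {
	c, t := Encrypt(keyE, keyA, nonce1, header(nonce1), msg)
	_, ok := Decrypt(keyE, keyA, nonce2, header(nonce2), c, t)
	return ok
}

func main() {
	acc, intact := NonceSwapWithConstantAAD()
	fmt.Printf("aad without N: accepted=%v plaintext intact=%v\n", acc, intact)
	fmt.Printf("aad = header(N): accepted=%v\n", NonceSwapWithHeaderAAD())
}
```

Decrypt checks the tag before touching the ciphertext and uses hmac.Equal so that truncated tags are compared in constant time; the nonce is never fed to the MAC, which is exactly why the aad must carry it.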
  17. Result 2: Security of AES-CM-HMAC with Short Tags (Security Analysis)
      An impersonation attack by a malicious group member
      - exploits a vulnerability of the very short tag length
      - caused by the digital signature Sig being computed only over a list of AEAD tags
      Offline phase (malicious member):
      1. chooses the encryption input tuple (N, aad, M)
      2. computes a ciphertext C and a τ-bit tag T for (N, aad, M)
      3. stores the tuple (M, C, T) in the precomputation table
      4. repeats Steps 1-3 2^τ times with different messages
      [Figure: target member, other members, malicious member; the precomputation table lists (C, T) pairs, among them (C*, T*).]
  21. Result 2: Security of AES-CM-HMAC with Short Tags (continued)
      Online phase (malicious member):
      1. intercepts a target frame (N, aad, C′, T′, Sig) sent by the target member
      2. searches the table for a tuple (M*, C*, T*) such that T* = T′ and C* ≠ C′
      3. on finding such a tuple, replaces C′ with C* in the target frame and sends (N, aad, C*, T′, Sig) to the other group members
      [Figure: the target member sends (N, aad, C′, T′, Sig); the malicious member forwards (N, aad, C*, T′, Sig); the table entry (C*, T*) matches because T* = T′.]
      When the tag length is 4 bytes, if the adversary prepares 2^32 tuples in the table, the success probability is almost one.
  22. Result 3: Security of AES-CM-HMAC with Long Tags (Security Analysis)
      Theorem 1. Let A be an SCU adversary against AES-CM-HMAC with the target encryption output being at most ℓ bits. Then the SCU advantage of A against AES-CM-HMAC is bounded as
        Adv^{SCU}_{AES-CM-HMAC}(A) < 2 · Adv^{eSec[ℓ′]}_{H}(A′)
      for some eSec adversary A′ against H, which denotes the underlying SHA256 hash function, where ℓ′ = ℓ + 512 (i.e., one block larger).
      Second-ciphertext Unforgeability (SCU) secure AEAD [DGRW18]
      - a security notion for an unforgeability goal in the known-key setting
      Everywhere Second-Preimage (eSec) Resistance [RS04]
      - a slight extension of a strong form of second-preimage resistance
      [DGRW18] Y. Dodis et al. Fast Message Franking: From Invisible Salamanders to Encryptment. CRYPTO 2018.
      [RS04] P. Rogaway and T. Shrimpton. Cryptographic Hash-Function Basics. FSE 2004.
  23. Result 4: Security of AES-GCM with Any Long Tags (Security Analysis)
      An impersonation attack by a malicious group member
      - exploits the linearity of GHASH in the known-key setting
      - caused by the digital signature being computed only over (a list of) AEAD tags
      Example of GCM encryption with a 2-block ciphertext C = (C_1, C_2) and a 1-block aad = aad_1
      (authentication key L = E_K(0^128); ciphertext blocks C_i = E_K(N ∥ i+1) ⊕ M_i):
        T = GHASH(L, aad ∥ C ∥ Len(aad, C)) ⊕ E_K(N ∥ 1)
          = aad_1 · L^4 ⊕ C_1 · L^3 ⊕ C_2 · L^2 ⊕ Len(aad_1, C) · L ⊕ E_K(N ∥ 1)
      Attack procedure (malicious member):
      1. arbitrarily chooses N′, aad_1′, and the fake message block M_1′, and computes C_1′
      2. sets the final ciphertext block C_2′ so that the following equation holds:
        C_2′ · L^2 = T ⊕ aad_1′ · L^4 ⊕ C_1′ · L^3 ⊕ Len(aad_1′, C′) · L ⊕ E_K(N′ ∥ 1)
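Added example (not from the deck): the tag formula on slide 23 written out in Go and checked against the standard library's AES-GCM. gfMul follows NIST SP 800-38D Algorithm 1, and ghash is the Horner form of aad_1 · L^4 ⊕ C_1 · L^3 ⊕ C_2 · L^2 ⊕ Len · L, which makes visible that each block enters the tag as one linear term in L. The key, nonce, aad and message are constructed sample values; the code reproduces the honest tag computation only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// block128 is one 16-byte GCM block held as two big-endian 64-bit halves.
type block128 struct{ hi, lo uint64 }

func toBlock(b []byte) block128 {
	return block128{binary.BigEndian.Uint64(b[:8]), binary.BigEndian.Uint64(b[8:16])}
}

func (z block128) bytes() []byte {
	out := make([]byte, 16)
	binary.BigEndian.PutUint64(out[:8], z.hi)
	binary.BigEndian.PutUint64(out[8:], z.lo)
	return out
}

func xorBlock(a, b block128) block128 { return block128{a.hi ^ b.hi, a.lo ^ b.lo} }

// gfMul multiplies in GF(2^128) with GCM's bit ordering (SP 800-38D, Algorithm 1):
// bit 0 is the leftmost bit of the block, and the reduction constant is R = 11100001 || 0^120.
func gfMul(x, y block128) block128 {
	var z block128
	v := y
	for i := 0; i < 128; i++ {
		var bit uint64
		if i < 64 {
			bit = (x.hi >> uint(63-i)) & 1
		} else {
			bit = (x.lo >> uint(127-i)) & 1
		}
		if bit == 1 {
			z = xorBlock(z, v)
		}
		lsb := v.lo & 1
		v.lo = (v.lo >> 1) | (v.hi << 63)
		v.hi >>= 1
		if lsb == 1 {
			v.hi ^= 0xE100000000000000
		}
	}
	return z
}

// ghash evaluates the polynomial in Horner form, Y_i = (Y_{i-1} xor X_i) * L,
// which expands to aad_1*L^4 xor C_1*L^3 xor C_2*L^2 xor Len*L for the slide's inputs.
func ghash(l block128, blocks ...block128) block128 {
	var y block128
	for _, x := range blocks {
		y = gfMul(xorBlock(y, x), l)
	}
	return y
}

// encBlock returns E_K(in); counterBlock builds N || i with a 32-bit big-endian i.
func encBlock(blk cipher.Block, in []byte) []byte {
	out := make([]byte, 16)
	blk.Encrypt(out, in)
	return out
}

func counterBlock(nonce []byte, i uint32) []byte {
	cb := make([]byte, 16)
	copy(cb, nonce)
	binary.BigEndian.PutUint32(cb[12:], i)
	return cb
}

// TagFromSlideFormula takes a 16-byte aad_1 and a 32-byte M = (M_1, M_2) and returns
// C and T as on the slide: L = E_K(0^128), C_i = E_K(N || i+1) xor M_i,
// T = aad_1*L^4 xor C_1*L^3 xor C_2*L^2 xor Len(aad_1, C)*L xor E_K(N || 1).
func TagFromSlideFormula(key, nonce, aad1, m []byte) (c, t []byte) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	l := toBlock(encBlock(blk, make([]byte, 16)))
	c = make([]byte, 32)
	for i := 0; i < 2; i++ {
		ks := encBlock(blk, counterBlock(nonce, uint32(i+2)))
		for j := 0; j < 16; j++ {
			c[16*i+j] = ks[j] ^ m[16*i+j]
		}
	}
	var lenBlock [16]byte // bit lengths of aad and C, 64 bits each
	binary.BigEndian.PutUint64(lenBlock[:8], uint64(len(aad1))*8)
	binary.BigEndian.PutUint64(lenBlock[8:], uint64(len(c))*8)
	h := ghash(l, toBlock(aad1), toBlock(c[:16]), toBlock(c[16:]), toBlock(lenBlock[:]))
	return c, xorBlock(h, toBlock(encBlock(blk, counterBlock(nonce, 1)))).bytes()
}

// MatchesStdlibGCM checks the formula against crypto/cipher's AES-GCM on constructed inputs.
func MatchesStdlibGCM() bool {
	key := []byte("0123456789abcdef")              // constructed 128-bit key
	nonce := []byte("twelve-bytes")                 // constructed 96-bit nonce
	aad1 := []byte("frame-header-16B")              // exactly one block
	m := []byte("block one of twoblock two of two") // exactly two blocks
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	sealed := gcm.Seal(nil, nonce, m, aad1) // ciphertext || 16-byte tag
	c, t := TagFromSlideFormula(key, nonce, aad1, m)
	return bytes.Equal(sealed[:32], c) && bytes.Equal(sealed[32:], t)
}

func main() {
	fmt.Println("slide formula reproduces the AES-GCM tag:", MatchesStdlibGCM())
}
```

The comparison against cipher.NewGCM is the check that the reconstruction is faithful; if the bit convention in gfMul were wrong, the tags would differ.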
  27. Result 5: Security of AES-GCM with Short Tags (Security Analysis)
      An authentication key recovery attack
      - exploits the fact that there is no restriction on the usage of GCM with short tags
      NIST requirements for the use of GCM with short tags [MW16]:
        t = 32:  L: 2^1   2^2   2^3   2^4   2^5   2^6
                 q: 2^22  2^20  2^18  2^15  2^13  2^11
                 c: 2^62  2^62  2^61  2^65  2^66  2^67
        t = 64:  L: 2^11  2^13  2^15  2^17  2^19  2^21
                 q: 2^32  2^29  2^26  2^23  2^20  2^17
                 c: 2^75  2^74  2^73  2^72  2^71  2^70
      - t: tag length (bits)
      - L: maximum combined length of aad and C
      - q: maximum number of invocations of the authenticated decryption function
      - c: data complexity of the authentication key recovery under each restriction of (L, q)
      The SFrame specification does not mention the restrictions on (L, q)
      - The attack is practically feasible with a data complexity of 2^6 (e.g., for the 4-byte tag).
      [MW16] J. Mattsson et al. Authentication Key Recovery on Galois/Counter Mode (GCM). AFRICACRYPT 2016.
  28. Summary (Conclusion)
      SFrame is not E2EE-secure when using the following ciphersuites:
      - AES-CM-HMAC with short tags, especially the 4-byte tag
      - AES-GCM with any long tags
      SFrame is E2EE-secure when using AES-CM-HMAC with long tags
      - its SCU security depends on the security of the underlying hash function
      Communication with the SFrame designers
      - They acknowledged our findings and quickly revised the specification:
        - remove the signature mechanism
        - extend the tag calculation to cover nonces
      - draft-omara-sframe-01 → draft-omara-sframe-02 (current version)
  30. Recommendations (Appendix)
      From the vulnerabilities shown in Results 2-5, we recommend the following:
      1. For AES-CM-HMAC, short tags, especially the 4-byte tag, should not be used
      2. For AES-GCM, a signature should be computed over the whole frame, not only over the tags
      3. For AES-GCM, the specification should clearly forbid short tags, or refer to the NIST requirements on the usage of GCM with short tags
      4. Switching to another ciphersuite that works as a secure encryptment scheme, such as HFC [DGRW18], with a sufficiently long tag is another option
      [DGRW18] Y. Dodis et al. Fast Message Franking: From Invisible Salamanders to Encryptment. CRYPTO 2018.
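Added example (not from the deck or the draft) illustrating recommendation 2 with Go's crypto/ed25519: the same pair of frames signed once over the tag list only, as draft-01 did, and once over every field of every frame. The ciphertext substitution that Results 2 and 4 produce is asserted directly, the second ciphertext being written in with the tag left unchanged; frames, tags, field layout and the signing seed are constructed values, not SFrame wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Frame is a simplified SFrame-style record: nonce, header (aad), ciphertext, AEAD tag.
type Frame struct {
	Nonce, AAD, C, Tag []byte
}

// Deterministic signing key from a constructed seed (sample material, not a real key).
var signerSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

func signerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(signerSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// tagsOnly is the draft-01 style signature input: the concatenated AEAD tags.
func tagsOnly(frames []Frame) []byte {
	var buf []byte
	for _, f := range frames {
		buf = append(buf, f.Tag...)
	}
	return buf
}

// wholeFrames is the recommendation-2 input: every field of every frame,
// length-prefixed so that field boundaries cannot be shifted.
func wholeFrames(frames []Frame) []byte {
	var buf []byte
	put := func(b []byte) {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(b)))
		buf = append(buf, n[:]...)
		buf = append(buf, b...)
	}
	for _, f := range frames {
		put(f.Nonce)
		put(f.AAD)
		put(f.C)
		put(f.Tag)
	}
	return buf
}

// genuineFrames are the sender's frames (constructed values; the tags are
// placeholders, not real HMAC or GCM outputs).
func genuineFrames() []Frame {
	return []Frame{
		{Nonce: []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}, AAD: []byte("hdr-1"), C: []byte("genuine ciphertext 1"), Tag: []byte{0xde, 0xad, 0xbe, 0xef}},
		{Nonce: []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}, AAD: []byte("hdr-2"), C: []byte("genuine ciphertext 2"), Tag: []byte{0x01, 0x02, 0x03, 0x04}},
	}
}

// substituted models the outcome of Results 2 and 4: a group member holding the
// AEAD key has replaced C of the first frame with a different ciphertext that
// carries the same tag. The replacement is asserted here, not computed.
func substituted(frames []Frame) []Frame {
	out := make([]Frame, len(frames))
	copy(out, frames)
	out[0].C = []byte("replaced ciphertext1")
	return out
}

// TagOnlySignatureSurvivesSubstitution reports whether a signature over the tag
// list still verifies after the ciphertext substitution (the weakness).
func TagOnlySignatureSurvivesSubstitution() bool {
	pub, priv := signerKeys()
	sig := ed25519.Sign(priv, tagsOnly(genuineFrames()))
	return ed25519.Verify(pub, tagsOnly(substituted(genuineFrames())), sig)
}

// WholeFrameSignatureRejectsSubstitution reports whether a signature over the
// whole frames accepts the genuine frames and rejects the substituted ones.
func WholeFrameSignatureRejectsSubstitution() bool {
	pub, priv := signerKeys()
	sig := ed25519.Sign(priv, wholeFrames(genuineFrames()))
	genuineOK := ed25519.Verify(pub, wholeFrames(genuineFrames()), sig)
	forgedOK := ed25519.Verify(pub, wholeFrames(substituted(genuineFrames())), sig)
	return genuineOK && !forgedOK
}

func main() {
	fmt.Println("tags-only signature survives substitution:", TagOnlySignatureSurvivesSubstitution())
	fmt.Println("whole-frame signature rejects substitution:", WholeFrameSignatureRejectsSubstitution())
}
```

The length prefixes in wholeFrames matter: signing a bare concatenation would let a verifier be confused about where one field ends and the next begins, which is a separate ambiguity from the one the slide describes.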
  32. Proof Sketch of Theorem 1 (Appendix)
      [Figure: HMAC drawn as two chains of the compression function f, the inner chain starting from IV with K ⊕ ipad and absorbing the blocks D_0, …, D_{l-1}, the outer chain starting from IV with K ⊕ opad; intermediate value S, output T. The same chains for D*_0, …, D*_{l-1} give S* and T*.]
      D = aadLen ∥ aad ∥ C
      D* = aadLen ∥ aad ∥ C*
  35. Proof Sketch of Theorem 1 (Appendix, continued)
      [Figure: the same two HMAC chains for D and D*, with the questions S = S*? and T = T*? marked.]
      Case 1: A finds S = S*   (①)
      Case 2: A finds S ≠ S* and T = T*   (②)
        Adv^{SCU}_{AES-CM-HMAC}(A) ≤ Adv^{eSec[ℓ′]}_{H}(A′) [①] + Adv^{eSec[1024]}_{H}(A′) [②]
        Adv^{SCU}_{AES-CM-HMAC}(A) < 2 · Adv^{eSec[ℓ′]}_{H}(A′)