No mention against some Oracle Attacks #52

Open
kentakayama opened this issue Jan 30, 2024 · 1 comment
kentakayama commented Jan 30, 2024

The recipient SHOULD reply carefully on decryption failure to prevent some attacks.

Padding Oracle Attacks (+ Encryption Oracle Attacks)

  • What is it?
    • The attacker can obtain the plaintext (and generate arbitrary ciphertext) without knowing the encryption key
    • if the recipient replies with the reason for the error, such as "padding incorrect"
    • Padding Oracle Attacks
  • Countermeasure
    • The recipient MUST NOT tell the reason for decryption error in suit-report
    • even if the recipient encrypts it, an attacker may guess the reason from the ciphertext of the suit-report
  • Do we have to mention it?
    • Yes. It is better to add some text to suit-firmware-encryption or suit-report document like "The recipient MUST NOT tell the detailed error message such as padding incorrect to the sender in suit-report."

Decryption Oracle Attacks

  • What is it?
    • The attacker can obtain the plaintext without knowing the encryption key
    • if the attacker knows the plaintext pattern
      • It could be practical if there is a low entropy template for plaintext payload
    • and the recipient replies with the error itself
    • AEAD-to-CBC Downgrade Attacks on CMS
  • Countermeasures against Downgrade Attacks
    • The sender MUST include the algorithm id in the value of suit-encryption-info for AEAD algorithms
    • The recipient MUST verify it before decryption e.g. by verifying the Manifest block in Envelope with suit-authentication-wrapper
  • Countermeasures against Decryption Oracle Attacks with AES-CBC
    • Separate AES keys of -CBC and -GCM if the recipient and sender support both of them (from the AEAD-to-CBC Downgrade Attacks on CMS slide)
    • (I think we need to research this further.)
  • Do we have to mention it?
    • Against Downgrade Attacks: It might be better to add "The algorithm identifier MUST be placed in protected or unprotected header." somewhere in the suit-firmware-encryption.

Resources

In an oracle attack, an attacker queries a system with a cryptographic task and observes a function of the task’s outcome. If the function validates the decrypted plaintext’s padding, it is called a padding oracle [3]. More generally, if the function checks the plaintext’s format, it is called a format oracle [29].
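Added example (not code from the SUIT drafts or from the issue author), in Python, sketching the two countermeasures listed above: the algorithm-id allowlist check that runs before any decryption, and a suit-report that never distinguishes one decryption failure from another. The failure names, the allowlist structure and the JSON report shape are this example's own assumptions; only the COSE algorithm ids 1 (A128GCM) and 3 (A256GCM) are taken from RFC 9053.

```python
import json
from enum import Enum
from typing import Callable, Optional

# COSE content-encryption algorithm identifiers the recipient accepts
# (A128GCM = 1, A256GCM = 3, from the RFC 9053 registry). Anything else,
# including a missing label, is rejected before decryption is attempted.
ALLOWED_AEAD_ALGS = {1: "A128GCM", 3: "A256GCM"}

class Failure(Enum):
    """Internal decryption-failure reasons; names and strings are constructed."""
    ALG_NOT_ALLOWED = "algorithm identifier missing or not an accepted AEAD"
    AUTH_FAILED = "authentication tag mismatch"
    PADDING_INCORRECT = "padding incorrect"

def check_encryption_info(protected_header: dict) -> Optional[Failure]:
    """Downgrade countermeasure: read the alg id (COSE header label 1) from
    the integrity-protected header and refuse anything outside the AEAD
    allowlist before any ciphertext is touched."""
    if protected_header.get(1) not in ALLOWED_AEAD_ALGS:
        return Failure.ALG_NOT_ALLOWED
    return None

def verbose_suit_report(failure: Failure, local_log: list) -> bytes:
    """What the issue argues against: the reason travels back to the sender,
    so each failure class produces a different (and differently sized) report."""
    local_log.append(failure.name)
    return json.dumps({"success": False, "reason": failure.value}).encode()

def hardened_suit_report(failure: Failure, local_log: list) -> bytes:
    """The detailed reason stays on the device (local_log only); every
    decryption failure yields a byte-identical report, so even the length
    of its ciphertext reveals nothing about the cause."""
    local_log.append(failure.name)
    return json.dumps({"success": False}).encode()

def reports_distinguishable(report_fn: Callable[[Failure, list], bytes]) -> bool:
    """True if the report function acts as an oracle, i.e. two different
    failure reasons produce two different reports."""
    local_log: list = []
    return len({report_fn(f, local_log) for f in Failure}) > 1

if __name__ == "__main__":
    print("verbose report is an oracle:", reports_distinguishable(verbose_suit_report))
    print("hardened report is an oracle:", reports_distinguishable(hardened_suit_report))
```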

kentakayama (Contributor, Author) commented
@hannestschofenig
In the last meeting, we talked a bit about the Decryption Oracle Attacks presented at the LAMPS WG in IETF 118.
While researching it, I found another attack, the Padding Oracle Attack, on AES-CBC mode, and it seems more realistic.
I think it is better to add some notes to the security considerations in the suit-firmware-encryption or suit-report documents.
I'm still wondering whether the Decryption Oracle Attacks are realistic in the SUIT Encrypted Payload case.
