CWE-329 and CBC mode


CWE-329 and CBC mode

Jeffrey Walton
Hi Everyone,

This caught my eye from a page on wikipedia:
http://cwe.mitre.org/data/definitions/329.html. The 329 page says:

    Not using a random initialization Vector (IV) with Cipher
    Block Chaining (CBC) Mode causes algorithms to be
    susceptible to dictionary attacks.

I don't believe CBC mode needs a random IV. I believe the only
requirement is an unpredictable IV. Also see NIST SP 800-38A, p.8
(https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).

The problem with CBC mode in SSL 3.0 was unpredictability, if I recall
properly. When using CBC mode with SSL 3.0, the next IV used was a
block from previous cipher text. It was not unpredictable. I think the
SSL/TLS folks fixed it by using a random IV in TLS 1.0, but that was
not the requirement for using CBC mode. It was merely one of the
easiest ways to fix it.

This also caught my eye from the 329 page:

    .... If it used to encrypt multiple data streams, dictionary
    attacks are possible, provided that the streams have a
    common beginning sequence.

That sounds like a key reuse problem. Or more generally, reusing
security parameters. Even if you used a random IV, reusing the
security parameters would still cause a problem. I don't think I would
blame an IV for that one.

And this caught my eye from the 329 page:

    CBC is the most commonly used mode of operation for a
    block cipher.

I think the use of authenticated encryption modes has made GCM the
most popular mode of operation nowadays.

Jeff
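The two points in the post above, that a predictable IV lets an observer see when two messages start the same way, and that a fresh unpredictable IV per message is what prevents it, are easiest to see by running CBC side by side in both settings. The following is an added example, not code from the thread or from CWE. To stay within the Python standard library it uses a 4-round Feistel network keyed with HMAC-SHA256 as a stand-in for AES (an assumption; the CBC chaining around it is the textbook algorithm), and the key and the two sample records are constructed for the demo.

```python
"""CBC mode and the IV: fixed (predictable) IV versus fresh random IV.

Added example for the CWE-329 thread. The block cipher below is a Feistel
stand-in for AES so that the script runs with only the standard library;
the CBC logic around it is the real mode of operation.
"""
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, same as AES
HALF = BLOCK // 2


def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Feistel round function: HMAC-SHA256 over (round index, right half)."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher: a 4-round Feistel permutation on 16-byte blocks."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7 padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C_i = E_k(P_i XOR C_{i-1}) with C_0 = IV. Returns IV || C_1..C_n."""
    assert len(iv) == BLOCK
    prev, out = iv, bytearray(iv)
    data = pad(plaintext)
    for off in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[off:off + BLOCK], prev))
        out += prev
    return bytes(out)


def equal_leading_blocks(ct1: bytes, ct2: bytes) -> int:
    """How many leading ciphertext blocks (after the IV) two ciphertexts share."""
    n = 0
    for off in range(BLOCK, min(len(ct1), len(ct2)), BLOCK):
        if ct1[off:off + BLOCK] != ct2[off:off + BLOCK]:
            break
        n += 1
    return n


def iv_leak_demo(fixed_iv: bool) -> int:
    """Encrypt two records with a common 32-byte prefix under one key and report
    how many leading ciphertext blocks an observer sees in common.

    With a fixed (or otherwise predictable) IV the count equals the number of
    shared plaintext blocks (2 here): the "common beginning sequence" leak.
    With a fresh random IV per message the count is 0.
    """
    key = b"K" * 32  # constructed demo key; never reuse a constant key in practice
    header = b"GET /api/v1/users HTTP/1.1\r\nHost"  # exactly 32 bytes = 2 blocks
    rec1 = header + b": a.example\r\n\r\n"  # constructed sample records that
    rec2 = header + b": b.example\r\n\r\n"  # differ only in the third block
    if fixed_iv:
        iv1 = iv2 = bytes(BLOCK)  # the weak setting: a constant, predictable IV
    else:
        iv1, iv2 = os.urandom(BLOCK), os.urandom(BLOCK)  # the fix: fresh IV per message
    return equal_leading_blocks(cbc_encrypt(key, iv1, rec1), cbc_encrypt(key, iv2, rec2))


if __name__ == "__main__":
    print("fixed IV, shared leading blocks :", iv_leak_demo(fixed_iv=True))
    print("random IV, shared leading blocks:", iv_leak_demo(fixed_iv=False))
```

The only thing that changes between the two runs is the IV, which is the point: the key is the same, the plaintexts are the same, and the leak appears or disappears purely on whether the IV was knowable in advance. The same check applies to any IV an observer can derive, such as one chained from the previous record's last ciphertext block.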
RE: CWE-329 and CBC mode

Sebastian Ganson
I wonder if the author(s) indicate CBC as "common" to indicate wider compatibility?

Sebastian

-----Original Message-----
From: Jeffrey Walton <[hidden email]>
Sent: Friday, February 26, 2021 6:09 AM
To: [hidden email]
Subject: CWE-329 and CBC mode
RE: CWE-329 and CBC mode

Kumar Mangipudi
I second Jeff. Yes, the only requirement for the IV of CBC is that it not be re-used; using a random one will most likely result in an IV that will never be used again.

--Kumar


RE: CWE-329 and CBC mode

Steven M Christey
All,

Thank you for your suggestions and comments.  The CWE crypto team is determining what changes need to be made to CWE-329 and related entries.

The team's current analysis is around the following areas:

- we agree that an emphasis on CBC mode needs to be addressed by ensuring that there is broader coverage that includes other algorithms such as GCM or CCM. Since a CWE entry's scope cannot be changed after its release - especially for an entry that's been around since 2006 - this is likely to force the creation of a new, more abstract entry.  Because CWE-329 is a Variant that's a child of a Class, this is a good opportunity to create a new Base entry.

- by coincidence, the team has been discussing randomness, entropy, and predictability, and we are deciding on terminology that's both commonly-understood by CWE users and technically accurate. In that vein, the use of "random" within CWE-329 might need to be adjusted, but we want to better spell out the differences between randomness and predictability.

- there are aspects of key reuse that probably need to be clarified, so we will also consider making other relevant changes.

We plan to implement many of these changes in CWE 4.4 on March 15, and we will update you on our progress in about a week.

All feedback is welcome, and thank you for helping to improve CWE.

Steve and the CWE crypto team


RE: CWE-329 and CBC mode

Steven M Christey
All,

CWE 4.4 was released on Monday, including the following changes:

- CWE-329 has been modified as described.
https://cwe.mitre.org/data/definitions/329.html

- a new parent was created: CWE-1204: Generation of Weak Initialization Vector (IV)
https://cwe.mitre.org/data/definitions/1204.html

The CWE crypto team is continuing to work with randomness/unpredictability overall, and we will have an external inquiry out soon.

Thank you for all your suggestions, and please share any additional feedback you have on these updated/new entries.

- Steve


-----Original Message-----
From: Steven M Christey <[hidden email]>
Sent: Tuesday, March 2, 2021 6:18 PM
To: Mangipudi, Narasimhakumar <[hidden email]>; Walton, Jeffrey <[hidden email]>; CWE Research Discussion <[hidden email]>
Subject: RE: CWE-329 and CBC mode

RE: CWE-329 and CBC mode

Sebastian Ganson
Quick observation - Potential Mitigations section mentions REF-1172 which doesn't appear to be in the References section?

Thanks,
Sebastian

-----Original Message-----
From: Steven M Christey <[hidden email]>
Sent: Tuesday, March 16, 2021 8:36 AM
To: Mangipudi, Narasimhakumar <[hidden email]>; Walton, Jeffrey <[hidden email]>; CWE Research Discussion <[hidden email]>
Subject: RE: CWE-329 and CBC mode