lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 23 Apr 2015 11:26:20 +0800
From:	Herbert Xu <herbert@...dor.apana.org.au>
To:	Steffen Klassert <steffen.klassert@...unet.com>,
	netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>,
	Paul Wouters <pwouters@...hat.com>,
	Linux Crypto Mailing List <linux-crypto@...r.kernel.org>
Subject: CCM/GCM implementation defect

Hi:

It looks like our IPsec implementations of CCM and GCM are buggy
in that they don't include the IV in the authentication calculation.

This definitely breaks interoperability with anyone who implements
them correctly.  The fact that there have been no reports on this
probably means that nobody has run into this in the field yet.

On the security side, this is probably not a big deal for CCM
because it always verifies the authentication tag after decryption.
But for GCM this may be a DoS issue as an attacker could modify
the IV without triggering the authentication check and thus cause
an unnecessary decryption.  For both CCM and GCM this will result
in random data injected as a packet into the network stack which
hopefully will be dropped.

In order to fix this without breaking backwards compatibility,
my plan is to introduce new templates such as rfc4106v2 which
implement the RFC correctly.  The existing templates will be
retained so that current users aren't broken by the fix.

Once the kernel side is complete we could then get the user-space
implementors to update their tools to request for the new v2
templates.

Comments?

Cheers,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists