No mention against some Oracle Attacks

[kentakayama]

The recipient SHOULD carefully reply on decryption failure to prevent some attacks.

Padding Oracle Attacks (+ Encryption Oracle Attacks)

• What is it?
  • The attacker can obtain the plaintext (and generate arbitrary ciphertext) without knowing the encryption key
  • if the recipient replies the reason of error such as "padding incorrect"
  • Padding Oracle Attacks
• Countermeasure
  • The recipient MUST NOT tell the reason for decryption error in suit-report
  • even if the recipient encrypts it, some attacker may guess the reason from ciphertext of suit-report
• Do we have to mention it?
  • Yes. It is better to add some text to suit-firmware-encryption or suit-report document like "The recipient MUST NOT tell the detailed error message such as padding incorrect to the sender in suit-report."

Decryption Oracle Attacks

• What is it?
  • The attacker can obtain the plaintext without knowing the encryption key
  • if the attacker knows the plaintext pattern
  • It could be practical if there is a low entropy template for plaintext payload
  • and the recipient replies the error itself
  • AEAD-to-CBC Downgrade Attacks on CMS
• Countermeasures against Downgrade Attacks
  • The sender MUST include the algorithm id into the value of suit-encryption-info for AEAD algorithms
  • The recipient MUST verify it before decryption e.g. by verifying the Manifest block in Envelope with suit-authentication-wrapper
• Countermeasures against Decryption Oracle Attacks with AES-CBC
  • Separate AES keys of -CBC and -GCM if the recipient and sender support both of them (from the AEAD-to-CBC Downgrade Attacks on CMS slide)
  • (I think we need to research more and more.)
• Do we have to mention it?
  • Against Downgrade Attacks: It might be better to add "The algorithm identifier MUST be placed in protected or unprotected header." somewhere in the suit-firmware-encryption.
  • Verifying the Manifest block is already mentioned in suit-manifest document

Resources

• Content-Type: multipart/oracle - Tapping into Format Oracles in Email End-to-End Encryption

  In an oracle attack, an attacker queries a system with a cryptographic task and observes a function of the task’s outcome. If the function validates the decrypted plaintext’s padding, it is called a padding oracle [3]. More generally, if the function checks the plaintext’s format, it is called a format oracle [29].

[kentakayama]

@hannestschofenig In the last meeting, we've talked a bit about the Decryption Oracle Attacks presented at LAMPS WG in IETF 118. While researching on it, I found another attack, Padding Oracle Attack, on AES-CBC mode and it seems more realistic. I think it is better to add some notes in security considerations in suit-firmware-encryption or suit-report documents. I'm still wondering the Decryption Oracle Attacks is realistic on SUIT Encrypted Payload case.