Replace the block cipher mode used in the Network module
HoOngEe opened this issue · 6 comments
Currently, the Network module is using the block cipher mode aes-256-cbc. It does not contain message authentication, so replace it with aes-gcm mode, which is an authenticated encryption method. Here is the Rust implementation of the mode
Moreover, aes-gcm is not superior to aes-cbc. It has pros and cons.
The most significant con of aes-gcm for us is that it leaks the key when you use the same iv twice.
CodeChain uses the nonce shared on a handshake step, so you must modify this logic too.
Thanks, I had not considered the actual usage in Foundry at that time. I checked the Foundry code. Just a replacement of the function is not enough and a design seems to be needed to introduce aes-gcm-siv. I'll think about the issue.
The purpose of introducing aes-gcm-siv is to prevent adaptive chosen ciphertext attack. It assumes an attacker can tamper with ciphertext adaptively to the response of the player on the decryption side. However, I had not considered this threat model in accordance with our actual usage. Of course, getting rid of the possibility is meaningful. But if it has to accompany a p2p protocol change, I think we should be more careful about the change.
@sgkim126 What do you think of the pros and cons of the introduction?
@HoOngEe I agree with you.
If there is a possible threat scenario, we should change the protocol immediately, but if not, I think we should investigate more to change the protocol.
CodeChain is using AES-CBC mode in the Network module. AES-CBC doesn’t contain message authentication, so we need to apply AEAD to avoid the adaptive chosen ciphertext attack. However, in our p2p protocol, we use the nonce shared in the handshake step. So if we use AES-GCM, it leaks the key when the same iv is used twice.
I proposed to apply AES-GCM-SIV because using it can prevent the worst case in AES-GCM. However, AES-GCM-SIV also recommends that we don’t use an iv more than once. Therefore, it is necessary to change our p2p protocol to use AES-GCM-SIV for Foundry.
I investigated examples related to the network or p2p protocol using AES-GCM-SIV to refer to examples in creating the new protocol. However, I couldn’t find such protocols or examples in real-world applications. It’s a relatively new cipher, so it seems difficult to find a protocol that is using it yet.
Therefore, since there is no immediate way to add new modes or change protocols, I close this PR. Getting rid of the attack possibility and using AEAD is meaningful, so if a new way to apply AEAD is devised, then it will continue from there.
From PR #7
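An added example (not CodeChain/Foundry code) of the two points argued in this thread: an AES-CBC ciphertext can be altered in transit without the receiver noticing, while AES-GCM rejects the same tampering, and a session that shares one handshake nonce needs a per-message nonce derivation so the GCM key never sees the same nonce twice. Go is used because its standard library provides both modes; the key, handshake nonce and message are constructed sample values, and `messageNonce` is a hypothetical scheme, not the project's protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Sample key and handshake nonce constructed for this example (not project values).
var key = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var handshakeNonce = []byte("handshake-nc")          // 12 bytes, fixed per session
// cbcBitFlip encrypts one 16-byte block with AES-256-CBC, flips one IV bit in
// transit and decrypts: with no integrity check the flipped plaintext is accepted.
func cbcBitFlip(plain, iv []byte, pos int, mask byte) []byte {
	block, _ := aes.NewCipher(key) // fixed 32-byte key: cannot fail
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	tampered := append([]byte{}, iv...)
	tampered[pos] ^= mask // same bit flips in the first plaintext block
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, tampered).CryptBlocks(out, ct)
	return out
}

// gcmBitFlip does the same with AES-256-GCM: the tag no longer verifies and
// Open returns an error instead of altered data.
func gcmBitFlip(plain, nonce []byte) error {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block) // AES block size is 16: cannot fail
	ct := aead.Seal(nil, nonce, plain, nil)
	ct[0] ^= 0x01
	_, err := aead.Open(nil, nonce, ct, nil)
	return err
}

// messageNonce derives a distinct 12-byte nonce per message from the shared
// handshake nonce, a direction byte and a per-direction counter, so one key
// never sees a nonce twice (hypothetical scheme, not the project's protocol).
func messageNonce(base []byte, dir byte, counter uint64) []byte {
	n := append([]byte{}, base...)
	n[0] ^= dir
	binary.BigEndian.PutUint64(n[4:], binary.BigEndian.Uint64(base[4:])^counter)
	return n
}

func main() {
	out := cbcBitFlip([]byte("amount=000000100"), []byte("0123456789abcdef"), 15, '0'^'9')
	fmt.Printf("cbc: %s; gcm: %v\n", out, gcmBitFlip(out, messageNonce(handshakeNonce, 0, 1)))
}
```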