0008169: Unclear and/or misleading wording in the ECC Amendment - Need to clarify the Padding for Authenticated Encryption - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0008169	10000-004: Services	Spec	public	2022-07-28 11:56	2023-06-19 15:41

Reporter	Bernd Edlinger	Assigned To	Randy Armstrong
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Fixed in Version	1.05.03 RC1

Summary	0008169: Unclear and/or misleading wording in the ECC Amendment - Need to clarify the Padding for Authenticated Encryption
Description	I refer to this document: https://reference.opcfoundation.org/src/v104/Core/docs/Amendment4/readme.htm In chapter "7.36.2.3 EncryptedSecret Format", this is written: "The PayloadPaddingSize adjusted with the following formula: `If (Secret.Length + PayloadPaddingSize < InputBlockSize) Then PayloadPaddingSize = PayloadPaddingSize + InputBlockSize` Where the InputBlockSize is specified by the SymmetricEncryptionAlgorithm." The problem here is that InputBlockSize is not well defined for ChaCha20-Poly1305. And some words about the rationale is why this extra padding is suggested, is also needed. I think I brought this issue originally up in one of our security working group meetings, and the reason for it was like this: This avoids leaking any information about the actual password size in case it is shorter than 16 characters, to make dictionary attacks somewhat less easy to accomplish. Since in the case of ChaCha20-Poly1305 the InputBlockSize can be an arbitrary value, it is recommended to use 16, as in the case of AES ciphers, since it avoids the possibility to leak information about the exact password length in case the same user credential is encrypted according to different security policies.
Tags	No tags attached.

Commit Version
Fix Due Date

Randy Armstrong 2022-08-03 15:30 administrator ~0017221	The term "InputBlockSize" is not defined. The SecurityProfiles need to be updated with the InputBlockSize and it should be the same as the InitializationVectorLength for AES.

Randy Armstrong 2023-05-10 23:14 administrator ~0019311	Updated table 187 to say: Additional padding added to ensure the size of the encrypted payload is an integer multiple of the InitializationVectorLength specified by the SecurityPolicyUri. If the InitializationVectorLength is less than 16 bytes then 16 bytes used instead. The value of each byte is the least significant byte of the PayloadPaddingSize.

Jim Luth 2023-05-16 16:59 administrator ~0019391	Reviewed text in Randy's versions -- needs to be integrated into the official draft from Matthias.

Jim Luth 2023-06-19 15:41 administrator ~0019524	Agreed to changes in virtual F2F.

Date Modified	Username	Field	Change
2022-07-28 11:56	Bernd Edlinger	New Issue
2022-07-28 11:56	Bernd Edlinger	Status	new => assigned
2022-07-28 11:56	Bernd Edlinger	Assigned To	=> Randy Armstrong
2022-07-28 12:05	Randy Armstrong	Project	Specifications => 10000-006: Mappings
2022-07-28 12:30	Randy Armstrong	Status	assigned => new
2022-08-03 15:30	Randy Armstrong	Note Added: 0017221
2022-08-03 15:49	Randy Armstrong	Status	new => assigned
2023-05-10 23:14	Randy Armstrong	Status	assigned => resolved
2023-05-10 23:14	Randy Armstrong	Resolution	open => fixed
2023-05-10 23:14	Randy Armstrong	Fixed in Version	=> 1.05.03 RC1
2023-05-10 23:14	Randy Armstrong	Note Added: 0019311
2023-05-10 23:15	Randy Armstrong	Project	10000-006: Mappings => 10000-004: Services
2023-05-16 16:59	Jim Luth	Note Added: 0019391
2023-06-19 15:41	Jim Luth	Status	resolved => closed
2023-06-19 15:41	Jim Luth	Note Added: 0019524