View Issue Details

IDProjectCategoryView StatusLast Update
000816910000-004: ServicesSpecpublic2023-06-19 15:41
ReporterBernd Edlinger Assigned ToRandy Armstrong  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Fixed in Version1.05.03 RC1 
Summary0008169: Unclear and/or misleading wording in the ECC Amendment - Need to clarify the Padding for Authenticated Encryption
Description

I refer to this document:

https://reference.opcfoundation.org/src/v104/Core/docs/Amendment4/readme.htm

In chapter "7.36.2.3 EncryptedSecret Format", this is written:

"The PayloadPaddingSize adjusted with the following formula:

    If (Secret.Length + PayloadPaddingSize < InputBlockSize) Then
            PayloadPaddingSize = PayloadPaddingSize + InputBlockSize

Where the InputBlockSize is specified by the SymmetricEncryptionAlgorithm."

The problem here is that InputBlockSize is not well defined for ChaCha20-Poly1305.
And some words about the rationale is why this extra padding is suggested, is also
needed. I think I brought this issue originally up in one of our security working group
meetings, and the reason for it was like this:

This avoids leaking any information about the actual password size in case it is
shorter than 16 characters, to make dictionary attacks somewhat less easy to
accomplish.

Since in the case of ChaCha20-Poly1305 the InputBlockSize can be an arbitrary
value, it is recommended to use 16, as in the case of AES ciphers, since it avoids
the possibility to leak information about the exact password length in case the
same user credential is encrypted according to different security policies.

TagsNo tags attached.
Commit Version
Fix Due Date

Activities

Randy Armstrong

2022-08-03 15:30

administrator   ~0017221

The term "InputBlockSize" is not defined. The SecurityProfiles need to be updated with the InputBlockSize and it should be the same as the InitializationVectorLength for AES.

Randy Armstrong

2023-05-10 23:14

administrator   ~0019311

Updated table 187 to say:

Additional padding added to ensure the size of the encrypted payload is an integer multiple of the InitializationVectorLength specified by the SecurityPolicyUri. If the InitializationVectorLength is less than 16 bytes then 16 bytes used instead.
The value of each byte is the least significant byte of the PayloadPaddingSize.

Jim Luth

2023-05-16 16:59

administrator   ~0019391

Reviewed text in Randy's versions -- needs to be integrated into the official draft from Matthias.

Jim Luth

2023-06-19 15:41

administrator   ~0019524

Agreed to changes in virtual F2F.

Issue History

Date Modified Username Field Change
2022-07-28 11:56 Bernd Edlinger New Issue
2022-07-28 11:56 Bernd Edlinger Status new => assigned
2022-07-28 11:56 Bernd Edlinger Assigned To => Randy Armstrong
2022-07-28 12:05 Randy Armstrong Project Specifications => 10000-006: Mappings
2022-07-28 12:30 Randy Armstrong Status assigned => new
2022-08-03 15:30 Randy Armstrong Note Added: 0017221
2022-08-03 15:49 Randy Armstrong Status new => assigned
2023-05-10 23:14 Randy Armstrong Status assigned => resolved
2023-05-10 23:14 Randy Armstrong Resolution open => fixed
2023-05-10 23:14 Randy Armstrong Fixed in Version => 1.05.03 RC1
2023-05-10 23:14 Randy Armstrong Note Added: 0019311
2023-05-10 23:15 Randy Armstrong Project 10000-006: Mappings => 10000-004: Services
2023-05-16 16:59 Jim Luth Note Added: 0019391
2023-06-19 15:41 Jim Luth Status resolved => closed
2023-06-19 15:41 Jim Luth Note Added: 0019524