Replies: 1 comment
Hello! Our security team is analyzing the details of the DPAPI implementation now; they came to the same conclusion that the risk of these types of attacks exists. For instance, if DPAPI is used to protect authentication cookies there is a possibility that an attacker can compose his own key modifier and construct his own cookie which, upon receipt at the server side, will be successfully decrypted and authenticated as someone's credentials. If the scheme used in DPAPI is key committing, the server cannot successfully decrypt and authenticate received data because it does not possess the key the attacker used to construct his cookie. Can you provide your opinion regarding this?
Hello.
I have a question concerning the proposed AEAD encryption scheme (KDF + GCM, as described here).
As stated in the description, the main idea behind this scheme is to create an AEAD key using `keyModifier`, `contextHeader` and `AAD`, and then use that key in GCM encryption for `data`. To ensure the security of an AEAD cipher, it must provide the following properties:
• Secrecy for encrypted data (at least CPA security).
• Integrity of ciphertext and AAD using the `authTag`.
Recently, there have been attacks proposed in the context of key-commitment for AEAD ciphers. It has been demonstrated that GCM is not key-committing. In other words: given `k`, `m`, `c`, `t` with `(t,c) = E(k,m)`, there exists `k'`, `m'` s.t. `D(k', (t,c)) = m'` (i.e. `(t,c)` is the correct tag-ciphertext pair for the GCM cipher `(E,D)` under some key `k'` and message `m'`). This implies that the same tag-ciphertext pair could correspond to multiple keys.
So, for the proposed KDF + GCM scheme the `authTag` does not guarantee the uniqueness of the key `K_E`. As `AAD` is only used as input for the `K_E` key generation, it seems like the proposed construction does not guarantee the uniqueness of `AAD`. The attacker can potentially (somehow) obtain `(t,c) = KDF+GCM_ENC(AAD, ...)`, and then construct their own `AAD'`, which can be decrypted and verified using `KDF+GCM_DEC`, compromising the security of `AAD`.
While this attack would (probably) be almost impossible to execute in practice (as the attacker would not have access to the KDF oracle, and the KDF itself is a PRF, so the attacker cannot force the usage of an arbitrary GCM key of his own choice), it's essential to consider potential security implications.
My question is whether this type of attack has been taken into account during the design of the KDF+GCM scheme.
More on AEAD key-commitment:
https://eprint.iacr.org/2020/1153.pdf
https://eprint.iacr.org/2022/1260.pdf
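As an added illustration (not code from this thread, nor from the DPAPI project under discussion), the Go program below sketches the key-committing variant the question is asking about: alongside the GCM key `K_E` it derives a commitment value `K_C` from the very same KDF inputs (`keyModifier`, `contextHeader`, `AAD`), prepends `K_C` to the output, and verifies it in constant time before any GCM decryption is attempted. The KDF is an HMAC-SHA256 stand-in, and the function names, blob layout and sample inputs are all assumptions made for the example, not the real scheme's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	commitLen = 32 // HMAC-SHA256 output, used as the commitment value K_C
	nonceLen  = 12 // standard GCM nonce size
)

// ErrCommitment is returned when the commitment value in the blob does not
// match the one recomputed from the receiver's KDF inputs.
var ErrCommitment = errors.New("key commitment mismatch: KDF inputs differ from those used to encrypt")

// prf is the KDF stand-in (an assumption, not the real DPAPI KDF): HMAC-SHA256
// over a label followed by length-prefixed fields, so that different field
// layouts cannot collide.
func prf(master []byte, label string, fields ...[]byte) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(label))
	for _, f := range fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		mac.Write(n[:])
		mac.Write(f)
	}
	return mac.Sum(nil)
}

// deriveKeys returns the GCM key K_E and the commitment value K_C. Both are
// functions of the same inputs, so K_C identifies which K_E was used and thus
// which (keyModifier, contextHeader, AAD) triple the blob was created under.
func deriveKeys(master, keyModifier, contextHeader, aad []byte) (kE, kC []byte) {
	kE = prf(master, "enc", keyModifier, contextHeader, aad)    // 32 bytes -> AES-256-GCM
	kC = prf(master, "commit", keyModifier, contextHeader, aad) // 32 bytes, sent in clear
	return kE, kC
}

// Encrypt produces kC || nonce || GCM(ciphertext || tag). As in the scheme under
// discussion, AAD enters only through the KDF, so Seal receives no extra data.
func Encrypt(master, keyModifier, contextHeader, aad, data []byte) ([]byte, error) {
	kE, kC := deriveKeys(master, keyModifier, contextHeader, aad)
	block, err := aes.NewCipher(kE)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, kC...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, data, nil), nil
}

// Decrypt recomputes K_C from the receiver's own KDF inputs and refuses to
// touch GCM at all unless it matches the value carried in the blob.
func Decrypt(master, keyModifier, contextHeader, aad, blob []byte) ([]byte, error) {
	if len(blob) < commitLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	gotC := blob[:commitLen]
	nonce := blob[commitLen : commitLen+nonceLen]
	ct := blob[commitLen+nonceLen:]
	kE, kC := deriveKeys(master, keyModifier, contextHeader, aad)
	if subtle.ConstantTimeCompare(gotC, kC) != 1 {
		return nil, ErrCommitment
	}
	block, err := aes.NewCipher(kE)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample inputs for the stand-alone run.
	master := []byte("constructed-32-byte-master-key!!")
	blob, _ := Encrypt(master, []byte("mod"), []byte("ctx"), []byte("user=alice"), []byte("secret"))
	pt, err := Decrypt(master, []byte("mod"), []byte("ctx"), []byte("user=alice"), blob)
	fmt.Printf("same AAD:      %q, err=%v\n", pt, err)
	_, err = Decrypt(master, []byte("mod"), []byte("ctx"), []byte("user=mallory"), blob)
	fmt.Printf("different AAD: err=%v\n", err)
}
```

The point of the ordering is that the commitment check, not the GCM tag, decides whether a blob belongs to a given `AAD`: a tag that happens to verify under some second key `K_E'` is only ever tried if the accompanying `K_C` also matches, and `K_C` for a substituted `AAD'` is a PRF output the attacker cannot compute without the master key. Reporting the mismatch as a distinct `ErrCommitment` rather than a generic GCM failure also gives the server side something specific to log and alert on.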