[6tisch] TSCH and CCM security proofs
Tero Kivinen <kivinen@iki.fi> Wed, 10 July 2019 21:47 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AAA31201E5 for <6tisch@ietfa.amsl.com>; Wed, 10 Jul 2019 14:47:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.419
X-Spam-Level:
X-Spam-Status: No, score=-3.419 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WoG6Jlqop8-s for <6tisch@ietfa.amsl.com>; Wed, 10 Jul 2019 14:47:12 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F583120025 for <6tisch@ietf.org>; Wed, 10 Jul 2019 14:47:11 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id x6ALl8Ws007121 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <6tisch@ietf.org>; Thu, 11 Jul 2019 00:47:08 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id x6ALl8qT026084; Thu, 11 Jul 2019 00:47:08 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <23846.23772.363888.302178@fireball.acr.fi>
Date: Thu, 11 Jul 2019 00:47:08 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: 6tisch@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 16 min
X-Total-Time: 16 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/40DjZyw7J_B5hIGhKhHEvErIYbQ>
Subject: [6tisch] TSCH and CCM security proofs
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 21:47:14 -0000
When I was doing 802.15.4 revision review, I found out that the Annex B says that security proofs for CCM* only apply when nonce contains security level. In TSCH mode nonce, the nonce does NOT include security level so the CCM* security proofs cannot be used, thus it needs to revert back to normal CCM security proofs, and that means that same key cannot be used with different mic lengths. I.e., if you want to use MIC-32, MIC-64, and MIC-128 you must use different keys for each of them. With non-TSCH mode it is safe to use same key for all of them, and the security proofs still work. With TSCH not so much. I do not think there is any practical attack, as the security axiliary header which is part of the MIC does contain the security level even in TSCH case, but perhaps we still want to mandate in 6tisch that different key lengths MUST use different keys just to keep in sync with CCM security proofs. This is text that has been there since 2006, but which I did just noticed now, and which those who specified TSCH nonce generation also had missed. I noticed it now when I started making proposed changes to fix the text and remove all references to M=0 case, as we did remove encrypt only feature in 2015. So from 802.15.4-2015: ---------------------------------------------------------------------- B.4.3 Restrictions All implementations shall limit the total amount of data that is encrypted with a single key. The CCM* encryption and authentication transformation shall invoke not more than 2^61 block cipher encryption function invocations with the same key in total. The CCM* decryption and authentication checking transformation shall not expose any information if any verification check fails. The only information that may be exposed in this case is that the authenticity verification transformation failed; all other information, such as the purported plaintext, shall be destroyed. NOTE 1 — With regard to security of the CCM* mode of operation, the CCM* mode coincides with the original CCM mode specification (ANSI X9.63-2001 [B2]) for messages that require authentication and, possibly, encryption, but also offers support for messages that require only encryption. Moreover, it can be used in implementation environments for which the use of variable-length authentication tags, rather than fixed-length authentication tags only, is beneficial. As with the CCM mode, the CCM* mode requires only one key. The CCM* specification differs from the CCM specification, as follows: — The CCM* mode allows the length of the Authentication field M to be zero as well (the value M = 0 corresponding to disabling authenticity because then the Authentication field is the empty string). — The CCM* mode imposes a further restriction on the nonce N: it shall encode the potential values for M so that one can uniquely determine from N the actually used value of M. As a result, if M is fixed and the value M = 0 is not allowed, then there are no additional restrictions on N, in which case the CCM* mode reduces to the CCM mode. In particular, the proof of the CCM mode applies (Jonsson [B7] and [B8]). For fixed-length authentication tags, the CCM* mode is equally secure as the original CCM mode. For variable-length authentication tags, the CCM* mode completely avoids, by design, the vulnerabilities that do apply to the original CCM mode. For fixed-length authentication tags, the security proof of the original CCM mode carries over to that of the CCM* mode (also for M = 0), by observing that the proof of the original CCM mode relies on the following properties, which slightly relax those stated in Jonsson [B7] and [B8] (relaxed property indicated in italics): — The B_0 field uniquely determines the value of the nonce N. — The authentication transformation operates on input strings B_0 || B_1 || B_2 || ... || B_t from which one can uniquely determine the input strings a and m (as well as the nonce N). In fact, for any two input strings corresponding to distinct triples (N, m, a), neither one is a prefix string of the other. — All the A_i fields are distinct from the B_0 fields that are actually used (over the lifetime of the key), as those have a Flags field with a nonzero encoding of M in the positions where all A_i fields have an all-zero encoding of the integer 0. Hence, if M is fixed, then the CCM* mode offers the same security properties as the original CCM mode: confidentiality over the input string m and data authenticity over the input strings a and m, relative to the length of the authentication tag. Obviously, if M = 0, then no data authenticity is provided by the CCM* mode itself (but may be provided by an external mechanism). For variable-length authentication tags, the original CCM mode is known to be vulnerable to specific attacks (e.g., Section 3.4 of Rogaway and Wagner [B13]). These attacks may arise with the original CCM mode because the decryption transformation does not depend on the length of the authentication tag itself. The CCM* mode avoids these attacks altogether by requiring that one shall be able to uniquely determine the length of the applicable authentication tag from the A_i fields (i.e., from the counters blocks). NOTE 2 — With regard to the interoperability between CCM mode and CCM* mode of operation, the CCM* mode reduces to the CCM mode in all implementation environments where the length of the authentication tag is fixed and where the value M = 0 (encryption-only) is not allowed. In particular, the CCM* mode is compatible with the CCM mode, as specified in IEEE Std 802.11TM-2007 (for WLANs), IEEE Std 802.15.3TM-2003 (for WPANs), and IEEE Std 802.15.4-2003 (for older WPANs). NOTE 3 — Test vectors for cryptographic building blocks are given in Annex C. -- kivinen@iki.fi
- [6tisch] TSCH and CCM security proofs Tero Kivinen
- Re: [6tisch] TSCH and CCM security proofs Pascal Thubert (pthubert)
- Re: [6tisch] TSCH and CCM security proofs Tero Kivinen
- Re: [6tisch] TSCH and CCM security proofs Michael Richardson
- Re: [6tisch] TSCH and CCM security proofs Tero Kivinen
- Re: [6tisch] TSCH and CCM security proofs Michael Richardson
- Re: [6tisch] TSCH and CCM security proofs Tero Kivinen