Re: [6tisch] TSCH and CCM security proofs
"Pascal Thubert (pthubert)" <pthubert@cisco.com> Thu, 11 July 2019 07:44 UTC
Return-Path: <pthubert@cisco.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 880071201AA for <6tisch@ietfa.amsl.com>; Thu, 11 Jul 2019 00:44:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=in/9sZWp; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Lc3pbFJ/
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zx1jiAlbyNJK for <6tisch@ietfa.amsl.com>; Thu, 11 Jul 2019 00:44:45 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1292512025D for <6tisch@ietf.org>; Thu, 11 Jul 2019 00:44:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9122; q=dns/txt; s=iport; t=1562831084; x=1564040684; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=xHIjT78/EmWR/cNiJF8qLtFYu8BGCUcJITI0W3oWruM=; b=in/9sZWpGcAY4GJph+jRrpsEDgMRtE/IWUvxz8NiCvuq5UPhON+P6wPw /xifdzEDcjCdpDgXAsODjZ+BmrNQTZgY+EeWDpGnf5iUUJ404Ho9s4Lst bknoHGDmzTOa/XOisF5nQLNzhJOI3C7ae5w+9ZXR6ywFpnAh6px2EILSC I=;
IronPort-PHdr: 9a23:PxawJRcbgvRbY6/dIF0Vr0l1lGMj4e+mNxMJ6pchl7NFe7ii+JKnJkHE+PFxlwGQD57D5adCjOzb++D7VGoM7IzJkUhKcYcEFnpnwd4TgxRmBceEDUPhK/u/dzA6Ac5PTkNN9HCgOk8TE8H7NBXf
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BIAACu5yZd/5BdJa1kHAEBAQQBAQcEAQGBUwcBAQsBgUNQA2pVIAQLKIQcg0cDhFKJdEyCD5dKgS6BJANUCQEBAQwBARgLCgIBAYN6RgIXgjcjNAkOAQMBAQQBAQIBBW2FPAyFSgEBAQEDAQEQEREMAQElBwwLBAIBCBEEAQEDAiYCAgIlCxUICAIEARIIGoMBgWoDHQECDKFYAoE4iGBxgTKCeQEBBYEyAYNSGIISAwaBDCgBiRWBFYEWAR0XgUA/gRFGgkw+gmEBAYE7KBWCczKCJowXCoJShyiUQAkCghmUI5gBjTGXQwIEAgQFAg4BAQWBUDiBWHAVO4JsgkEMF4NOhRSFP3KBKYwYglEBAQ
X-IronPort-AV: E=Sophos;i="5.63,476,1557187200"; d="scan'208";a="591941128"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 11 Jul 2019 07:44:43 +0000
Received: from XCH-RCD-002.cisco.com (xch-rcd-002.cisco.com [173.37.102.12]) by rcdn-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id x6B7ihew005324 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 11 Jul 2019 07:44:43 GMT
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by XCH-RCD-002.cisco.com (173.37.102.12) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 11 Jul 2019 02:44:42 -0500
Received: from xhs-aln-001.cisco.com (173.37.135.118) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 11 Jul 2019 02:44:42 -0500
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 11 Jul 2019 02:44:42 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xHIjT78/EmWR/cNiJF8qLtFYu8BGCUcJITI0W3oWruM=; b=Lc3pbFJ/IRllpzihzC/4Sf+lrcZ68LCcSandcUsl4wqiK8fKPDI921jcxCb467djbIToQnHhqI7OpEBQ3tIERdpCepFXFIbbYti+LhzvNn17KqBWYxjbcpFx4bJyKqKg3pLqgzaa3Ph6asquh1KxG8x9RQI5Db0A3U6pGvFVafw=
Received: from MN2PR11MB3565.namprd11.prod.outlook.com (20.178.250.159) by MN2PR11MB3840.namprd11.prod.outlook.com (20.178.254.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2052.18; Thu, 11 Jul 2019 07:44:41 +0000
Received: from MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::1ce9:1582:146c:c50a]) by MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::1ce9:1582:146c:c50a%6]) with mapi id 15.20.2052.022; Thu, 11 Jul 2019 07:44:41 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>, "6tisch@ietf.org" <6tisch@ietf.org>
Thread-Topic: [6tisch] TSCH and CCM security proofs
Thread-Index: AQHVN2kbtSz0WKIaPk+lRA58Z5ws06bFCViw
Date: Thu, 11 Jul 2019 07:44:20 +0000
Deferred-Delivery: Thu, 11 Jul 2019 07:43:31 +0000
Message-ID: <MN2PR11MB3565CBB6A212C64388B3AA28D8F30@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <23846.23772.363888.302178@fireball.acr.fi>
In-Reply-To: <23846.23772.363888.302178@fireball.acr.fi>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pthubert@cisco.com;
x-originating-ip: [2001:420:c0c0:1002::1b3]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 331b9259-232f-40d8-a1e7-08d705d3a24e
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:MN2PR11MB3840;
x-ms-traffictypediagnostic: MN2PR11MB3840:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <MN2PR11MB3840C83386A7AEFBC045A73BD8F30@MN2PR11MB3840.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0095BCF226
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(346002)(136003)(396003)(376002)(366004)(189003)(199004)(13464003)(102836004)(186003)(110136005)(15650500001)(7696005)(52536014)(316002)(256004)(33656002)(86362001)(5660300002)(14444005)(68736007)(66946007)(76116006)(66446008)(64756008)(76176011)(66476007)(66556008)(229853002)(53546011)(6506007)(446003)(11346002)(486006)(2906002)(2501003)(476003)(6306002)(9686003)(53936002)(6436002)(81166006)(81156014)(25786009)(55016002)(71200400001)(7736002)(8676002)(71190400001)(305945005)(46003)(74316002)(6666004)(6246003)(6116002)(99286004)(966005)(8936002)(14454004)(478600001); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB3840; H:MN2PR11MB3565.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ykm6pOHEXnvkOLAaWH3YIUuJhYKKsDg0+3idsWIPb01oZMdkExkvy+B4FOXkJyFvzJackewCrx56RlEuTaF82r5WWrCWphcV2vzyXb8CXIOTL5v/TKQDYcur4VKMGQNsAKIUyRkZ3u8Km2jjF+C0TTA5DKOJYVYcGgHVziy02CLP6zZS4NgGkr2gTgN2s7rXYp8maUldII56RBEy0MUKy71L2Jk2D2e1Sci1GaWZuNpLomu8sU2N3o8LSIpCjxaEhP2QE3zejyc2LST1EyvmTQMYdsDyDubQPzOqxOvDdi4xGrHUEuFHYRBwqeRJCGVUjlKng/tX5roxitDVVneYUMNpPWGrgsmro0nw7sv4wpUX8xbgI4aRCftkBOmof8sFkmOcHNYJg7qwriOnD5ghA9sWrCC41/jX2lWME1/Bi04=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 331b9259-232f-40d8-a1e7-08d705d3a24e
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jul 2019 07:44:41.4505 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pthubert@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB3840
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.12, xch-rcd-002.cisco.com
X-Outbound-Node: rcdn-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/MDA8EwchiCaDiqkWoV4UcPDyk30>
Subject: Re: [6tisch] TSCH and CCM security proofs
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 07:44:48 -0000
Many thanks Tero. Do you have an intention to add text like this in a draft or in annex of a draft? All the best, Pascal > -----Original Message----- > From: 6tisch <6tisch-bounces@ietf.org> On Behalf Of Tero Kivinen > Sent: mercredi 10 juillet 2019 23:47 > To: 6tisch@ietf.org > Subject: [6tisch] TSCH and CCM security proofs > > When I was doing 802.15.4 revision review, I found out that the Annex B says > that security proofs for CCM* only apply when nonce contains security level. > In TSCH mode nonce, the nonce does NOT include security level so the CCM* > security proofs cannot be used, thus it needs to revert back to normal CCM > security proofs, and that means that same key cannot be used with different > mic lengths. I.e., if you want to use MIC-32, MIC-64, and MIC-128 you must > use different keys for each of them. > > With non-TSCH mode it is safe to use same key for all of them, and the > security proofs still work. With TSCH not so much. > > I do not think there is any practical attack, as the security axiliary header > which is part of the MIC does contain the security level even in TSCH case, but > perhaps we still want to mandate in 6tisch that different key lengths MUST > use different keys just to keep in sync with CCM security proofs. > > This is text that has been there since 2006, but which I did just noticed now, > and which those who specified TSCH nonce generation also had missed. I > noticed it now when I started making proposed changes to fix the text and > remove all references to M=0 case, as we did remove encrypt only feature in > 2015. > > So from 802.15.4-2015: > > ---------------------------------------------------------------------- > B.4.3 Restrictions > > All implementations shall limit the total amount of data that is encrypted > with a single key. The CCM* encryption and authentication transformation > shall invoke not more than 2^61 block cipher encryption function invocations > with the same key in total. > > The CCM* decryption and authentication checking transformation shall not > expose any information if any verification check fails. The only information > that may be exposed in this case is that the authenticity verification > transformation failed; all other information, such as the purported plaintext, > shall be destroyed. > > NOTE 1 — With regard to security of the CCM* mode of operation, the > CCM* mode coincides with the original CCM mode specification (ANSI > X9.63-2001 [B2]) for messages that require authentication and, possibly, > encryption, but also offers support for messages that require only encryption. > Moreover, it can be used in implementation environments for which the use > of variable-length authentication tags, rather than fixed-length authentication > tags only, is beneficial. As with the CCM mode, the CCM* mode requires only > one key. The CCM* specification differs from the CCM specification, as > follows: > > — The CCM* mode allows the length of the Authentication field M to be > zero as well (the value M = 0 corresponding to disabling > authenticity because then the Authentication field is the empty > string). > > — The CCM* mode imposes a further restriction on the nonce N: it shall > encode the potential values for M so that one can uniquely determine > from N the actually used value of M. > > As a result, if M is fixed and the value M = 0 is not allowed, then there are no > additional restrictions on N, in which case the CCM* mode reduces to the > CCM mode. In particular, the proof of the CCM mode applies (Jonsson [B7] > and [B8]). > > For fixed-length authentication tags, the CCM* mode is equally secure as the > original CCM mode. For variable-length authentication tags, the > CCM* mode completely avoids, by design, the vulnerabilities that do apply to > the original CCM mode. > > For fixed-length authentication tags, the security proof of the original CCM > mode carries over to that of the CCM* mode (also for M = 0), by observing > that the proof of the original CCM mode relies on the following properties, > which slightly relax those stated in Jonsson [B7] and [B8] (relaxed property > indicated in italics): > > > — The B_0 field uniquely determines the value of the nonce N. > > — The authentication transformation operates on input strings B_0 || > B_1 || B_2 || ... || B_t from which one can uniquely determine the > input strings a and m (as well as the nonce N). In fact, for any two > input strings corresponding to distinct triples (N, m, a), neither > one is a prefix string of the other. > > — All the A_i fields are distinct from the B_0 fields that are > actually used (over the lifetime of the key), as those have a Flags > field with a nonzero encoding of M in the positions where all A_i > fields have an all-zero encoding of the integer 0. > > Hence, if M is fixed, then the CCM* mode offers the same security properties > as the original CCM mode: confidentiality over the input string m and data > authenticity over the input strings a and m, relative to the length of the > authentication tag. Obviously, if M = 0, then no data authenticity is provided > by the CCM* mode itself (but may be provided by an external mechanism). > > For variable-length authentication tags, the original CCM mode is known to > be vulnerable to specific attacks (e.g., Section 3.4 of Rogaway and Wagner > [B13]). These attacks may arise with the original CCM mode because the > decryption transformation does not depend on the length of the > authentication tag itself. The CCM* mode avoids these attacks altogether by > requiring that one shall be able to uniquely determine the length of the > applicable authentication tag from the A_i fields (i.e., from the counters > blocks). > > NOTE 2 — With regard to the interoperability between CCM mode and CCM* > mode of operation, the CCM* mode reduces to the CCM mode in all > implementation environments where the length of the authentication tag is > fixed and where the value M = 0 (encryption-only) is not allowed. > In particular, the CCM* mode is compatible with the CCM mode, as specified > in IEEE Std 802.11TM-2007 (for WLANs), IEEE Std > 802.15.3TM-2003 (for WPANs), and IEEE Std 802.15.4-2003 (for older > WPANs). > > NOTE 3 — Test vectors for cryptographic building blocks are given in Annex C. > -- > kivinen@iki.fi > > _______________________________________________ > 6tisch mailing list > 6tisch@ietf.org > https://www.ietf.org/mailman/listinfo/6tisch
- [6tisch] TSCH and CCM security proofs Tero Kivinen
- Re: [6tisch] TSCH and CCM security proofs Pascal Thubert (pthubert)
- Re: [6tisch] TSCH and CCM security proofs Tero Kivinen
- Re: [6tisch] TSCH and CCM security proofs Michael Richardson
- Re: [6tisch] TSCH and CCM security proofs Tero Kivinen
- Re: [6tisch] TSCH and CCM security proofs Michael Richardson
- Re: [6tisch] TSCH and CCM security proofs Tero Kivinen