IETF Logo Mail Archive

Re: [AVTCORE] Stephen Farrell's Discuss on draft-ietf-avtcore-srtp-aes-gcm-14: (with DISCUSS)

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 10 February 2015 13:49 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 614871A0271; Tue, 10 Feb 2015 05:49:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PyijC4mLIrhy; Tue, 10 Feb 2015 05:48:59 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4ECC61A026E; Tue, 10 Feb 2015 05:48:56 -0800 (PST)
X-AuditID: c1b4fb2d-f79fc6d000001087-a4-54da0c466001
Received: from ESESSHC013.ericsson.se (Unknown_Domain [153.88.253.124]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id B6.C8.04231.64C0AD45; Tue, 10 Feb 2015 14:48:54 +0100 (CET)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.59) with Microsoft SMTP Server id 14.3.210.2; Tue, 10 Feb 2015 14:48:54 +0100
Message-ID: <54DA0C45.2030609@ericsson.com>
Date: Tue, 10 Feb 2015 14:48:53 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, David McGrew <mcgrew@cisco.com>
References: <20141029122825.18943.78129.idtracker@ietfa.amsl.com> <3C4AAD4B5304AB44A6BA85173B4675CABC709A18@MSMR-GH1-UEA03.corp.nsa.gov> <545151F9.9050502@cs.tcd.ie> <B1821703-9D09-41C5-AAC1-5EBB9CE2ACC4@cisco.com> <54516572.8020601@cs.tcd.ie> <D825D4F3-26D3-49BE-9E32-0E4FFF89BC40@cisco.com> <5451737B.6060504@cs.tcd.ie> <2D4BE3ED-840A-444C-9D18-09BC3D937D64@cisco.com> <54CA135D.3020304@ericsson.com> <54D4D840.4080808@cs.tcd.ie> <54D8A297.9090505@ericsson.com> <54D93B9A.9090409@cs.tcd.ie>
In-Reply-To: <54D93B9A.9090409@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrDLMWRmVeSWpSXmKPExsUyM+Jvja4bz60Qg39d6hYve1ayW6z8dp3V Yu2RRIsZfyYyW0w49ZrV4uqqP+wW0/deY3dg95jyeyOrx9ruq2weS5b8ZPLo3/WS1ePL5c9s AaxRXDYpqTmZZalF+nYJXBmXH09nLJgvX7HgxS/GBsbv4l2MnBwSAiYSU5ofMELYYhIX7q1n 62Lk4hASOMIoMe3LHlYIZzmjxJ/FO1lAqngFtCV+XVwM1sEioCrRvn8fG4jNJmAhcfNHI5gt KhAssfj5U1aIekGJkzOfgPWKCARJLG5sA6thFuhkktjTnw5iCwvEScx6uYkdYtkbZok7N96B FXEKaEpMnQGyjAOoQVNi/S59iF55ieats5lBbCGgexqaOlgnMArOQrJuFkLHLCQdCxiZVzGK FqcWF+emGxnrpRZlJhcX5+fp5aWWbGIEBv/BLb91dzCufu14iFGAg1GJh9eg5GaIEGtiWXFl 7iFGaQ4WJXFeO+NDIUIC6YklqdmpqQWpRfFFpTmpxYcYmTg4pRoYXa+el40KzVWLFlX4ZRfO Vp95Z4uK1busT2uDO/RXa+2bUlChvlcwfdXuiW7Cy9JFLssa5T3Mv5KSktDSpDB128y2adnm X/i/Zs4NU9666sTbbw9ftB3R4j3+P0Uh3i+wc0XFv0cHo/qfuES0c6+asDOuR++Kn2D/z+o5 lt3hqqHzC9myb3spsRRnJBpqMRcVJwIApU7Co18CAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/avt/8QXRRf_eMaHha8Yriq2t5T-ndWo>
Cc: "avtcore-chairs@tools.ietf.org" <avtcore-chairs@tools.ietf.org>, "draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org" <draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org>, The IESG <iesg@ietf.org>, IETF AVTCore WG <avt@ietf.org>
Subject: Re: [AVTCORE] Stephen Farrell's Discuss on draft-ietf-avtcore-srtp-aes-gcm-14: (with DISCUSS)
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Feb 2015 13:49:01 -0000

Hi,

I would definitely want the authors to step in now and provide their
reasoning for why these options have been included.



On 2015-02-09 23:58, Stephen Farrell wrote:
> 
> Hi Magnus,
> 
> On 09/02/15 12:05, Magnus Westerlund wrote:
>> Hi Stephen,
>>
>> (as individual)
>> I also wished the WG was more active.
> 
> Yep, hard to evaluate consensus with so few commenting.
> 
> Thanks for the good analysis below, I'll respond here as I think
> that's better done in reverse order almost.
> 
> - aes-128 in any flavour is good enough, there's IMO no pressing
>   need for aes-256 here

Despite that we have a definition for AES-256 for SRTP already and
personally I find it a bit difficult to throw away work for something we
are likely to going to need in the future.

> - gcm vs. ccm: those are functionally equivalent as far as this
>   application is concerned I think - the only reason to have both
>   is if one has to deal with systems that only support one and not
>   the other; ccm is all that is available on some very constrained
>   devices for essentially historical reasons and again I don't see
>   why that is an issue here (it could be, but I don't recall anyone
>   saying that it is - apologies if I've forgotten)

Well, if I understand the security analysis then apparently CCM is less
sensitive to a weak authentication, and could use the 64 bit
authentication tag, while GCM needs a stronger one. Thus, from that
perspective, if we at all are going to have a shorter authentication tag
then 128 bits, then why not use the 64 bit CCM then as that is
significant saving, rather than only four bytes for the GCM.

> - I tend to agree with you about the 192 label
> 
> If I were correct in the above then all that'd be really needed is
> 
>           AEAD_AES_128_GCM    = {TBD, TBD }
>           AEAD_AES_128_GCM_12 = {TBD, TBD }
> 
> I'd argue that 2 options vs. 10 options may lead to overall
> better security and interop. as there will be many systems and
> libraries with less code and hence fewer bugs. (It's credible
> to argue that code size reduction might outweigh adding aes-256
> in a case where you don't worry about ciphertext being secure
> for decades.)

I understand the desire to avoid proliferation here. I might not see the
256 bit keys in the same way. Make it clear that they are optional and
that anyone supporting AES-GCM MUST support 128-bit keys. But based on
the above reasoning if we are doing only AES-GCM then I rather see:

            AEAD_AES_128_GCM    = {TBD, TBD }
            AEAD_AES_256_GCM    = {TBD, TBD }

If we based on my above argumentation think we should provide a short
tag version then I think the set to define would become:

         AEAD_AES_128_CCM    = {TBD, TBD }
         AEAD_AES_256_CCM    = {TBD, TBD }
         AEAD_AES_128_CCM_64 = {TBD, TBD }
         AEAD_AES_256_CCM_64 = {TBD, TBD }

Using Martin's suggestion for being consistent in bits vs bytes.

> 
> If we continue to have so few folks engaging on this maybe the
> best way to handle it would be to talk about it on an IESG
> informal telechat if we can get you and David (and Russ) all
> on the call? (Or over a beer in Dallas I guess as that's also
> getting close and there a bunch of IESG calls coming up that
> are devotes to BoFs and the Dallas schedule.)
> 

Yes, unless we get more opinions now, I think the way forward is to go
that road so that we can conclude.


Cheers

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email