Re: [AVTCORE] Comments on the draft-ietf-avtcore-srtp-aes-gcm-01

["Igoe, Kevin M." <kmigoe@nsa.gov>]

I'd like to thank Woo-Hwang Kim for the effort he put into reviewing

draft-ietf-avtcore-srtp-aes-gcm-01.  He raised many valid points, and
the authors

have a -02 draft nearing completion that addresses his observations.
Many thanks

to Woo-Hwan and the AVTCORE mailing list.

 

From: avt-bounces@ietf.org [mailto:avt-bounces@ietf.org] On Behalf Of
Woo-Hwan Kim
Sent: Monday, July 16, 2012 1:49 AM
To: avt@ietf.org; draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org
Cc: Daesung Kwon; Je Hong Park
Subject: [AVTCORE] Comments on the draft-ietf-avtcore-srtp-aes-gcm-01

 

Hi.

 

Here are some comments on the draft-ietf-avtcore-srtp-aes-gcm-01.

 

1. typos and minors

 

p.4 DTLS -> DTLS-SRTP

p.8 ROS -> ROC

p.11 the corresponding STRCP encrypted -> the corresponding SRTCP
encrypted

p.13 C_max -> C_MAX

p.18 AEAD_AES_128_CCM -> AEAD_AES_128_GCM

p.18 AEAD_AES_256_CCM -> AEAD_AES_256_GCM

 

2. On the CCM decryption

 

In this draft, there is no separation between GCM and CCM except
"Tag_Size_Flag". 

It means both modes have the same parameters (nonce length, counter
block length etc.) and the same IV format (described in Sections 8.1 and
9.1). 

But that does not hold if the authors intend to apply the interfaces of
CCM described in RFC 5116. 

For example, the counter block length parameter q is not 4 but 3 when
the length of nonce is 12 octets. 

 

According to the InputFormatting Function proposed in NIST SP 800-38C
(and referred by RFC 5116), 

Tag_Size_Flag recommended in this draft is derived when q=3. 

Note that such parameter is related to several AEAD parameters, and so a
large portion of the draft should be revised.

 

3. CCM Tag Validation

 

Section 5.3 says

"The ciphertext MUST NOT be decrypted until the AEAD tag has been
validated. The associated data

MUST NOT be released until the AEAD tag has been validated."

 

The above does not hold for CCM mode of operation, 

because it is required to decrypt ciphertext before confirming the
validation of the AEAD tag.

 

4. Ciphertext length expansion for SRTP

 

Section 9.2 says

"Since the AEAD cipher is larger than the plaintext by exactly the
length of the AEAD authentication 

tag, the corresponding STRCP encrypted packet replaces the plaintext
field with a slightly larger 

field containing the cipher."

 

Does this sentence only hold for SRTCP?

 

5. Input/output data for CCM (Sections 5.2.1 and 5.2.2)

 

Both input and output data for CCM require Tag_Size_Flag, but that is
the value which can be computed 

by three parameters (defined in NIST SP 800-38C). Because Tag_Size_Flag
is not included in SRTP/SRTCP 

packets, the only way to share the same Tag_Size_Flag is to fix
authentication tag length and counter 

block length in advance.

 

Additionally, Section 5.2.1 says the only output of "Encrypt Mode" is
"Ciphertext" with bit string length = legnth
length(ciphertext)-tag_length. 

What is the difference between "ciphertext" and "Ciphertext". If length
of the "Ciphertext" does not consider the length of "authentication
tag", 

where is authentication tag?

 

 

6. CCM tag length specification

 

Section 10.3

 

RFC5116 only defines AEAD_AES_128/256_CCM with 16 octets tag length.

 

Section 13.2

 

"Note that these SRTP Protection Profiles do not specify an
auth_function, auth_key_length, or 

auth_tag_length because all of these profiles use AEAD algorithms, and
thus do not use a separate auth_function, auth_key, or auth_tag."

 

In IANA AEAD registry, there is no entry for AEAD_AES_128/256_CCM_12. 

It means that there is no official reference for AES_CCM with 96-bit
authentication tag. So it is required to define 

AEAD_AES_128/256_CCM_12 independently in this document, similar to
AEAD_AES_128/256_CCM_8 defined for 

TLS usage(internet draft, AES-CCM Cipher Suites for TLS). 

 

For SDES, it may be necessary to add CCM-related crypto suites with 64-
and 96-bit authentication tags.

 

Thanks.

 

Woo-Hwan Kim