[AVTCORE] Comments on the draft-ietf-avtcore-srtp-aes-gcm-02
Woo-Hwan Kim <whkim5@ensec.re.kr> Tue, 28 August 2012 04:14 UTC
Return-Path: <woohwankim@gmail.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5DEE21F849D for <avt@ietfa.amsl.com>; Mon, 27 Aug 2012 21:14:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.511
X-Spam-Level:
X-Spam-Status: No, score=-2.511 tagged_above=-999 required=5 tests=[AWL=0.465, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id brQU+iE7n4EK for <avt@ietfa.amsl.com>; Mon, 27 Aug 2012 21:14:38 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id B4A3B21F8495 for <avt@ietf.org>; Mon, 27 Aug 2012 21:14:37 -0700 (PDT)
Received: by iabz21 with SMTP id z21so10941650iab.31 for <avt@ietf.org>; Mon, 27 Aug 2012 21:14:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:cc:content-type; bh=m1hU7iKYuzHaaiLFi111BD+HqLp8QEh9cAV/waouYoc=; b=s7z3Fwj55ftHjPgH2bfe5wwxN6MVvkxxb9Q6mH6QENolykMX5PQoo84vLpSE1/6TMz S8ZI/iO1O8+kD2mCCjSQL4/KAA6eKPFAArAOaSjXaQgjGwZkhxs1HdknkKvZ76fRwutr LVuX52mHRc8OCv9lgXwglMeTD/3c4QDiTFEfBXqoXUuHezk3RXpOJWNVNdgL5dgQ/qbV Xf+Fx/a7TVZ14JFADWMcP69raviM80OjU9RWVmCJv3WRw2zX8Eq3zqhzs5o45TWBGxWV mSf15wyKMiyM6qYqJxN+nWCtaXG49oVRqlXl3xdsAyJT/X4MFjP+Hc8QVfUuHK7lg+LR dPXg==
MIME-Version: 1.0
Received: by 10.50.6.168 with SMTP id c8mr12156848iga.21.1346127274851; Mon, 27 Aug 2012 21:14:34 -0700 (PDT)
Sender: woohwankim@gmail.com
Received: by 10.64.64.164 with HTTP; Mon, 27 Aug 2012 21:14:34 -0700 (PDT)
Date: Tue, 28 Aug 2012 13:14:34 +0900
X-Google-Sender-Auth: 5Js2YVfuBUqRQ-IpVEO6Rk2rUhI
Message-ID: <CAMRi9CcDtM2gqyjYXXTH8X-7Uz8kutXMV_UCBeaQ66nMzZKjYA@mail.gmail.com>
From: Woo-Hwan Kim <whkim5@ensec.re.kr>
To: avt@ietf.org, draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org
Content-Type: multipart/alternative; boundary="e89a8f6467150a3e2804c84bae43"
Cc: Daesung Kwon <ds_kwon@ensec.re.kr>, Je Hong Park <jhpark@ensec.re.kr>
Subject: [AVTCORE] Comments on the draft-ietf-avtcore-srtp-aes-gcm-02
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Aug 2012 04:14:41 -0000
Hi.
Here are some comments on the draft-ietf-avtcore-srtp-aes-gcm-02.
1. Typos
Sections 5.2.1, 6. length(plaintext) → length(Plaintext) i.e. plaintext =>
Plaintext
Section 5.2.2. length(ciphertext) → length(Ciphertext) i.e. ciphertext
=> Ciphertext
Section 6. 12 octet IV => 12-octet IV
Section 6. ~ to form cipher => to form ciphertext
Section 6(CCM part). 4-octet block counter => 3-octet block counter
Section 6(CCM pseudocode). assert len(plaintext) <= 2**28 => ... (2**28-16)
Section 6. keystream of length of up to 2^24 octets for AES-CCM => ...
2^28-16 octgets ...
* In CCM counter starts from 0 and the first block is used for generation
the tag.
Sections 9.1, 10.1 12 octet initialization vector => 12-octet
initialization vector (IV)
Section 10.3. cipher field => ciphertext field
Section 11.1. C_MAX CCM: MUST be at most 2^24+16 octets => ... 2^28 octets
...
2. Mode of operations
In Section 6, keystream generation parts of GCM and CCM are described.
But, both descriptions have some flaws based on NIST specifications
For GCM, pseudocode should be modified as follows:
====================================================================
def GCM_keystream(Plaintext, IV, Encryption_key): assert len(Plaintext)
<== (2**36 - 32)
key_stream = ""
block_counter = 1
first_key_block = AES_ENC(data = IV || block_counter,
key = Encryption_key)
while len(key_stream) < len(Plaintext):
block_counter = block_counter + 1
key_block = AES_ENC(data = IV || block_counter,
key = Encryption_key)
key_stream = key_stream || key_block
key_stream = truncate(key_stream, len(Plaintext))
return (key_stream, first_key_block)
====================================================================
Here, the role of the "first_key_block" (or pre_counter block stated in
NIST SP 800-38C) is the same as that of the "last_key_block"
For CCM, pseudocode should be modified as follows:
====================================================================
def CCM_keystream(Plaintext, IV, Counter_Flag, Encryption_key): assert
len(Plaintext) <== 2**28
key_stream = ""
block_counter = 0
first_key_block = AES_ENC(data = Counter_block_Flag || IV ||
block_counter,
key = Encryption_key)
while len(key_stream) < len(Plaintext):
block_counter = block_counter + 1
key_block = AES_ENC(data = Counter_Flag || IV || block_counter,
key = Encryption_key)
key_stream = key_stream || key_block
key_stream = truncate(key_stream, len(Plaintext))
return (key_stream, first_key_block)
====================================================================
Tag_Size_Flag is only used as the leading octet of the output value of
InputFormattingFunction.
And there is a separate flag namely Counter_Flag to formatting the counter
block.
Because the pseudocode described in this draft is related to keystream
generation, the flag should be Counter_Block_Flag.
As noted in GCM, the "first_key_block" is used to generate AEAD
authenticated tag.
3. In Section 5.2, AES-CCM uses a Tag_Size_Flag...:
There are two kinds of flags in CCM. One is in the input formatting
function and the other is in the counter block.
"Tag_Size_Flag" seems to be the former and it is determined by the
existence of associated data, tag size and block counter size.
Thus the term "Tag_Size_Flag" seems to be unsuitable.
Moreover, the term "Tag_Size_Flag" does not have to be used, since the
algorithm choice determines the tag size in CCM similarly to GCM,
4. RFC 4771
It seems that there are some differences on implementing RFC 4771 when AEAD
authentication mechanism is used instead of general MAC algorithm.
Though the description of those differences is out of scope of this draft,
it may be possible to make certain of it.
5. In Sections 9.2, 10.2 and 10.3, the length of authentication tags for
SRTP and SRTCP have the same fixed value (32-bit).
In RFC 3711, however, authentication tag length is configurable.
6. In Section 10.2 (Data types in encrypted SRTCP compounded packets), can
the case of empty plaintext field be occurred?
7. Comparing with Figure 4, the only difference of Figure 5 is that the
plaintext field is to be authenticated but not encrypted.
It would be better to unify the description of Sections 10.2 and 10.3 like
Section 3.4 in RFC 3711.
8. In Section 11.2 and 11.3, the tag size of mandatory implementation for
GCM is 8 octets while that for CCM is 16 octets.
Are there any reasons causing this difference?
9. What about addition of the following cipher suites in 14.1 like DTLS?
- AEAD_AES_128_CCM_8, AEAD_AES_128_CCM_12, AEAD_AES_256_CCM_8,
AEAD_AES_256_CCM_12.
Thanks.
Woo-Hwan Kim
- [AVTCORE] Comments on the draft-ietf-avtcore-srtp… Woo-Hwan Kim
- Re: [AVTCORE] Comments on the draft-ietf-avtcore-… Igoe, Kevin M.