Re: [AVTCORE] Criticism on draft-ietf-avtcore-srtp-aes-gcm

Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 24 April 2014 14:51 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/avt/DXVWEIbhezEqFjOw1E9fzlxGxOE

Florian,

I would like to point out one factual error in your criticism:

The draft does mandate support for the longest, 128-bit, authentication
tag if one supports the cipher at all. This is a quote from Section 13.1:

   Any implementation of AES-GCM SRTP MUST support both AEAD_AES_128_GCM
   and AEAD_AES_256_GCM (the versions with 16 octet AEAD authentication
   tags), and it MAY support the four other variants shown in table 1.

Similarly, from 13.2 for AES-CCM:

   Any implementation of AES-CCM SRTP/SRTCP MUST support both
   AEAD_AES_128_CCM and AEAD_AES_256_CCM (the versions with 16 octet
   AEAD authentication tags), and MAY support the other four variants.

But, to be fair, this was changed very recently.

I would also note that the draft's security considerations section does
discuss the actual authentication protection for AES-GCM being shorter
than the authentication tag length.

It is up to the WG to discuss if it thinks there should be any changes
based on your input. And I have to ask you what you think should be the
action based on your personal opinion.

Cheers

Magnus Westerlund
WG chair


On 2014-04-22 17:11, Florian Zeitz wrote:
> Hello,
> 
> I'd like to call this working group's attention to the fact that
> yesterday an article in German[1] was published, harshly
> criticising draft-ietf-avtcore-srtp-aes-gcm-11.
> 
> The draft is therein called the NSA's newest attempt at weakening
> internet security.
> The criticism is largely based on Niels Ferguson's 2005 paper
> "Authentication weaknesses in GCM"[2].
> 
> In particular the points I can identify are:
> 
> Repeated from Ferguson's paper
> * GCM should no longer be used
> * if GCM has to be used, the authentication tag should be 128-bit
>   (the draft currently mandates implementation of the 64-bit
>    variant, the others are purely optional)
> * the paper uses telephony as an example in its "A disastrous scenario"
>   section. Yet this draft recommends GCM for telephony
> 
> Attributed to Michael Kafka, a "security expert" from Vienna:
> * mixing confidentiality and authentication makes attacks easier
> * in practice performance gains are negligible on modern smartphones
> 
> The article also insinuates that David McGrew is deliberately
> co-authoring a draft he knows to be insecure, somehow under the pressure
> of the NSA.
> 
> While I do not necessarily personally agree with the criticism, or the
> conclusions, I would like this working group and the authors to address
> it in some way.
> 
> Regards,
> Florian Zeitz
> 
> [1] http://fm4.orf.at/stories/1737330/
> [2]
> http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf
> 


-- 

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
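To make the "shorter than the tag length" point in the reply above concrete, here is an added example (not code from the draft, the thread, or any SRTP implementation) that estimates the forgery resistance GCM actually delivers for a given tag length and packet size, and turns that into a local acceptance policy for the negotiated variant. The 16-octet and 8-octet (64-bit) tag lengths come from the thread; the variant names with 12- and 8-octet tags, the 1500-octet maximum packet size and the 100-bit policy threshold are assumptions for illustration.

```python
import math

# Tag lengths in octets of the SRTP AEAD variants under discussion.
# The 16-octet versions are the ones the draft makes mandatory; the
# 8-octet (64-bit) tag is the one the criticism refers to. The names of
# the shorter-tag variants are assumed here, not quoted from the thread.
VARIANT_TAG_OCTETS = {
    "AEAD_AES_128_GCM": 16,
    "AEAD_AES_256_GCM": 16,
    "AEAD_AES_128_GCM_12": 12,  # assumed name, 96-bit tag
    "AEAD_AES_128_GCM_8": 8,    # assumed name, 64-bit tag
}

AES_BLOCK_OCTETS = 16


def forgery_probability(tag_bits, message_octets):
    """Approximate success chance of a single GCM forgery attempt.

    GHASH is a polynomial in the hash subkey whose degree grows with the
    message, so a t-bit tag over an l-block message can be hit with
    probability on the order of l / 2^t rather than 1 / 2^t. Ferguson's
    paper (cited in the thread) shows this bound is reachable and that
    each success also leaks information about the hash subkey.
    """
    blocks = math.ceil(message_octets / AES_BLOCK_OCTETS)
    return blocks / 2 ** tag_bits


def effective_auth_bits(tag_bits, message_octets):
    """Authentication strength actually delivered: -log2 of the bound."""
    return -math.log2(forgery_probability(tag_bits, message_octets))


def tag_policy_ok(variant, max_packet_octets, min_effective_bits):
    """Accept a variant only if its effective strength for the largest
    packet the session can carry meets the local threshold."""
    tag_bits = 8 * VARIANT_TAG_OCTETS[variant]
    return effective_auth_bits(tag_bits, max_packet_octets) >= min_effective_bits


def choose_variant(offered, max_packet_octets, min_effective_bits):
    """Pick the first offered variant that passes the policy, else None."""
    for variant in offered:
        if variant in VARIANT_TAG_OCTETS and tag_policy_ok(
                variant, max_packet_octets, min_effective_bits):
            return variant
    return None
```

For a 1500-octet packet the 64-bit tag yields roughly 57 bits of forgery resistance and the 128-bit tag roughly 121, which is the gap the security considerations section refers to.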