Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15: Issue with short tags
"Ben Campbell" <ben@nostrum.com> Wed, 22 July 2015 11:24 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4547C1B2BF3 for <avt@ietfa.amsl.com>; Wed, 22 Jul 2015 04:24:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UkHovw_KnALL for <avt@ietfa.amsl.com>; Wed, 22 Jul 2015 04:24:00 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70C7A1B2AF9 for <avt@ietf.org>; Wed, 22 Jul 2015 04:24:00 -0700 (PDT)
Received: from [31.133.176.150] (dhcp-b096.meeting.ietf.org [31.133.176.150]) (authenticated bits=0) by nostrum.com (8.15.2/8.14.9) with ESMTPSA id t6MBNlKl040027 (version=TLSv1 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 22 Jul 2015 06:23:49 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host dhcp-b096.meeting.ietf.org [31.133.176.150] claimed to be [31.133.176.150]
From: Ben Campbell <ben@nostrum.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Wed, 22 Jul 2015 13:23:41 +0200
Message-ID: <AEF2339A-7953-45BF-A8F4-1046B8A8E1EE@nostrum.com>
In-Reply-To: <55AF7CE0.3080400@cs.tcd.ie>
References: <3C4AAD4B5304AB44A6BA85173B4675CABC80F8F9@MSMR-GH1-UEA03.corp.nsa.gov> <B8FFC532-EC77-4FC3-B141-5BC0553E81E4@nostrum.com> <3C4AAD4B5304AB44A6BA85173B4675CABC80FB8D@MSMR-GH1-UEA03.corp.nsa.gov> <E2CFAEF9-A04F-4868-9819-DCA839E0788F@nostrum.com> <75B0FAB3-532C-45FB-905B-1A650AD8DA99@ericsson.com> <556DB2B8.6060307@ericsson.com> <5574A37B.9050609@cs.tcd.ie> <C5850A6F-0346-47A7-858A-85045AFEAD45@nostrum.com> <5591734E.4060805@cs.tcd.ie> <D75DDFFC-5A07-4EA2-A081-7D5E0DB85ABF@nostrum.com> <55AF7CE0.3080400@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.2r5107)
Archived-At: <http://mailarchive.ietf.org/arch/msg/avt/FICKMIpJgW36RY-N2yZK_uQOWv4>
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, Tim Polk <tim.polk@nist.gov>, avt@ietf.org, mcgrew@cisco.com
Subject: Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15: Issue with short tags
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 11:24:06 -0000
I think you already cleared, but you had mentioned re-reviewing after the short tag was removed :-) On 22 Jul 2015, at 13:22, Stephen Farrell wrote: > On 22/07/15 12:20, Ben Campbell wrote: >> Hi Stephen, >> >> It looks like version 17 removed the short tag. Do you still expect >> to >> re-review? > > Nope, will clear soon's I get a chance > S > >> >> Thanks! >> >> Ben. >> >> On 29 Jun 2015, at 18:33, Stephen Farrell wrote: >> >>> Hi Ben, >>> >>> Back from vacation... and I've cleared that. Happy to review >>> when the short tag stuff is taken out of course (and I support >>> taking that out). >>> >>> Cheers, >>> S. >>> >>> On 16/06/15 23:12, Ben Campbell wrote: >>>> Hi Stephen, >>>> >>>> If you are satisfied, please feel free to clear, unless you want to >>>> hold >>>> a discuss on the short tag issue itself. I will not approve until >>>> that >>>> (and some other things) are resolved. >>>> >>>> Thanks! >>>> >>>> Ben. >>>> On 7 Jun 2015, at 15:03, Stephen Farrell wrote: >>>> >>>>> Hi all, >>>>> >>>>> I currently have a discuss on this for a related reason that >>>>> would otherwise be cleared by -16. I also support removal of the >>>>> ciphersuite discussed below. >>>>> >>>>> So for Ben and chairs - I can either clear or keep my discuss >>>>> and am happy to do whichever you prefer - just let me know. >>>>> >>>>> Lastly - thanks all for your forbearance in putting up with me >>>>> trying to trim the list of ciphersuites at the last stage in >>>>> the process. >>>>> >>>>> Cheers, >>>>> S. >>>>> >>>>> >>>>> On 02/06/15 14:42, Magnus Westerlund wrote: >>>>>> WG, >>>>>> >>>>>> I have seen no reactions on this email from John. To my >>>>>> understanding >>>>>> this appears to be a real issue and without anyone disputing his >>>>>> claims >>>>>> I see the way forward is to request that the authors remove the >>>>>> ciphers >>>>>> with short tags. >>>>>> >>>>>> Cheers >>>>>> >>>>>> Magnus Westerlund >>>>>> (As WG chair) >>>>>> >>>>>> >>>>>> John Mattsson skrev den 2015-05-21 17:35: >>>>>>> Hi, >>>>>>> >>>>>>> My previous standpoint was that usage of GCM with short tags was >>>>>>> acceptable if the NIST requirements were followed. Thinking more >>>>>>> about the usage of GCM with short tags in general and the usage >>>>>>> of >>>>>>> GCM in SRTP in particular I have changed my mind. >>>>>>> >>>>>>> I do not think GCM with short tags (i.e. 64 bits) should be >>>>>>> standardized by IETF even if the NIST requirements are followed, >>>>>>> in >>>>>>> fact I think that NIST should revise SP 800-38D. >>>>>>> >>>>>>> I strongly recommend that AEAD_AES_128_GCM_8 is removed from >>>>>>> draft-ietf-avtcore-srtp-aes-gcm. >>>>>>> >>>>>>> (Note that this is only about GCM with short tags. I do fully >>>>>>> recommend GCM for usage with 128-bit tags. I believe that with >>>>>>> its >>>>>>> excellent performance and proven security, it should be the >>>>>>> first >>>>>>> choice for everybody wanting an AEAD algorithm.) >>>>>>> >>>>>>> >>>>>>> >>>>>>> General usage of GCM with short tags: >>>>>>> >>>>>>> Regarding the general usage of GCM with short tags, I wrote a >>>>>>> paper >>>>>>> suggesting improvements to, and analyzing the complexity of, >>>>>>> Ferguson’s method for authentication key recovery. In summary >>>>>>> the >>>>>>> security level (i.e. the effective key lengths) for GCM with >>>>>>> 64-bit >>>>>>> tags are 70–75 bits, far below not only the current NIST >>>>>>> requirement >>>>>>> of 112-bit security, but also the old NIST requirement of 80-bit >>>>>>> security. >>>>>>> >>>>>>> https://eprint.iacr.org/2015/477 >>>>>>> >>>>>>> Note that draft-ietf-avtcore-srtp-aes-gcm-15 does not follow the >>>>>>> NIST >>>>>>> requirements, it choses deliberately to ignore them. This means >>>>>>> that >>>>>>> the security level for 64-bit tags against authentication key >>>>>>> recovery is only 64 bits, down from the already low 70–75 bits >>>>>>> offered by the NIST specification. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Usage of GCM with short tags in SRTP: >>>>>>> >>>>>>> Regarding the usage of GCM in SRTP, Appendix C of SP 800-38D >>>>>>> lists >>>>>>> several guidelines for protocols using GCM with short tags. Two >>>>>>> of >>>>>>> these guidelines are that AAD should be limited to necessary >>>>>>> header >>>>>>> information and that protocols should not provide feedback >>>>>>> regarding >>>>>>> the integrity of individual packets. NIST then makes the >>>>>>> statement: >>>>>>> “An example of a protocol that meets these guidelines is >>>>>>> Secure >>>>>>> Real-time Transport Protocol carrying Voice over Internet >>>>>>> Protocol, >>>>>>> running over User Datagram Protocol”. This is not a correct >>>>>>> statement >>>>>>> and SRTP does in fact violate both of the guidelines mentioned >>>>>>> above: >>>>>>> >>>>>>> - The AAD is not at all limited. In RTP, the associated data >>>>>>> consists >>>>>>> of the RTP header, which is not limited as e.g. the header in >>>>>>> the TLS >>>>>>> record layer. The RTP header is extensible with proprietary >>>>>>> header >>>>>>> extensions carrying any type of information. In RTCP, the scope >>>>>>> of >>>>>>> the AAD depends on the encryption flag E. If the encryption flag >>>>>>> is >>>>>>> '1', the AAD data is limited to necessary header information, >>>>>>> but if >>>>>>> the encryption flag is '0', the AAD consists of the entire RTCP >>>>>>> packet. >>>>>>> >>>>>>> - RTCP receiver reports provide a wealth of information that can >>>>>>> be >>>>>>> used to determine the integrity of individual forged RTP >>>>>>> packages, >>>>>>> e.g. SSRC of the source, cumulative number of packets lost, >>>>>>> extended >>>>>>> highest sequence number received, last SR timestamp, and delay >>>>>>> since >>>>>>> last SR. The RTCP extension for port mapping [RFC6284] is even >>>>>>> worse >>>>>>> as it echoes back the 64-bit nonce received in the request. >>>>>>> >>>>>>> - RTP Rapid Synchronisation [RFC6051] is used, a forged Rapid >>>>>>> Resynchronisation Request results in a RTP header extension with >>>>>>> sync >>>>>>> information sent from the sender. >>>>>>> >>>>>>> - If the RTP header extension Client-to-Mixer Audio Level >>>>>>> Indication >>>>>>> [RFC6464] is used, a forged RTP packet with a high audio level >>>>>>> will >>>>>>> result in the MCU forwarding the SSRC. As the SSRC is not >>>>>>> encrypted, >>>>>>> this is easily detected by the attacker. >>>>>>> >>>>>>> Even if encryption of RTCP is mandated and specific RTP header >>>>>>> extensions and RTCP packets types are forbidden, an attacker may >>>>>>> still in many cases determine whether a forgery was successful >>>>>>> by >>>>>>> looking at the length of packets. Either by looking at the >>>>>>> length of >>>>>>> RTCP packets from the sender or by looking at the length of RTP >>>>>>> packets forwarded by an MCU. >>>>>>> >>>>>>> A further problem with SRTP and GCM is that SRTP is very often >>>>>>> used >>>>>>> in one-to-many scenarios. The maximum number of invocations of >>>>>>> each >>>>>>> instance of the authenticated decryption function would have to >>>>>>> be >>>>>>> restricted to q/r, where q is the maximum total number of >>>>>>> invocations >>>>>>> of the authenticated decryption function, and r is the total >>>>>>> number >>>>>>> of receivers, including any late joiners. >>>>>>> >>>>>>> All in all, SRTP does absolutely not meet the NIST guidelines >>>>>>> for >>>>>>> usage of GCM with short tags. >>>>>>> >>>>>>> Cheers, John >>>>>>> >>>>>> >>>>>> >>>>> >>>>> _______________________________________________ >>>>> Audio/Video Transport Core Maintenance >>>>> avt@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/avt
- [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15 Igoe, Kevin M.
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15 Magnus Westerlund
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15 Ben Campbell
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15 Igoe, Kevin M.
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15 Ben Campbell
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15 John Mattsson
- [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15: Iss… Magnus Westerlund
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15:… Stephen Farrell
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15:… Ben Campbell
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15:… Stephen Farrell
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15:… Ben Campbell
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15:… Stephen Farrell
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15:… Ben Campbell
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15:… Stephen Farrell
- Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15:… Ben Campbell