Re: [AVTCORE] FW: I-D Action: draft-ietf-avtcore-srtp-aes-gcm-11.txt
John Mattsson <john.mattsson@ericsson.com> Fri, 25 April 2014 08:05 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4F211A0484 for <avt@ietfa.amsl.com>; Fri, 25 Apr 2014 01:05:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gi8WZZRvdfkY for <avt@ietfa.amsl.com>; Fri, 25 Apr 2014 01:05:34 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) by ietfa.amsl.com (Postfix) with ESMTP id 3FFDC1A047D for <avt@ietf.org>; Fri, 25 Apr 2014 01:05:33 -0700 (PDT)
X-AuditID: c1b4fb30-f791c6d000005f7c-70-535a17466eb0
Received: from ESESSHC002.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 7C.EE.24444.6471A535; Fri, 25 Apr 2014 10:05:26 +0200 (CEST)
Received: from ESESSMB307.ericsson.se ([169.254.7.20]) by ESESSHC002.ericsson.se ([153.88.183.24]) with mapi id 14.03.0174.001; Fri, 25 Apr 2014 10:05:25 +0200
From: John Mattsson <john.mattsson@ericsson.com>
To: "Igoe, Kevin M." <kmigoe@nsa.gov>, "avt@ietf.org" <avt@ietf.org>
Thread-Topic: [AVTCORE] FW: I-D Action: draft-ietf-avtcore-srtp-aes-gcm-11.txt
Thread-Index: AQHPTbHspUAtozygJEipKqGk6BItqZr9E8iAgARm7oCAAFT1AIASt6KQgAkcgNCABHsrAA==
Date: Fri, 25 Apr 2014 08:05:25 +0000
Message-ID: <CF7FE113.147A2%john.mattsson@ericsson.com>
References: <3C4AAD4B5304AB44A6BA85173B4675CABAA34EF5@MSMR-GH1-UEA03.corp.nsa.gov>
In-Reply-To: <3C4AAD4B5304AB44A6BA85173B4675CABAA34EF5@MSMR-GH1-UEA03.corp.nsa.gov>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.1.140326
x-originating-ip: [153.88.183.19]
Content-Type: text/plain; charset="utf-8"
Content-ID: <6CD41220E59DCE4E8E2AEC723979648E@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmphkeLIzCtJLcpLzFFi42KZGfG3RtdNPCrY4OxUGYuXPSvZLSaces3q wOSxZMlPJo/+XS9ZA5iiuGxSUnMyy1KL9O0SuDL2nFjAUvCspuJE+1XmBsYzlV2MnBwSAiYS J28dZ4awxSQu3FvP1sXIxSEkcJRR4t/vzYwQzmJGiYNL77CBVLEJGEjM3dMAZosIuEhMnbeU EcQWFgiQ+PfrCytEPFBi86q/LBB2mMSemZ/ZQWwWAVWJ1Z9egm3jFTCXeDJxJVivkECQxL4/ X8FsToFgibW/zoHNZwS66PupNUwgNrOAuMStJ/OZIC4VkFiy5zzU1aISLx//A9srKqAn8e44 TI2iRPvTBqCZHEC9mhLrd+lDjLGWaPr8lgXCVpSY0v2QHeIcQYmTM5+wTGAUn4Vk2yyE7llI umch6Z6FpHsBI+sqRtHi1OKk3HQjI73Uoszk4uL8PL281JJNjMBoO7jlt8EOxpfPHQ8xCnAw KvHwFn+JDBZiTSwrrsw9xCjNwaIkzvvtrHuwkEB6YklqdmpqQWpRfFFpTmrxIUYmDk6pBkZ/ v6uFy449bblx0051WdIRv6Vuk8XaH6xzuvuuKIvnxOkT63tm/P4z5+jHcOXEeS+inni80uPx 44lo3erGbDu/aK/gVZ0H1yS19lk5vhD92Pz/vpPH1lNSfEkqJkcnu3Un3Il8uM5gwdINdgwq Jx/KL//24cX/j2JR274aGu0JXZnMsv/VK4YtSizFGYmGWsxFxYkA5YNrzpcCAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/avt/IATm5l5zyISiuPrhVdQZKDzLWRc
Subject: Re: [AVTCORE] FW: I-D Action: draft-ietf-avtcore-srtp-aes-gcm-11.txt
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Apr 2014 08:05:38 -0000
On 22/04/14 13:44, "Igoe, Kevin M." <kmigoe@nsa.gov> wrote: >Apologies to the mailing list. Apparently when I hit "reply to all" >avt@ietf.org wasn't included on the "To" list. Live and learn! > >> -----Original Message----- >> From: Igoe, Kevin M. >> Sent: Wednesday, April 16, 2014 12:53 PM >> To: 'John Mattsson' >> Subject: RE: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-aes-gcm- >> 11.txt >> >> John: >> >> Have you ever heard of the Journal of Irreproducible Results? >> When David and I reviewed the P MAX figures, neither of us could >> reproduce the logic that led to onee of the P MAX figures in the draft >> (I believe it was the CCM figure). >> >> Rather than risk publishing an erroneous figure, we decided to avoid >> the issue by removing all references to P MAX. The two figures we had >> calculated only differed by a few bytes and were vastly larger than the >> maximum data size one would see in SRTP. >> Apparently we missed at least one reference. Let me know where you >> found it and I will remove it. >> >> Mea culpa. Hi, Your draft does not mention the term “P_MAX” but it does talk about “Plaintext_len”, “C_MAX", and “block counter”, they are related. Further down in my post I referred to all places that I found that seem to violate the P_MAX value in RFC5116 (there might be more): > - [RFC5116] states that P_MAX is 2^24 - 1 octets for CCM. > > While your draft states > Section 6: P_MAX = 2^28 – 16 > Section 11: C_MAX = 2^28 > Section 14: Maximum block counter = 2^24-1 The exact formulation in your draft are: "Plaintext_len <= (2**28)-16” “C_MAX maximum ciphertext length per invocation GCM: MUST be <= 2^36-16 octets. CCM: MUST be <= 2^28 octets. ” “The block counter is incremented after each block key has been produced, but it MUST NOT be allowed to exceed 2^32-1 for GCM and 2^24-1 for CCM." Hope this helps. John >> >> >> > -----Original Message----- >> > From: avt [mailto:avt-bounces@ietf.org] On Behalf Of John Mattsson >> > Sent: Friday, April 04, 2014 10:42 AM >> > To: avt@ietf.org >> > Subject: Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-aes-gcm- >> > 11.txt >> > >> > After checking more carefully I see that some of my previous comments >> > were only partly fixed. >> > >> > The P_MAX misalignment (or?) with RFC5116 needs to be addressed in >> > some way. >> > >> > Cheers John >> > >> > >> > Previous comments not addressed or only partly fixed >> > --------------------- >> > >> > - [RFC5116] states that P_MAX is 2^24 - 1 octets for CCM. >> > >> > While your draft states >> > Section 6: P_MAX = 2^28 – 16 >> > Section 11: C_MAX = 2^28 >> > Section 14: Maximum block counter = 2^24-1 >> > >> > After reading the NIST specification for CCM I see that P_MAX is not >> > only bound by the length of the block counter but also the variable >> q, >> > which in >> > RFC5116 is set to 3 => P_MAX < 2^24 - 1 octets. The values in RFC5116 >> > therefore seem correct to me and must not be exceeded (unless you >> > increase q). >> > >> > The values in your draft should therefore probably be (assuming you >> > want block length alignment): >> > >> > P_MAX (and keystream) = 2^24-16 octets C_MAX = 2^24 octets Maximum >> > block counter = 2^20-1 >> > >> > As you have not fixed this, can you please comment how the values are >> > in line with RFC5116? Unless they are, this needs to be addressed in >> > some way. >> > >> > > - The values for the maximum number on invocations (2^48 and 2^31) >> > for >> > > GCM_8 do not seem to agree with the constraints in Appendix C of >> > > 800-38D. This seems to be missing in RFC5285 as well. >> > >> > You have only updated parts of the document. Section 11 and Section >> > 13.1, still has (2^48 and 2^31) for GCM_8 and GCM in general. Maybe >> > add a specific value for GCM_8 in section 11. >> > >> > > - The values for the maximum Ciphertext length for GCM_8 do not >> seem >> > > to agree with the constraints in Appendix C of 800-38D: "For any >> > > implementation that supports 32-bit or 64-bit tags, one of the rows >> > in >> > > Table 1 or Table 2, respectively, shall be enforced." This seems to >> > be >> > > missing in RFC5285 as well. >> > >> > To be more specific, I mean the general GCM value 2^36-16 given in >> > Section 11. Maybe add a specific value for GCM_8. >> > >> > > - [s9.2, s10.2, s10.3] The SRT(C)P MKI and the SRT(C)P >> > > authentication tag both have variable lengths (i.e. not 32 bit). >> > >> > 10.2 still states: “The 32-bit optional SRTCP MKI index and 32-bit >> > SRTCP authentication tag” >> > >> > > - [Figure 2,4,5] I suggest writing "SRTP authentication tag" and >> > > "SRTCP authentication tag" instead of just "authentication tag". >> > >> > Figure 6 still has “authentication tag” instead of “SRTCP >> > authentication tag” >> > >> > > - [s13] In the tables, shouldn’t ”Default key lifetime” be ”Maximum >> > > key lifetime” >> > >> > You made this change in 13.2 but not in 13.1 >> > >> > > - [s15.3] If there is a default key length, there should also be a >> > > default "AEAD authentication tag length" >> > >> > You have instead added “Default Auth Tag Length” = 16, which I think >> > is wrong. The default “Authentication tag length” when using AEAD >> > should be 0. >> > >> > > - [s17] If you would like to thank my Ericsson colleagues, their >> > names >> > > are "Westerlund" and "Ohlsson" >> > >> > >> > >> > >> > >> > >> > On 04/04/14 11:37, "John Mattsson" <john.mattsson@ericsson.com> >> wrote: >> > >> > >Hi, >> > > >> > >In general I think this updated version looks good! >> > > >> > >I’ll have at least one remaining issue (relating to RFC5116) that I >> > >commented on before and did not get any reply on, but I’ll make a >> > >separate post about that when I have looked through my previous >> > comments. >> > > >> > >Cheers John >> > > >> > > >> > >Here are some comments on the new text: >> > >-------------------------------------------------------------------- >> - >> > > >> > >- [s3] “AES-GCM and AES-CCM to work with SDES, DTLS and MIKEY” >> > > >> > >-> “AES-GCM and AES-CCM to work with SDES, DTLS-SRTP and MIKEY” >> > > >> > >- [s9.2] “Payload Type PT (8 bits)” >> > >-> “Payload Type PT (7 bits)” >> > > >> > >- [s10.4] “SRTCP cycles back to the starting value” >> > >-> “SRTCP index cycles back to the starting value” >> > > >> > >- “SRTCP MKI”, is for some reason called “SRTCP MKI index”? >> > > >> > >- “optional” and “OPTIONAL” is both used in the figures: >> > > >> > >“SRTP MKI (OPTIONAL)” >> > >“SRTCP MKI (optional)” >> > >“contributing source (CSRC) identifiers (optional)” >> > >“RTP extension (OPTIONAL)” >> > > >> > >- [s14.1] “IV uniqueness is ensured by the inclusion of >> > SSRC/ROC/SEQ or >> > >SRTCP Index in the IV” >> > > >> > >As SSRC is used even for SRTCP, maybe better to write “SSRC/ROC/SEQ >> > >or SSRC/SRTCP Index” >> > > >> > >- [s14.1] “the first block of key produced” >> > >->“the first block of keystream produced” >> > > >> > >- [Table 15] For 16 byte tags, the values for CCM and GCM are >> swapped. >> > > >> > > >> > > >> > >------------------------------------------------------------- >> > > >> > >JOHN MATTSSON >> > >MSc Engineering Physics, MSc Business Administration and Economics >> > >Ericsson IETF Security Coordinator Senior Researcher, Security >> > > >> > >Ericsson AB >> > >Security Research >> > >Färögatan 6 >> > >SE-164 80 Stockholm, Sweden >> > >Phone +46 10 71 43 501 >> > >SMS/MMS +46 76 11 53 501 >> > >john.mattsson@ericsson.com >> > >www.ericsson.com <http://www.ericsson.com/> >> > > >> > > >> > > >> > > >> > > >> > > >> > >On 01/04/14 16:24, "Magnus Westerlund" >> > <magnus.westerlund@ericsson.com> >> > >wrote: >> > > >> > >>WG, >> > >> >> > >>As result of the AD review and some comments within the WG, a >> number >> > >>of changes has been done to this document. I will let the authors >> > >>comment on what changes has been done. >> > >> >> > >>Anyway, before progressing to IETF last call, I like to have the WG >> > >>have one week until the 8th of April to review the changes to this >> > document. >> > >>So please any comments on these changes as soon as possible. >> > >> >> > >>Cheers >> > >> >> > >>Magnus >> > >> >> > >>On 2014-04-01 15:54, internet-drafts@ietf.org wrote: >> > >>> >> > >>> A New Internet-Draft is available from the on-line Internet- >> Drafts >> > >>>directories. >> > >>> This draft is a work item of the Audio/Video Transport Core >> > >>>Maintenance Working Group of the IETF. >> > >>> >> > >>> Title : AES-GCM and AES-CCM Authenticated >> > Encryption >> > >>>in Secure RTP (SRTP) >> > >>> Authors : David A. McGrew >> > >>> Kevin M. Igoe >> > >>> Filename : draft-ietf-avtcore-srtp-aes-gcm-11.txt >> > >>> Pages : 36 >> > >>> Date : 2014-04-01 >> > >>> >> > >>> Abstract: >> > >>> This document defines how AES-GCM and AES-CCM Authenticated >> > >>> Encryption with Associated Data algorithms can be used to >> > provide >> > >>> confidentiality and data authentication in the SRTP protocol. >> > >>> >> > >>> >> > >>> >> > >>> The IETF datatracker status page for this draft is: >> > >>> https://datatracker.ietf.org/doc/draft-ietf-avtcore-srtp-aes-gcm/ >> > >>> >> > >>> There's also a htmlized version available at: >> > >>> http://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-11 >> > >>> >> > >>> A diff from the previous version is available at: >> > >>> http://www.ietf.org/rfcdiff?url2=draft-ietf-avtcore-srtp-aes-gcm- >> 1 >> > >>> 1 >> > >>> >> > >>> >> > >>> Please note that it may take a couple of minutes from the time of >> > >>>submission until the htmlized version and diff are available at >> > >>>tools.ietf.org. >> > >>> >> > >>> Internet-Drafts are also available by anonymous FTP at: >> > >>> ftp://ftp.ietf.org/internet-drafts/ >> > >>> >> > >>> _______________________________________________ >> > >>> Audio/Video Transport Core Maintenance avt@ietf.org >> > >>> https://www.ietf.org/mailman/listinfo/avt >> > >>> >> > >>> >> > >> >> > >> >> > >>-- >> > >> >> > >>Magnus Westerlund >> > >> >> > >>------------------------------------------------------------------- >> - >> > >>- >> > - >> > >>Services, Media and Network features, Ericsson Research EAB/TXM >> > >>------------------------------------------------------------------- >> - >> > >>- >> > - >> > >>Ericsson AB | Phone +46 10 7148287 >> > >>Färögatan 6 | Mobile +46 73 0949079 >> > >>SE-164 80 Stockholm, Sweden | mailto: >> magnus.westerlund@ericsson.com >> > >>------------------------------------------------------------------- >> - >> > >>- >> > - >> > >> >> > >>_______________________________________________ >> > >>Audio/Video Transport Core Maintenance avt@ietf.org >> > >>https://www.ietf.org/mailman/listinfo/avt >> > > >> > >> > _______________________________________________ >> > Audio/Video Transport Core Maintenance avt@ietf.org >> > https://www.ietf.org/mailman/listinfo/avt >_______________________________________________ >Audio/Video Transport Core Maintenance >avt@ietf.org >https://www.ietf.org/mailman/listinfo/avt
- [AVTCORE] I-D Action: draft-ietf-avtcore-srtp-aes… internet-drafts
- Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp… Magnus Westerlund
- Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp… John Mattsson
- Re: [AVTCORE] I-D Action: draft-ietf-avtcore-srtp… John Mattsson
- [AVTCORE] FW: I-D Action: draft-ietf-avtcore-srtp… Igoe, Kevin M.
- Re: [AVTCORE] FW: I-D Action: draft-ietf-avtcore-… John Mattsson
- Re: [AVTCORE] FW: I-D Action: draft-ietf-avtcore-… Igoe, Kevin M.