[AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-16: Removing cipher with short (8 bytes) authentication tag

Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 10 June 2015 10:12 UTC

To: draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org
Cc: avt@ietf.org

Authors and WG,

I have heard no feedback on the raised issue and now this version comes 
along. I am not happy that a new version is submitted without prior 
discussion on the changes when we are at these stages.

Having looked at the changes and the updated discussion of the 
authentication tag, according to my understanding this section does 
nothing to resolve the raised security issues with short tags. Some 
statements also appear to be incorrect. For example:

Third paragraph, last sentence:

  "Note that silently discarding invalid packets blocks this attack."

This is not true in SRTP. Because a successful forgery can be used to 
trigger a response, e.g. sending an RTCP feedback packet or emitting an 
RTP header extension, thus allowing the attacker to use the receiver and 
sender as an oracle, and so utilizing the Ferguson attack to determine 
the authorization key.

Fourth Paragraph:

    NIST recommends mitigating this attack by limiting the number of
    packets sent to at most 2^37 before the keys must be changed.

Looking at the NIST SP-800-38D specification in section 8.3 I find the 
following regarding usage when you do not meet the requirements, which 
does apply to shortened tags:

"The total number of invocations of the authenticated encryption 
function shall not exceed 2^32, including all IV lengths and
all instances of the authenticated encryption function with
the given key."

Thus there are three errors in the above statement.

1. NIST requires, not recommends
2. The number of packets processed must not be larger than 2^32
3. The above says sent, but the NIST specification is for invocations, 
which will apply to a receiver. So if more than 2^32 packets for one RTP 
stream, valid or not, are processed in the receiver, the given key must 
not be used any more.

I think error 3 is very important to understand, as it sets very hard 
operational limits on SRTP. As the packets that matter are both the 
desired traffic and the attack traffic, one can reach this limit quite 
quickly. This also creates a denial of service possibility on the 
session, where an attacker sends bogus traffic simply to exhaust the 
allowed invocations. I am also worried about what this invocation limit 
means for group scenarios where multiple endpoints share the same key. 
This may further reduce the number of invocations by a factor 
corresponding to the number of participants.


My understanding of the situation is such that the Ferguson attack on 
AES-GCM authentication is possible with SRTP. Therefore, short 
authentication tags are simply unsafe with SRTP. Thus, we as a WG have no 
choice but to remove the short tags.

If anyone disagrees with this, you need to speak up before the 25th of June.

Regards

Magnus Westerlund
WG chair




internet-drafts@ietf.org wrote on 2015-06-05 15:36:
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>   This draft is a work item of the Audio/Video Transport Core Maintenance Working Group of the IETF.
>
>          Title           : AES-GCM Authenticated Encryption in Secure RTP (SRTP)
>          Authors         : David A. McGrew
>                            Kevin M. Igoe
>          Filename        : draft-ietf-avtcore-srtp-aes-gcm-16.txt
>          Pages           : 49
>          Date            : 2015-06-05
>
> Abstract:
>     This document defines how the AES-GCM Authenticated Encryption with
>     Associated Data family of algorithms can be used to provide
>     confidentiality and data authentication in the SRTP protocol.
>
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-avtcore-srtp-aes-gcm/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-16
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-avtcore-srtp-aes-gcm-16
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>


-- 

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
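An added example, not part of Magnus's message nor code from the draft, to make error 3 concrete: an SRTP-style receiver that enforces a per-key invocation budget the way the message reads NIST SP 800-38D section 8.3, charging every verify attempt (valid or bogus) rather than only the packets the sender chose to send. The 8-byte tag is HMAC-SHA-256 truncated to 8 bytes, an assumed stand-in for a truncated GCM tag so the example runs with the Python standard library only; the class and function names, the 160-byte payloads and the tiny budget are constructed for illustration.

```python
"""Per-key invocation budget for a short-tag SRTP receiver (added example).

Counts every invocation of the authenticated encryption/decryption function
with a key, valid packet or not, as the NIST text quoted in the message
says. The tag is truncated HMAC-SHA-256, a stand-in for a truncated GCM tag
(assumption: NOT GCM); the budget accounting is the point.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 8             # the short tag the message wants removed
NIST_LIMIT = 2 ** 32    # SP 800-38D 8.3 invocation limit per key, as quoted
RTP_HEADER_LEN = 12     # fixed RTP header, treated as associated data


class KeyExhausted(Exception):
    """The key has reached its invocation budget and must not be used further."""


class BudgetedKey:
    """Authentication key that charges one invocation per seal or verify attempt."""

    def __init__(self, key: bytes, max_invocations: int = NIST_LIMIT) -> None:
        self._key = key
        self.max_invocations = max_invocations
        self.invocations = 0

    def _charge(self) -> None:
        # Charged before any cryptographic work, so a failed verify still counts.
        if self.invocations >= self.max_invocations:
            raise KeyExhausted(f"key retired after {self.invocations} invocations")
        self.invocations += 1

    def _tag(self, header: bytes, payload: bytes) -> bytes:
        # Stand-in for the truncated GCM tag (assumption: not GCM).
        return hmac.new(self._key, header + payload, hashlib.sha256).digest()[:TAG_LEN]

    def seal(self, header: bytes, payload: bytes) -> bytes:
        """Sender side: one invocation per packet sent."""
        self._charge()
        return header + payload + self._tag(header, payload)

    def verify(self, packet: bytes) -> bool:
        """Receiver side: one invocation per packet processed, accepted or not.

        The return value is the oracle the message describes: an accepted
        forgery triggers observable behaviour (RTCP feedback, a header
        extension), so silently dropping the rejected ones hides nothing.
        """
        self._charge()
        header = packet[:RTP_HEADER_LEN]
        payload = packet[RTP_HEADER_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        return hmac.compare_digest(tag, self._tag(header, payload))


def rtp_header(seq: int, ssrc: int = 0x12345678, payload_type: int = 96) -> bytes:
    """Constructed RTP fixed header: V=2, PT, sequence number, timestamp, SSRC."""
    return struct.pack(">BBHII", 0x80, payload_type, seq & 0xFFFF,
                       (seq * 160) & 0xFFFFFFFF, ssrc)


def simulate(legit_packets: int, bogus_per_legit: int, budget: int) -> dict:
    """One sender and one receiver sharing a key, plus an attacker injecting
    bogus_per_legit random-tag packets ahead of each legitimate packet.

    Returns how many legitimate packets were accepted, how many bogus ones
    were dropped (each still costing an invocation), and the sequence number
    at which a key ran out of budget (None if it never did). The budget is
    deliberately tiny so the effect is visible.
    """
    master = os.urandom(16)  # constructed session key held by both ends
    sender = BudgetedKey(master, budget)
    receiver = BudgetedKey(master, budget)
    stats = {"accepted": 0, "dropped": 0, "forgeries": 0, "retired_at_seq": None}
    for seq in range(legit_packets):
        header = rtp_header(seq)
        try:
            packet = sender.seal(header, b"\x00" * 160)   # constructed 160-byte payload
            for _ in range(bogus_per_legit):
                forged = header + os.urandom(160) + os.urandom(TAG_LEN)
                if receiver.verify(forged):
                    stats["forgeries"] += 1                # ~2^-64 chance per attempt
                else:
                    stats["dropped"] += 1                  # rejected, but budget spent
            if receiver.verify(packet):
                stats["accepted"] += 1
        except KeyExhausted:
            stats["retired_at_seq"] = seq
            break
    return stats


if __name__ == "__main__":
    print("no attacker:", simulate(100, 0, 500))
    print("9 bogus per real packet:", simulate(100, 9, 500))
```

With a budget of 500 and nine bogus packets per real one, the receiver's key is retired at sequence number 50 after accepting only half of the stream, although the sender itself has used a tenth of its budget: the limit is consumed by what the receiver processes, not by what the sender sent. In a group that shares one key, every member's seals and verifies draw on the same counter, which is the further reduction the message worries about.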