Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15: Issue with short tags

"Ben Campbell" <ben@nostrum.com> Wed, 22 July 2015 11:20 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 262701B2A8A for <avt@ietfa.amsl.com>; Wed, 22 Jul 2015 04:20:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r7ozAHDf1Sy0 for <avt@ietfa.amsl.com>; Wed, 22 Jul 2015 04:20:48 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0C4C1B2A68 for <avt@ietf.org>; Wed, 22 Jul 2015 04:20:48 -0700 (PDT)
Received: from [31.133.176.150] (dhcp-b096.meeting.ietf.org [31.133.176.150]) (authenticated bits=0) by nostrum.com (8.15.2/8.14.9) with ESMTPSA id t6MBKWAL039743 (version=TLSv1 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 22 Jul 2015 06:20:34 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host dhcp-b096.meeting.ietf.org [31.133.176.150] claimed to be [31.133.176.150]
From: Ben Campbell <ben@nostrum.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Wed, 22 Jul 2015 13:20:27 +0200
Message-ID: <D75DDFFC-5A07-4EA2-A081-7D5E0DB85ABF@nostrum.com>
In-Reply-To: <5591734E.4060805@cs.tcd.ie>
References: <3C4AAD4B5304AB44A6BA85173B4675CABC80F8F9@MSMR-GH1-UEA03.corp.nsa.gov> <B8FFC532-EC77-4FC3-B141-5BC0553E81E4@nostrum.com> <3C4AAD4B5304AB44A6BA85173B4675CABC80FB8D@MSMR-GH1-UEA03.corp.nsa.gov> <E2CFAEF9-A04F-4868-9819-DCA839E0788F@nostrum.com> <75B0FAB3-532C-45FB-905B-1A650AD8DA99@ericsson.com> <556DB2B8.6060307@ericsson.com> <5574A37B.9050609@cs.tcd.ie> <C5850A6F-0346-47A7-858A-85045AFEAD45@nostrum.com> <5591734E.4060805@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.2r5107)
Archived-At: <http://mailarchive.ietf.org/arch/msg/avt/Qw7croy5ol3mEuQS1jDdMgv5UXo>
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, Tim Polk <tim.polk@nist.gov>, avt@ietf.org, mcgrew@cisco.com
Subject: Re: [AVTCORE] draft-ietf-avtcore-srtp-aes-gcm-15: Issue with short tags
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 11:20:51 -0000

Hi Stephen,

It looks like version 17 removed the short tag. Do you still expect to 
re-review?

Thanks!

Ben.

On 29 Jun 2015, at 18:33, Stephen Farrell wrote:

> Hi Ben,
>
> Back from vacation... and I've cleared that. Happy to review
> when the short tag stuff is taken out of course (and I support
> taking that out).
>
> Cheers,
> S.
>
> On 16/06/15 23:12, Ben Campbell wrote:
>> Hi Stephen,
>>
>> If you are satisfied, please feel free to clear, unless you want to 
>> hold
>> a discuss on the short tag issue itself. I will not approve until 
>> that
>> (and some other things) are resolved.
>>
>> Thanks!
>>
>> Ben.
>> On 7 Jun 2015, at 15:03, Stephen Farrell wrote:
>>
>>> Hi all,
>>>
>>> I currently have a discuss on this for a related reason that
>>> would otherwise be cleared by -16. I also support removal of the
>>> ciphersuite discussed below.
>>>
>>> So for Ben and chairs - I can either clear or keep my discuss
>>> and am happy to do whichever you prefer - just let me know.
>>>
>>> Lastly - thanks all for your forbearance in putting up with me
>>> trying to trim the list of ciphersuites at the last stage in
>>> the process.
>>>
>>> Cheers,
>>> S.
>>>
>>>
>>> On 02/06/15 14:42, Magnus Westerlund wrote:
>>>> WG,
>>>>
>>>> I have seen no reactions on this email from John. To my 
>>>> understanding
>>>> this appears to be a real issue and without anyone disputing his 
>>>> claims
>>>> I see the way forward is to request that the authors remove the 
>>>> ciphers
>>>> with short tags.
>>>>
>>>> Cheers
>>>>
>>>> Magnus Westerlund
>>>> (As WG chair)
>>>>
>>>>
>>>> John Mattsson skrev den 2015-05-21 17:35:
>>>>> Hi,
>>>>>
>>>>> My previous standpoint was that usage of GCM with short tags was
>>>>> acceptable if the NIST requirements were followed. Thinking more
>>>>> about the usage of GCM with short tags in general and the usage of
>>>>> GCM in SRTP in particular I have changed my mind.
>>>>>
>>>>> I do not think GCM with short tags (i.e. 64 bits) should be
>>>>> standardized by IETF even if the NIST requirements are followed, 
>>>>> in
>>>>> fact I think that NIST should revise SP 800-38D.
>>>>>
>>>>> I strongly recommend that AEAD_AES_128_GCM_8 is removed from
>>>>> draft-ietf-avtcore-srtp-aes-gcm.
>>>>>
>>>>> (Note that this is only about GCM with short tags. I do fully
>>>>> recommend GCM for usage with 128-bit tags. I believe that with its
>>>>> excellent performance and proven security, it should be the first
>>>>> choice for everybody wanting an AEAD algorithm.)
>>>>>
>>>>>
>>>>>
>>>>> General usage of GCM with short tags:
>>>>>
>>>>> Regarding the general usage of GCM with short tags, I wrote a 
>>>>> paper
>>>>> suggesting improvements to, and analyzing the complexity of,
>>>>> Ferguson’s method for authentication key recovery. In summary 
>>>>> the
>>>>> security level (i.e. the effective key lengths) for GCM with 
>>>>> 64-bit
>>>>> tags are 70–75 bits, far below not only the current NIST 
>>>>> requirement
>>>>> of 112-bit security, but also the old NIST requirement of 80-bit
>>>>> security.
>>>>>
>>>>> https://eprint.iacr.org/2015/477
>>>>>
>>>>> Note that draft-ietf-avtcore-srtp-aes-gcm-15 does not follow the 
>>>>> NIST
>>>>> requirements, it choses deliberately to ignore them. This means 
>>>>> that
>>>>> the security level for 64-bit tags against authentication key
>>>>> recovery is only 64 bits, down from the already low 70–75 bits
>>>>> offered by the NIST specification.
>>>>>
>>>>>
>>>>>
>>>>> Usage of GCM with short tags in SRTP:
>>>>>
>>>>> Regarding the usage of GCM in SRTP, Appendix C of SP 800-38D lists
>>>>> several guidelines for protocols using GCM with short tags. Two of
>>>>> these guidelines are that AAD should be limited to necessary 
>>>>> header
>>>>> information and that protocols should not provide feedback 
>>>>> regarding
>>>>> the integrity of individual packets. NIST then makes the 
>>>>> statement:
>>>>> “An example of a protocol that meets these guidelines is Secure
>>>>> Real-time Transport Protocol carrying Voice over Internet 
>>>>> Protocol,
>>>>> running over User Datagram Protocol”. This is not a correct 
>>>>> statement
>>>>> and SRTP does in fact violate both of the guidelines mentioned
>>>>> above:
>>>>>
>>>>> - The AAD is not at all limited. In RTP, the associated data 
>>>>> consists
>>>>> of the RTP header, which is not limited as e.g. the header in the 
>>>>> TLS
>>>>> record layer. The RTP header is extensible with proprietary header
>>>>> extensions carrying any type of information. In RTCP, the scope of
>>>>> the AAD depends on the encryption flag E. If the encryption flag 
>>>>> is
>>>>> '1', the AAD data is limited to necessary header information, but 
>>>>> if
>>>>> the encryption flag is '0', the AAD consists of the entire RTCP
>>>>> packet.
>>>>>
>>>>> - RTCP receiver reports provide a wealth of information that can 
>>>>> be
>>>>> used to determine the integrity of individual forged RTP packages,
>>>>> e.g. SSRC of the source, cumulative number of packets lost, 
>>>>> extended
>>>>> highest sequence number received, last SR timestamp, and delay 
>>>>> since
>>>>> last SR. The RTCP extension for port mapping [RFC6284] is even 
>>>>> worse
>>>>> as it echoes back the 64-bit nonce received in the request.
>>>>>
>>>>> - RTP Rapid Synchronisation [RFC6051] is used, a forged Rapid
>>>>> Resynchronisation Request results in a RTP header extension with 
>>>>> sync
>>>>> information sent from the sender.
>>>>>
>>>>> - If the RTP header extension Client-to-Mixer Audio Level 
>>>>> Indication
>>>>> [RFC6464] is used, a forged RTP packet with a high audio level 
>>>>> will
>>>>> result in the MCU forwarding the SSRC. As the SSRC is not 
>>>>> encrypted,
>>>>> this is easily detected by the attacker.
>>>>>
>>>>> Even if encryption of RTCP is mandated and specific RTP header
>>>>> extensions and RTCP packets types are forbidden, an attacker may
>>>>> still in many cases determine whether a forgery was successful by
>>>>> looking at the length of packets. Either by looking at the length 
>>>>> of
>>>>> RTCP packets from the sender or by looking at the length of RTP
>>>>> packets forwarded by an MCU.
>>>>>
>>>>> A further problem with SRTP and GCM is that SRTP is very often 
>>>>> used
>>>>> in one-to-many scenarios. The maximum number of invocations of 
>>>>> each
>>>>> instance of the authenticated decryption function would have to be
>>>>> restricted to q/r, where q is the maximum total number of 
>>>>> invocations
>>>>> of the authenticated decryption function, and r is the total 
>>>>> number
>>>>> of receivers, including any late joiners.
>>>>>
>>>>> All in all, SRTP does absolutely not meet the NIST guidelines for
>>>>> usage of GCM with short tags.
>>>>>
>>>>> Cheers, John
>>>>>
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Audio/Video Transport Core Maintenance
>>> avt@ietf.org
>>> https://www.ietf.org/mailman/listinfo/avt