Re: [AVTCORE] Stephen Farrell's Discuss on draft-ietf-avtcore-srtp-aes-gcm-14: (with DISCUSS)
John Mattsson <john.mattsson@ericsson.com> Wed, 11 February 2015 13:35 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D0981A88AD; Wed, 11 Feb 2015 05:35:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ST4vAzMo3y_b; Wed, 11 Feb 2015 05:35:44 -0800 (PST)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C88FC1A8899; Wed, 11 Feb 2015 05:35:42 -0800 (PST)
X-AuditID: c1b4fb30-f79106d000001184-04-54db5aac5465
Received: from ESESSHC003.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 69.AE.04484.CAA5BD45; Wed, 11 Feb 2015 14:35:40 +0100 (CET)
Received: from ESESSMB307.ericsson.se ([169.254.7.21]) by ESESSHC003.ericsson.se ([153.88.183.27]) with mapi id 14.03.0210.002; Wed, 11 Feb 2015 14:35:40 +0100
From: John Mattsson <john.mattsson@ericsson.com>
To: Alissa Cooper <alissa@cooperw.in>
Thread-Topic: [AVTCORE] Stephen Farrell's Discuss on draft-ietf-avtcore-srtp-aes-gcm-14: (with DISCUSS)
Thread-Index: AQHQQh5oJgFl6m3W+E63IOWS9grYL5zoLHSAgAC2aACAAPjAgIAAbZCAgAEhFAA=
Date: Wed, 11 Feb 2015 13:35:39 +0000
Message-ID: <F318B214-21B2-4CD0-A511-DAB6C05DACD6@ericsson.com>
References: <20141029122825.18943.78129.idtracker@ietfa.amsl.com> <3C4AAD4B5304AB44A6BA85173B4675CABC709A18@MSMR-GH1-UEA03.corp.nsa.gov> <545151F9.9050502@cs.tcd.ie> <B1821703-9D09-41C5-AAC1-5EBB9CE2ACC4@cisco.com> <54516572.8020601@cs.tcd.ie> <D825D4F3-26D3-49BE-9E32-0E4FFF89BC40@cisco.com> <5451737B.6060504@cs.tcd.ie> <2D4BE3ED-840A-444C-9D18-09BC3D937D64@cisco.com> <54CA135D.3020304@ericsson.com> <54D4D840.4080808@cs.tcd.ie> <54D8A297.9090505@ericsson.com> <54D93B9A.9090409@cs.tcd.ie> <54DA0C45.2030609@ericsson.com> <214AB7CA-19B4-4CB6-B60A-A31478FB00DD@cooperw.in>
In-Reply-To: <214AB7CA-19B4-4CB6-B60A-A31478FB00DD@cooperw.in>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.17]
Content-Type: multipart/alternative; boundary="_000_F318B21421B24CD0A511DAB6C05DACD6ericssoncom_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrFIsWRmVeSWpSXmKPExsUyM+Jvje6aqNshBnteallMP/OX0eJlz0p2 i5XfrrNarD2SaDHjz0Rmi6ur/rBbTN97jd2B3WPK742sHl+evGTyWNt9lc1jyZKfTB5fLn9m C2CN4rJJSc3JLEst0rdL4MpouHKJqWDyLuaK3l0dzA2Mf/8xdTFycEgImEi8nuTRxcgJZIpJ XLi3nq2LkYtDSOAIo8TjzR8YIZzFjBJr7rxhAqliEzCQmLungQ3EFhFQlbh67AdYB7PACyaJ 42uXMYIkhAUyJH72v2WFKMqUOPp2PpTtJ3H1+VJmEJsFqHnrtd/sIFfwCthL7OxjhVh2hUVi ypTtYHM4Bewkvq1dALaMEei876fWgB3BLCAucevJfCaIswUkluw5zwxhi0q8fPyPFeIzRYnl /XIQ5ckSfydtAzuBV0BQ4uTMJywTGEVnIZk0C0nZLCRlEHEDiffn5jND2NoSyxa+hrL1JTZ+ OcsIYVtLrGtvY0VWs4CRYxWjaHFqcVJuupGRXmpRZnJxcX6eXl5qySZGYGQf3PLbYAfjy+eO hxgFOBiVeHg3HL0VIsSaWFZcmXuIUZqDRUmc1874UIiQQHpiSWp2ampBalF8UWlOavEhRiYO TqkGxlrbqtiEjhc+Su4Kd/XDprZbf2nM3Sn0aNvUO7M/x3uzaqQn/F+SHjs1RM9CJt1xmSd3 6e15P3sXiqz6teH589qHIZW5GnfXdPbXb71++NHp196mS213n1l3bPUuk0gPh9cXp7ZKVlTr veb7d0I45PrSLSLn2J8/VoltT+vPmca2cLoOc8KGf0osxRmJhlrMRcWJAF6eUWvNAgAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/avt/UYNlBc9tm7r6q8I-A6iBsXxd-30>
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, "draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org" <draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org>, David McGrew <mcgrew@cisco.com>, IETF AVTCore WG <avt@ietf.org>, "avtcore-chairs@tools.ietf.org" <avtcore-chairs@tools.ietf.org>, IESG <iesg@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [AVTCORE] Stephen Farrell's Discuss on draft-ietf-avtcore-srtp-aes-gcm-14: (with DISCUSS)
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Feb 2015 13:35:48 -0000
My view is that we should standardize GCM and CCM as well as both 128-bit and 256-bit keys, but not necessarily all combinations. Having the option of 64-bit tags also makes a lot of sense. 10 protection profiles are a bit much. If I were to choose a bare minimum set of needed protection profiles, my choice would be: AEAD_AES_128_CCM_64 AEAD_AES_128_GCM_96 AEAD_AES_256_GCM Regarding 256-bit keys, there are such requirements for national security. I definitely think we should have a 256-bit option (and currently there are no such protection profile). I think users of 256-bit keys would like 128-bit tags and GCM. Regarding CCM, it is currently used mostly in constrained devices where it is a better fit that GCM. CCM_64 is currently the default TLS cipher suite for COAP. I think we should have an SRTP option for these devices and then CCM_64 makes sense. Regarding tag lengths, I don’t see the practical security need for long tag lengths, long authentication tags is less important in SRTP than in TLS or IPsec. Even 64-bit tags offer very good protection as an attacker would need to send 2^64 randomly forged messages before a single one (with a random plaintext) would be validated. Receiving 2^64 packages is far more serious then accepting 20 ms of random noise. I think 96-bit authentication tags make sense for most users of AES_128_GCM. (BTW, SRTP has only 4 registered protection profiles. TLS has 327 registered cipher suites! Why is IESG suddenly reacting when SRTP is getting some well-needed AEAD algorithms? ;) John On 10 Feb 2015, at 21:21, Alissa Cooper <alissa@cooperw.in<mailto:alissa@cooperw.in>> wrote: For scheduling purposes I put this on the agenda for the next informal (Feb 26 at 16:30 UTC) and have reached out to the authors separately to see if they are available. If it gets resolved before then we can remove it from the agenda. Alissa On Feb 10, 2015, at 5:48 AM, Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>> wrote: Hi, I would definitely want the authors to step in now and provide their reasoning for why these options have been included. On 2015-02-09 23:58, Stephen Farrell wrote: Hi Magnus, On 09/02/15 12:05, Magnus Westerlund wrote: Hi Stephen, (as individual) I also wished the WG was more active. Yep, hard to evaluate consensus with so few commenting. Thanks for the good analysis below, I'll respond here as I think that's better done in reverse order almost. - aes-128 in any flavour is good enough, there's IMO no pressing need for aes-256 here Despite that we have a definition for AES-256 for SRTP already and personally I find it a bit difficult to throw away work for something we are likely to going to need in the future. - gcm vs. ccm: those are functionally equivalent as far as this application is concerned I think - the only reason to have both is if one has to deal with systems that only support one and not the other; ccm is all that is available on some very constrained devices for essentially historical reasons and again I don't see why that is an issue here (it could be, but I don't recall anyone saying that it is - apologies if I've forgotten) Well, if I understand the security analysis then apparently CCM is less sensitive to a weak authentication, and could use the 64 bit authentication tag, while GCM needs a stronger one. Thus, from that perspective, if we at all are going to have a shorter authentication tag then 128 bits, then why not use the 64 bit CCM then as that is significant saving, rather than only four bytes for the GCM. - I tend to agree with you about the 192 label If I were correct in the above then all that'd be really needed is AEAD_AES_128_GCM = {TBD, TBD } AEAD_AES_128_GCM_12 = {TBD, TBD } I'd argue that 2 options vs. 10 options may lead to overall better security and interop. as there will be many systems and libraries with less code and hence fewer bugs. (It's credible to argue that code size reduction might outweigh adding aes-256 in a case where you don't worry about ciphertext being secure for decades.) I understand the desire to avoid proliferation here. I might not see the 256 bit keys in the same way. Make it clear that they are optional and that anyone supporting AES-GCM MUST support 128-bit keys. But based on the above reasoning if we are doing only AES-GCM then I rather see: AEAD_AES_128_GCM = {TBD, TBD } AEAD_AES_256_GCM = {TBD, TBD } If we based on my above argumentation think we should provide a short tag version then I think the set to define would become: AEAD_AES_128_CCM = {TBD, TBD } AEAD_AES_256_CCM = {TBD, TBD } AEAD_AES_128_CCM_64 = {TBD, TBD } AEAD_AES_256_CCM_64 = {TBD, TBD } Using Martin's suggestion for being consistent in bits vs bytes. If we continue to have so few folks engaging on this maybe the best way to handle it would be to talk about it on an IESG informal telechat if we can get you and David (and Russ) all on the call? (Or over a beer in Dallas I guess as that's also getting close and there a bunch of IESG calls coming up that are devotes to BoFs and the Dallas schedule.) Yes, unless we get more opinions now, I think the way forward is to go that road so that we can conclude. Cheers Magnus Westerlund ---------------------------------------------------------------------- Services, Media and Network features, Ericsson Research EAB/TXM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com> ---------------------------------------------------------------------- _______________________________________________ Audio/Video Transport Core Maintenance avt@ietf.org<mailto:avt@ietf.org> https://www.ietf.org/mailman/listinfo/avt
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Stephen Farrell
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Magnus Westerlund
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Magnus Westerlund
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Stephen Farrell
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Martin Thomson
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Magnus Westerlund
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Alissa Cooper
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… John Mattsson
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… David McGrew
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Magnus Westerlund
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Igoe, Kevin M.
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Mo Zanaty (mzanaty)
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Stephen Farrell
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… Mo Zanaty (mzanaty)
- Re: [AVTCORE] Stephen Farrell's Discuss on draft-… John Mattsson