[AVTCORE] Short Authentication tags in AES-GCM for SRTP

"Igoe, Kevin M." <kmigoe@nsa.gov> Fri, 19 June 2015 11:39 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/avt/VOAJlmbvKpIjOn706vzizocxv34>

After discussions with Magnus, we have decided it would be prudent to remove the option of short tags
 (8-octet) from AES-GCM.  Here is the reasoning:

  -  Appendix C of NIST 38-D tells us that using 8-octet tags with 2^k octet long packets constrains
    the number of packets that can be sent before the key is changed to 2^T where T = (109-3k)/2.
  -  Magnus points out that IPv6 will conceivably allow packets up to 2^32 octets in length.

Putting these two observations together we find that 2^32-octet-long IPv6 packets would only allow
2^6.5 = 90.5 packets/key.  Not at all practical.
I feel that pursuing the use of short tags with AES-GCM in SRTP is a losing proposition and wish to remove
them from the ID, only allowing the use of a full 16-byte tag.  Any objections?
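
Added example, not part of the original message: a check that the T = (109-3k)/2 rule quoted above reproduces the 64-bit-tag rows of NIST SP 800-38D Appendix C, and what it gives outside those rows, including the 2^32-octet case. The table rows are transcribed from that appendix; the function names and the 50 packets/second rate are assumptions made for illustration.

```python
from fractions import Fraction

# NIST SP 800-38D, Appendix C, 64-bit tag table, as (k, t) pairs:
# packets of at most 2^k bytes -> at most 2^t uses of the key.
NIST_TABLE_64BIT = [(15, 32), (17, 29), (19, 26), (21, 23), (23, 20), (25, 17)]


def log2_packet_limit(k):
    """T = (109 - 3k)/2 from the message, kept as an exact rational."""
    return Fraction(109 - 3 * k, 2)


def packets_per_key(k):
    """Per-key packet budget 2^T for packets of up to 2^k octets."""
    return 2.0 ** float(log2_packet_limit(k))


def formula_matches_table():
    """True if the formula reproduces every tabulated NIST row exactly."""
    return all(log2_packet_limit(k) == t for k, t in NIST_TABLE_64BIT)


def key_lifetime_seconds(k, packets_per_second):
    """Seconds until the budget is exhausted at a constant packet rate."""
    return packets_per_key(k) / packets_per_second


if __name__ == "__main__":
    print("formula matches NIST rows:", formula_matches_table())
    rate = 50  # assumed packets/second, e.g. 20 ms audio frames
    for k in (11, 15, 25, 32):
        t = log2_packet_limit(k)
        print(f"k={k:2d}  T={float(t):5.1f}  packets/key={packets_per_key(k):.4g}"
              f"  lifetime at {rate} pps={key_lifetime_seconds(k, rate):.4g} s")
```

Values for k outside 15..25 are extrapolations of the table by the formula, as in the message.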