[AVTCORE] FW: Stephen Farrell's Discuss on draft-ietf-avtcore-srtp-aes-gcm-14: (with DISCUSS) - CCM as MTI?
"Roni Even" <ron.even.tlv@gmail.com> Sat, 27 December 2014 10:10 UTC
Return-Path: <ron.even.tlv@gmail.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18FB61AD4BF for <avt@ietfa.amsl.com>; Sat, 27 Dec 2014 02:10:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.854
X-Spam-Level: **
X-Spam-Status: No, score=2.854 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FRT_BELOW2=2.154, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6tClLUj66St for <avt@ietfa.amsl.com>; Sat, 27 Dec 2014 02:10:29 -0800 (PST)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C5A41AD4B9 for <avt@ietf.org>; Sat, 27 Dec 2014 02:10:28 -0800 (PST)
Received: by mail-wi0-f177.google.com with SMTP id l15so18443026wiw.10 for <avt@ietf.org>; Sat, 27 Dec 2014 02:10:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:message-id:mime-version:content-type :content-transfer-encoding:thread-index:content-language; bh=BMyhRHZn/KyH7vsRAr7QBT2YPb9c9wOOaWaTRg0yvwA=; b=gV+qbfDYCSph6AC2eLdja2RgGRA8rZEyI+WY07ViknCrrXbm/1jrt8HFP76/z8XYax jIg5pt0GZ56OnqWFkXeq6qAsEP1/Oux7tbGagZ051LJbgTqk9tzGZLC4QueDRTJ8iLNz qSSG4Z6RegPRz5tz20xcjFGxDj2tdYlmM2we0xbpSe+feymkfendqkil/GoZcdKxBQbp BoJpPqh8fg500VKgZkTanhI3P7hc3GC/uyEwhWWwpUOgGlxOtS3+d9sS5k+G3ntx/faC loc+Ih9YeelL81vm+lUSOiJBMyaw21oiPrOIc/Mn0JlgRK4SBmh8dfm2IPyJ/yH/TxtX 1WuQ==
X-Received: by 10.194.191.227 with SMTP id hb3mr90812807wjc.79.1419675027305; Sat, 27 Dec 2014 02:10:27 -0800 (PST)
Received: from RoniE (bzq-79-178-183-48.red.bezeqint.net. [79.178.183.48]) by mx.google.com with ESMTPSA id ep9sm31273609wid.3.2014.12.27.02.10.25 for <avt@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 27 Dec 2014 02:10:26 -0800 (PST)
From: Roni Even <ron.even.tlv@gmail.com>
To: avt@ietf.org
Date: Sat, 27 Dec 2014 12:10:21 +0200
Message-ID: <0ad601d021bd$5466e770$fd34b650$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdAhuOP88Q3h3n2pQ+2/2FCJE86Quw==
Content-Language: en-us
Archived-At: http://mailarchive.ietf.org/arch/msg/avt/_7WpYTDDPit_VtgXfoe2gBwOPFE
Subject: [AVTCORE] FW: Stephen Farrell's Discuss on draft-ietf-avtcore-srtp-aes-gcm-14: (with DISCUSS) - CCM as MTI?
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Dec 2014 10:10:32 -0000
Hi, The document has been in IESG review and there is an open discuss about the need for CCM as MTI. Since this has not been discussed on the AVTcore mailing list we have only response from David McGrew who is one of the authors. The discuss thread is given bellow The open question is if we want to keep CCM as MTI, make CCM optional or remove it from the document. I will appreciate any opinion so we can decide on way forward BTW; the original discuss is also https://datatracker.ietf.org/doc/draft-ietf-avtcore-srtp-aes-gcm/ballot/ but the issue to address is the need for CCM? Thanks Roni Even Hi Kevin, Following your format: 1a) I could buy both 128 and 256 being defined 1b) AFAIK CCM is in other protocols mainly due to IEEE h/w that can only do CCM, if that doesn't apply here (and why would it?) then I think GCM only should work 1c) goes away if you ditch CCM:-) 2) As per above, ditch CCM and its all easy:-) So - do we have real reasons to need CCM for this? CCM is preferable when short authentication tags are used, because it is less vulnerable to repeat-forgery attacks. If I remember right, I'm the person that put CCM there, and that's why. My experience with SRTP users makes me think that some will go for the shortest tag possible, and we should avoid security issues (and even the perception of security issues). So my question is whether all the options introduced as a direct result vs. that "less vulnerable" difference is really a good trade off if the complexity means that a bunch of folks won't use any of this. I think it is worthwhile to keep those definitions. The additional implementation work for the longer CCM tags is not much (assuming that we use CCM for a short tag). Do we have anyone who would scream if CCM were taken out for example? If not, isn't that, and the fact that CCM could be added later if really needed, indicative that taking it out now would be better? Another fair question to ask is: do we have anyone saying "I won't implement this specification unless CCM is removed"? Is that really as good a question? Isn't taking things out until no more can be taken out a better design principle? Granted, my question isn't really based on any technical argument. I asked it in response to your comment "if the complexity means that a bunch of folks won't use any of this". I had not heard anyone object to the complexity of including CCM in SRTP, so I was genuinely wondering. It is important that we don't dismiss the effort required to have CCM "added later"; That's outweighed significantly by implementer effort, I think you misunderstand my meaning here. In any case, if CCM were listed as optional, that would impose no cost implementers who didn't want CCM, while retaining the normative definition. and much moreso with CC/FIPS eval. Sorry, I don't understand about the CC/FIPS issue. Maybe I missed something, it is not a big deal to me. look how much time and effort has gone into the current draft. If people are really against having CCM being mandatory to implement, then CCM could be described as "optional" or something like that. But there is a lot of value in retaining the normative definitions as they have been crafted. To answer your question: I don't know anyone who would scream if CCM was taken out, except that there are people that want 8 byte authentication, and other people that think GCM should never be used for 8 byte authentication. Do we have list traffic to that effect? Be interested in pointers if so. On the need for short tags: SRTP currently allows four-byte HMAC authentication, and many people using that length will not want to move to eight, much less 16. There was discussion on the AVT list in the year before RFC 3711 was published. I know at least one person who will use the shortest tag length that the SRTP standard allows. I bet that asking on the AVTCORE list would reveal people who favor minimal overhead, who care most about VoIP, and VoIP over wireless. On the inapplicability of GCM for short authentication tags: see for instance Procter and Cid "On Weak Keys and Forgery Attacks against Polynomial-based MAC Schemes". If bet that asking on the CFRG list would get at least one person who would say that GCM should not be used with 8-byte tags. David Meanwhile, I'll think on it some more - I don't like the added options, but if I'm alone in that, then I'll likely get out of the way. As of now, I'm not sure if I'm alone in that or not. On 29/10/14 20:41, Igoe, Kevin M. wrote: On 20 October Stephen Farrell wrote: Before I move to a yes ballot, I want to chat about two things... (1)There are perhaps too many choices being offered here to be useful. It is very possible so much choice can harm interop and hence security. a) Do we *need* the 256 bit key options now? b) Is CCM really *needed* here? (Surprised the IEEE or h/w argument applies tbh) c) And why so many auth. tag lengths? Who really *needs* all of those? The DISCUSS point here is to validate that all of those options really *need* (as opposed to can) be defined, which may have been done already or may (and we have seen this) simply be a case of defining everything in the hope that something gets used. That can cause potential harm to interop. if different coders pick up different options. And the "but the USG will use all of these" is not IMO a sufficiently good argument for defining all of them - we also have experience with PKI that adding every option that the most complex deployments may want is not the recipe for success (e.g. with enrolment protocols). (2) Unless discuss point (1) results in there being only one remaining option, (which I doubt:-), which of the options specified here are MTI, and if you argue that that needs to be done elsewhere, then where will that be done? (We already had a major extended discussion about SRTP MTI things in general.) I would suggest that saying something like "128 bit GCM with a tag length of 16 MUST be implemented by any general purpose implementation of this specification" or something similar. 1.a (key sizes): Quoting chapter and verse, the NSA Mobility Capability Package, which can be found at https://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_Vers_2_0.pdf, lays out a requirement for a Suite B compliant implementation of SRTP. You'll be shocked to hear that my primary goal is supporting that requirement. The corresponding Mobile Fundamentals Protection Profile: https://www.niap-ccevs.org/pp/pp_md_v2.0.pdf contains the requirement for 256-bit key sizes after September 2015. So basically, both 128 bits (for the typical user) and 256 bits (for the truly paranoid user) are either being used now or will be used in the near future. 1.b. (Both GCM and CCM) You can probably tell from the title of the I-D what my personal preference is on this issue. But I haven't been appointed crypto czar, and in other protocols people I consider to be rational professionals have expressed a preference for CCM over GCM. Also, as mentioned below, only CCM can support the shortest allowable tag size (8 bytes). 1.c. (tag sizes) We can't have a "one size fits all" solution for SRTP due to the inherent conflict between latency and security. I put in a table in section 14.2 (which I'm certain is a paragon of clarity) laying out the various options. The level or risk (probability of a compromise) is very much dependent upon the application - some times the authentication is protecting a service of little value but one where even a single byte of additional data has a measurable impact, and sometimes the service being protected is of extraordinary value and the cost of a few more bytes of data [ales in comparison. byte of data impacts your performance. I believe the spectrum of tag size we support is needed to give the system integrator the flexibility needed to met their requirements. [ Note: the shortest tag size, 8 bytes, is only available with CCM]. 2. Default Mandatory to Implement Configuration We have four, one for CCM-126, one for CCM-256, one for GCM-128 and one for GCM-256. Yes I know, 4 != 1, but its close! ----------------+-------------------------------------------------- Kevin M. Igoe | "We can't solve problems by using the same kind kmigoe@nsa.gov | of thinking we used when we created them." | - Albert Einstein - ----------------+-------------------------------------------------- -----Original Message----- From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, October 29, 2014 8:28 AM To: The IESG Cc: avtcore-chairs@tools.ietf.org; draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org Subject: Stephen Farrell's Discuss on draft-ietf-avtcore-srtp-aes-gcm-14: (with DISCUSS) Stephen Farrell has entered the following ballot position for draft-ietf-avtcore-srtp-aes-gcm-14: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-avtcore-srtp-aes-gcm/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Before I move to a yes ballot, I want to chat about two things... (1) There are perhaps too many choices being offered here to be useful. It is very possible so much choice can harm interop and hence security. Do we *need* the 256 bit key options now? Is CCM really *needed* here? (Surprised the IEEE or h/w argument applies tbh) And why so many auth. tag lengths? Who really *needs* all of those? The DISCUSS point here is to validate that all of those options really *need* (as opposed to can) be defined, which may have been done already or may (and we have seen this) simply be a case of defining everything in the hope that something gets used. That can cause potential harm to interop. if different coders pick up different options. And the "but the USG will use all of these" is not IMO a sufficiently good argument for defining all of them - we also have experience with PKI that adding every option that the most complex deployments may want is not the recipe for success (e.g. with enrolment protocols). (2) Unless discuss point (1) results in there being only one remaining option, (which I doubt:-), which of the options specified here are MTI, and if you argue that that needs to be done elsewhere, then where will that be done? (We already had a major extended discussion about SRTP MTI things in general.) I would suggest that saying something like "128 bit GCM with a tag length of 16 MUST be implemented by any general purpose implementation of this specification" or something similar. Paging and Bottom Toolbar Previous Item Next Item Connected to Microsoft Exchange