IETF Logo Mail Archive

Re: [AVTCORE] Summary of discussion with IESG and call for consensus regarding AES-GCM draft

"Mo Zanaty (mzanaty)" <mzanaty@cisco.com> Thu, 05 March 2015 18:09 UTC

Return-Path: <mzanaty@cisco.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE8D11A3BA6 for <avt@ietfa.amsl.com>; Thu, 5 Mar 2015 10:09:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k8pQqmIX10Re for <avt@ietfa.amsl.com>; Thu, 5 Mar 2015 10:09:37 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 156541A6ED9 for <avt@ietf.org>; Thu, 5 Mar 2015 10:09:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=14609; q=dns/txt; s=iport; t=1425578976; x=1426788576; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=3Y28RHCPGq37/AjwnVleVwISP0loubTcBrL6GoGcMvY=; b=Y8O87+URALPvhX4L/AuDspyM68G3ovGY+LyIdT9CmOI5hHM43cLBH4JS ZZ1Bw6QLL2DTUjdcOz0T40cRs4VWD3qbtkuqgIsIBol/TpkjJyvtYmiPR zHLZiY5dk/UTTZg34xah4kasa16YLnaBaI8ufwXb/odNV07uBO8Hvo0c3 s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BzCQAjm/hU/51dJa1agkNDUloEuziEBIF6hXACgTpNAQEBAQEBfIQQAQECAh1cEAIBCD8HMhQRAgQOBYgvDdg6AQEBAQEBBAEBAQEBAQEbixeEDWEHhCsFkAeDY4VqgRo5jlqDQiOBfwMcFIE8bwGBAkF/AQEB
X-IronPort-AV: E=Sophos;i="5.11,348,1422921600"; d="scan'208,217";a="401287205"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-4.cisco.com with ESMTP; 05 Mar 2015 18:09:35 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id t25I9YTk021038 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 5 Mar 2015 18:09:35 GMT
Received: from xmb-rcd-x14.cisco.com ([169.254.4.229]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.03.0195.001; Thu, 5 Mar 2015 12:09:34 -0600
From: "Mo Zanaty (mzanaty)" <mzanaty@cisco.com>
To: John Mattsson <john.mattsson@ericsson.com>
Thread-Topic: [AVTCORE] Summary of discussion with IESG and call for consensus regarding AES-GCM draft
Thread-Index: AQHQV2+I9PDx2QxpQ0WgKiDld7L3YA==
Date: Thu, 05 Mar 2015 18:09:34 +0000
Message-ID: <D11DFD7E.4722D%mzanaty@cisco.com>
References: <54F44F2D.4060803@ericsson.com> <41578C3E-1AD2-4AFE-AC98-EEEC1BD77197@ericsson.com> <D11D217F.46FD4%mzanaty@cisco.com> <7303D044-CE4E-4ACF-B7F6-46D963CD1BC6@ericsson.com> <85733DA9-9EFA-4D91-A988-C207FC6ED24A@cisco.com> <BB863753-4A43-4338-886C-774DC0B4806B@ericsson.com>
In-Reply-To: <BB863753-4A43-4338-886C-774DC0B4806B@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.8.150116
x-originating-ip: [10.150.31.38]
Content-Type: multipart/alternative; boundary="_000_D11DFD7E4722Dmzanatyciscocom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/avt/arF8ZTLGZwBd03vB7oVJrRePizE>
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, "draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org" <draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org>, IETF AVTCore WG <avt@ietf.org>
Subject: Re: [AVTCORE] Summary of discussion with IESG and call for consensus regarding AES-GCM draft
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 18:09:44 -0000

Here is Table 2 from NIST SP 800-38D Appendix C.
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

Table 2: Constraints with 64-bit Tags
Maximum Combined Length of the Ciphertext and AAD In a Single Packet (bytes),
Maximum Invocations of the Authenticated Decryption Function
2^15, 2^32
2^17, 2^29
2^19, 2^26
2^21, 2^23
2^23, 2^20
2^25, 2^17

The last row with packet size of 2^25 bytes is not relevant for SRTP, so 2^17 packets per key makes no sense for SRTP. The relevant packet size is 2^10 bytes, which can be extrapolated from this table to be ~2^40 max invocations (packets), which already exceeds SRTCP key lifetime (2^31 packets) and approaches SRTP key lifetime (2^48 packets). The target probability of a single successful forgery after this max invocations of forged packets used to arrive at these recommendations is not specified, but can be deduced to be ~2^-18. If the target probability is 2^-10, both the SRTP and SRTCP key lifetimes are exceeded.

So even per NIST, there is no need to reduce SRTCP key lifetime, and SRTP key lifetime should only be reduced to 2^40 for 2^-18 target probability of a single successful forgery in this lifetime, or no need to reduce at all for 2^-10 target probability. I suggest the latter, no reduction in SRTP/SRTCP key lifetime.

Mo


On 3/5/15, 12:25 PM, John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>> wrote:


On 05 Mar 2015, at 18:09, Mo Zanaty (mzanaty) <mzanaty@cisco.com<mailto:mzanaty@cisco.com>> wrote:

NIST does not say this. There must be some disconnect.

What do you mean with “this”?

NIST SP 800-38D, Appendix C says “For any implementation that supports 32-bit or 64-bit tags, one of the rows in Table 1 or Table 2, respectively, shall be enforced.”
and one of these rows in Table 2 is "Maximum Invocations of the Authenticated Decryption Function = 2^17”

John


Mo

On Mar 5, 2015, at 11:34 AM, John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>> wrote:


On 05 Mar 2015, at 04:53, Mo Zanaty (mzanaty) <mzanaty@cisco.com<mailto:mzanaty@cisco.com>> wrote:

Where did 2^17 come from?

Nist SP 800-38D, Appendix C (I assume Kevin chosed the longest length).

For packets around 1KB, the authentication tag strength is only reduced by 6 bits from 64 to 58 bits. SRTCP would rekey after 2^31 packets, giving a 2^-27 probability of a single successful forgery during the key lifetime if all 2^31 packets were forgeries. SRTP would theoretically rekey after 2^48 packets, giving a 2^-10 probability of a single successful forgery during the key lifetime if all 2^48 packets were forgeries, but in reality, SRTCP will always cause rekey first assuming at least 1 RTCP packet for every 2^17 RTP packets.

And this is only for hypothetical attacks which require auth fail feedback per packet which can’t be realized in SRTP. And it requires extreme packet rates causing a denial-of-service far worse than the impact of compromised auth. And even a successful attack can only forge random data since the decryption key is not compromised.

I see no reason to reduce key lifetime below other modes, even under the most paranoid security considerations. This is not a real-world vulnerability in SRTP applications. Thick tinfoil hats are good, but not so thick that they pin your head to the ground.

I’m fine with something like that, my only demand is that the draft does not silently ignore the NIST requirements. The draft uses NIST SP 800-38D as the reference for GCM (shouldn’t this be a normative reference just like RFC3610?)

We need to have the discussion you started above, and if the wg agrees, the draft needs to state that the strict NIST requirements does not apply to SRTP, explain why, and state which requirements this puts on packet lengths.

John

Mo


On 3/4/15, 5:10 PM, John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>> wrote:
On 02 Mar 2015, at 12:53, Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>> wrote:
2. The AES-GCM draft is proposed to contain the following configurations:
      AEAD_AES_128_GCM     (with 16 byte authentication tag)
      AEAD_AES_128_GCM_64  (with 8 byte authentication tag)
Is the proposal then to include the profile from draft-ietf-avtcore-srtp-aes-gcm-12 with a maximum key lifetime  of 2^17 packets? Just so that everybody understands that a rekey would be needed every 43 minutes for a codec with 20 ms payload size.

v2.23.0 | Report a Bug | By Email