IETF Logo Mail Archive

Re: [AVTCORE] Summary of discussion with IESG and call for consensus regarding AES-GCM draft

John Mattsson <john.mattsson@ericsson.com> Thu, 05 March 2015 18:56 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BFC31A7022 for <avt@ietfa.amsl.com>; Thu, 5 Mar 2015 10:56:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nALDYGj79oiO for <avt@ietfa.amsl.com>; Thu, 5 Mar 2015 10:56:17 -0800 (PST)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2337D1A1DFA for <avt@ietf.org>; Thu, 5 Mar 2015 10:56:15 -0800 (PST)
X-AuditID: c1b4fb25-f79b76d00000113a-3c-54f8a6cda59d
Received: from ESESSHC008.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id 3C.82.04410.DC6A8F45; Thu, 5 Mar 2015 19:56:14 +0100 (CET)
Received: from ESESSMB307.ericsson.se ([169.254.7.112]) by ESESSHC008.ericsson.se ([153.88.183.42]) with mapi id 14.03.0210.002; Thu, 5 Mar 2015 19:56:13 +0100
From: John Mattsson <john.mattsson@ericsson.com>
To: "Mo Zanaty (mzanaty)" <mzanaty@cisco.com>
Thread-Topic: [AVTCORE] Summary of discussion with IESG and call for consensus regarding AES-GCM draft
Thread-Index: AQHQVN+IDiuRyXO3Gk667nz/Zy+CcJ0M1ZWAgABf0gCAANSbgIAAGpHD///zswCAAAxIAIAADQgA
Date: Thu, 05 Mar 2015 18:56:13 +0000
Message-ID: <7686FF49-95BF-4638-9CBE-DF533F654D72@ericsson.com>
References: <54F44F2D.4060803@ericsson.com> <41578C3E-1AD2-4AFE-AC98-EEEC1BD77197@ericsson.com> <D11D217F.46FD4%mzanaty@cisco.com> <7303D044-CE4E-4ACF-B7F6-46D963CD1BC6@ericsson.com> <85733DA9-9EFA-4D91-A988-C207FC6ED24A@cisco.com> <BB863753-4A43-4338-886C-774DC0B4806B@ericsson.com> <D11DFD7E.4722D%mzanaty@cisco.com>
In-Reply-To: <D11DFD7E.4722D%mzanaty@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.150]
Content-Type: multipart/alternative; boundary="_000_7686FF4995BF46389CBEDF533F654D72ericssoncom_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprPIsWRmVeSWpSXmKPExsUyM+Jvje65ZT9CDJr6uC1e9qxkt1h7JNHi xYM5TA7MHlN+b2T1WLLkJ5PHl8uf2QKYo7hsUlJzMstSi/TtErgybhy8yVRwcTpjxcnVKxgb GA80MHYxcnJICJhITF43jx3CFpO4cG89WxcjF4eQwBFGiefTv7BCOIsZJS5cuARWxSZgIDF3 TwMbiC0ioCvx7vczRpAiZoH9jBL/X05lBUkIC6RLzF5xjxWiKENi1orpTBB2lMTy/iNgcRYB FYnbm86ADeIVsJe4tfcG1LZTTBL//s0AS3AK6EucP7MU7FZGoPu+n1oDNohZQFzi1pP5TBB3 C0gs2XOeGcIWlXj5+B8rhK0ksWL7JUaI+mSJf3f3M0EsE5Q4OfMJywRG0VlIRs1CUjYLSRlE 3EDi/bn5zBC2tsSyha+hbH2JjV/OMkLY1hKbLlxhQ1azgJFjFaNocWpxUm66kbFealFmcnFx fp5eXmrJJkZgjB7c8lt1B+PlN46HGAU4GJV4eAvyf4QIsSaWFVfmHmKU5mBREue1Mz4UIiSQ nliSmp2aWpBaFF9UmpNafIiRiYNTqoHRboa5WYLiZyWp6ivL+9eXh1ukmj2OCHX4Lxbaz/jz UdjnN41Pl4aZNS3S3XDR58Gvl2uMz9yYve73N9/QzE9HTlR/uBy1M4JTtWPC+d2WnV9OT+15 95U1Vs+eIzCEb/a2BxuK4x777w9a7DX1ScS/p2vS69S37Nsk/4LF5LXJ5cUHX9q0vbh8W4ml OCPRUIu5qDgRAMw9KEOyAgAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/avt/bpcYjLvqNRgTHG4j0PXYInWgcEY>
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, "draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org" <draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org>, IETF AVTCore WG <avt@ietf.org>
Subject: Re: [AVTCORE] Summary of discussion with IESG and call for consensus regarding AES-GCM draft
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 18:56:22 -0000

On 05 Mar 2015, at 19:09, Mo Zanaty (mzanaty) <mzanaty@cisco.com<mailto:mzanaty@cisco.com>> wrote:

Here is Table 2 from NIST SP 800-38D Appendix C.
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

Table 2: Constraints with 64-bit Tags
Maximum Combined Length of the Ciphertext and AAD In a Single Packet (bytes),
Maximum Invocations of the Authenticated Decryption Function
2^15, 2^32
2^17, 2^29
2^19, 2^26
2^21, 2^23
2^23, 2^20
2^25, 2^17

The last row with packet size of 2^25 bytes is not relevant for SRTP, so 2^17 packets per key makes no sense for SRTP. The relevant packet size is 2^10 bytes, which can be extrapolated from this table to be ~2^40 max invocations (packets), which already exceeds SRTCP key lifetime (2^31 packets) and approaches SRTP key lifetime (2^48 packets). The target probability of a single successful forgery after this max invocations of forged packets used to arrive at these recommendations is not specified, but can be deduced to be ~2^-18. If the target probability is 2^-10, both the SRTP and SRTCP key lifetimes are exceeded.

So even per NIST, there is no need to reduce SRTCP key lifetime, and SRTP key lifetime should only be reduced to 2^40 for 2^-18 target probability of a single successful forgery in this lifetime, or no need to reduce at all for 2^-10 target probability. I suggest the latter, no reduction in SRTP/SRTCP key lifetime.

Mo

I agree, that is a much better tradeoff (reducing the payload length instad of key lifetime). If there are applications using large payload lengths, they could chose a larger tag length.

On 05 Mar 2015, at 04:53, Mo Zanaty (mzanaty) <mzanaty@cisco.com<mailto:mzanaty@cisco.com>> wrote:
And this is only for hypothetical attacks which require auth fail feedback per packet which can’t be realized in SRTP.

I don’t know if we can make any strong feedback assumptions for RTP header extensions, they don't even require standardisation.

My suggestion would be to simply chose (2^15, 2^32), then we would follow NIST and could still send 2^47 B = 128 TB of data.

John


On 3/5/15, 12:25 PM, John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>> wrote:


On 05 Mar 2015, at 18:09, Mo Zanaty (mzanaty) <mzanaty@cisco.com<mailto:mzanaty@cisco.com>> wrote:

NIST does not say this. There must be some disconnect.

What do you mean with “this”?

NIST SP 800-38D, Appendix C says “For any implementation that supports 32-bit or 64-bit tags, one of the rows in Table 1 or Table 2, respectively, shall be enforced.”
and one of these rows in Table 2 is "Maximum Invocations of the Authenticated Decryption Function = 2^17”

John


Mo

On Mar 5, 2015, at 11:34 AM, John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>> wrote:


On 05 Mar 2015, at 04:53, Mo Zanaty (mzanaty) <mzanaty@cisco.com<mailto:mzanaty@cisco.com>> wrote:

Where did 2^17 come from?

Nist SP 800-38D, Appendix C (I assume Kevin chosed the longest length).

For packets around 1KB, the authentication tag strength is only reduced by 6 bits from 64 to 58 bits. SRTCP would rekey after 2^31 packets, giving a 2^-27 probability of a single successful forgery during the key lifetime if all 2^31 packets were forgeries. SRTP would theoretically rekey after 2^48 packets, giving a 2^-10 probability of a single successful forgery during the key lifetime if all 2^48 packets were forgeries, but in reality, SRTCP will always cause rekey first assuming at least 1 RTCP packet for every 2^17 RTP packets.

And this is only for hypothetical attacks which require auth fail feedback per packet which can’t be realized in SRTP. And it requires extreme packet rates causing a denial-of-service far worse than the impact of compromised auth. And even a successful attack can only forge random data since the decryption key is not compromised.

I see no reason to reduce key lifetime below other modes, even under the most paranoid security considerations. This is not a real-world vulnerability in SRTP applications. Thick tinfoil hats are good, but not so thick that they pin your head to the ground.

I’m fine with something like that, my only demand is that the draft does not silently ignore the NIST requirements. The draft uses NIST SP 800-38D as the reference for GCM (shouldn’t this be a normative reference just like RFC3610?)

We need to have the discussion you started above, and if the wg agrees, the draft needs to state that the strict NIST requirements does not apply to SRTP, explain why, and state which requirements this puts on packet lengths.

John

Mo


On 3/4/15, 5:10 PM, John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>> wrote:
On 02 Mar 2015, at 12:53, Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>> wrote:
2. The AES-GCM draft is proposed to contain the following configurations:
      AEAD_AES_128_GCM     (with 16 byte authentication tag)
      AEAD_AES_128_GCM_64  (with 8 byte authentication tag)
Is the proposal then to include the profile from draft-ietf-avtcore-srtp-aes-gcm-12 with a maximum key lifetime  of 2^17 packets? Just so that everybody understands that a rekey would be needed every 43 minutes for a codec with 20 ms payload size.

v2.23.0 | Report a Bug | By Email