IETF Logo Mail Archive

Re: [AVTCORE] Summary of discussion with IESG and call for consensus regarding AES-GCM draft

"Mo Zanaty (mzanaty)" <mzanaty@cisco.com> Thu, 05 March 2015 03:53 UTC

Return-Path: <mzanaty@cisco.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC6BF1A8BB6 for <avt@ietfa.amsl.com>; Wed, 4 Mar 2015 19:53:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lt3EPuvtoVbl for <avt@ietfa.amsl.com>; Wed, 4 Mar 2015 19:53:38 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 703671A0196 for <avt@ietf.org>; Wed, 4 Mar 2015 19:53:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5305; q=dns/txt; s=iport; t=1425527619; x=1426737219; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=WZC+XueiChGiJSFIqv7HmZU4t3mPel6kYkjcrlgI1bw=; b=aTV0G+cF4p+/4oM3R8p0LyrJKDPQoKHLyO9wkiFKFmLO7hUbnYl+/epp y/M1CLn8AstJcslmf2Q5NfI4enBXqF/Y/6k11DypZQ5RVjhMFEX/Sx+IW UG00jJ5L2e2FG5VGikNvLwWHHABiZI2w/qRlMHgYCNrAwGYgF/D2r2OJw 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BlBgCO0vdU/5pdJa1agj9DgSwEuyOLagKBJU0BAQEBAQF8hBABAQQdXBACAQgEOwcyFBECBAENBYgv12IBAQEBAQEBAQEBAQEBAQEBAQEBAQEXixKEbgeEKwWQA4lNgRqPEINAI4ICHBSBPG+BRH8BAQE
X-IronPort-AV: E=Sophos;i="5.11,344,1422921600"; d="scan'208,217";a="401101078"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-4.cisco.com with ESMTP; 05 Mar 2015 03:53:38 +0000
Received: from xhc-aln-x14.cisco.com (xhc-aln-x14.cisco.com [173.36.12.88]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id t253rbjf028348 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 5 Mar 2015 03:53:37 GMT
Received: from xmb-rcd-x14.cisco.com ([169.254.4.229]) by xhc-aln-x14.cisco.com ([173.36.12.88]) with mapi id 14.03.0195.001; Wed, 4 Mar 2015 21:53:37 -0600
From: "Mo Zanaty (mzanaty)" <mzanaty@cisco.com>
To: John Mattsson <john.mattsson@ericsson.com>, Magnus Westerlund <magnus.westerlund@ericsson.com>
Thread-Topic: [AVTCORE] Summary of discussion with IESG and call for consensus regarding AES-GCM draft
Thread-Index: AQHQVvf1DX7Y91PEn0msP6xfx67VHw==
Date: Thu, 05 Mar 2015 03:53:36 +0000
Message-ID: <D11D217F.46FD4%mzanaty@cisco.com>
References: <54F44F2D.4060803@ericsson.com> <41578C3E-1AD2-4AFE-AC98-EEEC1BD77197@ericsson.com>
In-Reply-To: <41578C3E-1AD2-4AFE-AC98-EEEC1BD77197@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.8.150116
x-originating-ip: [64.100.32.216]
Content-Type: multipart/alternative; boundary="_000_D11D217F46FD4mzanatyciscocom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/avt/m62GSlgerENHJ02niWo-IpQ5ibg>
Cc: "draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org" <draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org>, IETF AVTCore WG <avt@ietf.org>
Subject: Re: [AVTCORE] Summary of discussion with IESG and call for consensus regarding AES-GCM draft
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 03:53:40 -0000

Where did 2^17 come from? For packets around 1KB, the authentication tag strength is only reduced by 6 bits from 64 to 58 bits. SRTCP would rekey after 2^31 packets, giving a 2^-27 probability of a single successful forgery during the key lifetime if all 2^31 packets were forgeries. SRTP would theoretically rekey after 2^48 packets, giving a 2^-10 probability of a single successful forgery during the key lifetime if all 2^48 packets were forgeries, but in reality, SRTCP will always cause rekey first assuming at least 1 RTCP packet for every 2^17 RTP packets.

And this is only for hypothetical attacks which require auth fail feedback per packet which can’t be realized in SRTP. And it requires extreme packet rates causing a denial-of-service far worse than the impact of compromised auth. And even a successful attack can only forge random data since the decryption key is not compromised.

I see no reason to reduce key lifetime below other modes, even under the most paranoid security considerations. This is not a real-world vulnerability in SRTP applications. Thick tinfoil hats are good, but not so thick that they pin your head to the ground.

Mo


On 3/4/15, 5:10 PM, John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>> wrote:
On 02 Mar 2015, at 12:53, Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>> wrote:
2. The AES-GCM draft is proposed to contain the following configurations:
      AEAD_AES_128_GCM     (with 16 byte authentication tag)
      AEAD_AES_128_GCM_64  (with 8 byte authentication tag)
Is the proposal then to include the profile from draft-ietf-avtcore-srtp-aes-gcm-12 with a maximum key lifetime  of 2^17 packets? Just so that everybody understands that a rekey would be needed every 43 minutes for a codec with 20 ms payload size.

v2.23.0 | Report a Bug | By Email