[AVTCORE] Criticism on draft-ietf-avtcore-srtp-aes-gcm
David McGrew <mcgrew@cisco.com> Thu, 24 April 2014 20:08 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6148E1A038E for <avt@ietfa.amsl.com>; Thu, 24 Apr 2014 13:08:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.772
X-Spam-Level:
X-Spam-Status: No, score=-14.772 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DSwwUds3633O for <avt@ietfa.amsl.com>; Thu, 24 Apr 2014 13:08:50 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id D7EEF1A03E1 for <avt@ietf.org>; Thu, 24 Apr 2014 13:08:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19190; q=dns/txt; s=iport; t=1398370124; x=1399579724; h=message-id:date:from:mime-version:to:subject; bh=pVVvnzU6oHvu9OtFrTZgT3F+GurMQpKffGfYlN/KInU=; b=PccJ1YKfNXcAgRuXj2tkcYod3zOJDS/2A3ZyFlj0hGTFnAhXmjNkaRwz Scbpv7DCI5kIk1HIKBPKxFopsdDohi5HKQY71Xzc+8LCKsrbAgaVLk+hW +Uhopvxnc5iYA1MY2nGelafOXKFjr4N7/aZKUGX4/3/iiLuIj9AFrNXaG w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ak0QAIFuWVOrRDoJ/2dsb2JhbABPCoMGT4lDt06ECoEfFnSCJQEBAQIBbAEMBicDAQIKFhgDAgECAT0OAQwGAgKINQcOy0IXjXcGBAcBPx6EMwSYeYE4hSOLfoNNIYEsAgcXBg
X-IronPort-AV: E=Sophos; i="4.97,921,1389744000"; d="scan'208,217"; a="108513970"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-3.cisco.com with ESMTP; 24 Apr 2014 20:08:42 +0000
Received: from [10.0.2.15] (dhcp-10-33-176-74.cisco.com [10.33.176.74]) by mtv-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s3OK8fbJ030091; Thu, 24 Apr 2014 20:08:41 GMT
Message-ID: <53596F49.3040004@cisco.com>
Date: Thu, 24 Apr 2014 16:08:41 -0400
From: David McGrew <mcgrew@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131103 Icedove/17.0.10
MIME-Version: 1.0
To: avt@ietf.org, Magnus Westerlund <magnus.westerlund@ericsson.com>, florob@babelmonkeys.de
Content-Type: multipart/alternative; boundary="------------000009040804090203050303"
Archived-At: http://mailarchive.ietf.org/arch/msg/avt/odaTmP_orQZ2dNJggKVtbqC83WQ
X-Mailman-Approved-At: Thu, 24 Apr 2014 23:31:15 -0700
Subject: [AVTCORE] Criticism on draft-ietf-avtcore-srtp-aes-gcm
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Apr 2014 20:08:53 -0000
Hi Florian, thanks for calling this to the attention of the list. I had not seen it before, and I had not been contacted by Erich Möchel (the author of the post you cite) or anyone else in regard to these speculations. The post is wrong on many important points; please see more inline: > From: Florian Zeitz <florob@babelmonkeys.de> > Subject: [AVTCORE] Criticism on draft-ietf-avtcore-srtp-aes-gcm > Date: April 22, 2014 at 8:11:17 AM PDT > To: avt@ietf.org > > Hello, > > I'd like to call this working group's attention to the fact that > yesterday an article in german language[1] was published, harshly > criticising draft-ietf-avtcore-srtp-aes-gcm-11. > > The draft is therein called the NSA's newest attempt at weakening > internet security. The criticism is largely based on Niels Ferguson's > 2005 paper "Authentication weaknesses in GCM"[2]. > Ferguson's critique refers to the initial submission to NIST on GCM; please note that the submission was later revised and clarified. For background, see the comments on that work in Section 2 of the "GCM update" that was submitted to NIST along with the revised version of that specification back in 2005, which are online at http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/gcm-update.pdf The reference on multiple-forgery attacks, which is cited in the NIST submission, is online at https://eprint.iacr.org/2005/161.pdf Also, the NIST specification of GCM, which is the authoritative one, includes guidance on tag lengths that was absent from the version of the specification to which the critique refers. > In particular the points I can identify are: > > Repeated from Ferguson's paper > * GCM should no longer be used > * if GCM has to be used, the authentication tag should be 128-bit (the > draft currently mandates implementation of the 64-bit variant, the > others are purely optional) The statement on tag lengths is wrong, as Magnus recently pointed out on the list. Earlier versions of the draft had 64-bit tags as mandatory to implement and 128-bit tags as optional, but the current version reverses that. We made this change after discussion between the authors, reviewers and the chairs. In more detail: on 11/03, John Mattsson reviewed draft-ietf-avtcore-srtp-aes-gcm, and provided comments to Magnus Westerlund, Richard Barnes, Kevin Igoe, and myself. John and Kevin decided that the mandatory-to-implement GCM tag size should be changed to 128 bits. (John, Magnus, Richard and Kevin, please check for Kevin's email on this subject dated 2/19/14). Of course, this is a working group draft and should reflect the consensus of AVTCORE. But it currently has strong mandatory-to-implement options and good guidance on parameter choices, as noted below. > * the paper uses telephony as an example in it's "A disastrous scenario" > section. Yet this draft recommends GCM for telephony > > Attributed to Michael Kafka, a "security expert" from Vienna: > * mixing confidentiality and authentication makes attacks easier This statement is wrong. Authenticated encryption as provided by dedicated algorithms like GCM is widely regarded as better than loosely bound authentication and encryption. To appreciate why a loose binding between authentication and encryption is a bad idea, see for instance the padding oracle attacks against CBC in TLS and other protocols, which are possible because of the loose binding, as first described by Vaudenay and developed in BEAST and Lucky-13. > * in practice performance gains are negligible on modern smartphones > > The article also insinuates that David McGrew is deliberately > co-authoring a draft he knows to be insecure, somehow under the > pressure of the NSA. This is also not true. I'm not under any pressure from the NSA, and the draft provides an adequate level of security. Importantly, the draft very explicitly describes the authentication strength that one can expect from a given choice of tag length, in Section 14.2 http://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-11#section-14.2 It would be disingenuous to suggest that the draft has some sort of hidden weakness regarding authentication strength, as the draft is very clear about the authentication strength one can expect for different parameter choices. For perspective, one should also consider the authentication strength of some existing standards. SDP Security Descriptions (RFC 4568) includes the option of a 32-bit authentication tag http://tools.ietf.org/html/rfc4568#section-6.2.2 And Secure RTP itself (RFC 3711) allows encryption with *no* authentication. The rationale for this is outlined in Section 7.5 of that RFC, and Section 9.5.1 outlines the security considerations of weak or NULL authentication in SRTP. Just to be clear: the standards cited above provide much less authentication strength than the weakest option in draft-ietf-avtcore-srtp-aes-gcm. For more perspective, let's go through an example based on the table in the section of the GCM and CCM draft. Consider an scenario in which a receiver in an audio session with a typical rate of 50 packets per second receives a steady stream of forged messages for an entire day, which are protected by 64-bit GCM authentication tags. If the receiver is patient enough to listen to an entire day's worth of silence (due to the fact that SRTP will discard forged packets), the attacker will have a one in a billion probability of successfully forging a message. Many people would be OK with this level of risk. Others would not, in which case they should use a larger GCM tag size, which they could choose from the table. Or they could use CCM, which is also described in the draft, or SRTP with HMAC authentication. Please also note that the table in the draft takes the conservative approach of assuming that packets are large (and thus per-packet authentication is slightly weaker). I personally favor the use of large authentication tags, both in SRTP and for GCM, but I grudgingly concede that short tags are adequate for some scenarios where bandwidth matters a lot. When SRTP was developed and standardized, around 2003, it was necessary to allow weak authentication options because of bandwidth constraints faced by some RTP users. To put it plainly: some RTP users at the time said that they would not use SRTP if it required long authentication tags. The discussions on this tradeoff took place within AVT and are well documented. In any case, it is reasonable to debate whether or not short authentication tags are ever appropriate, but it would be wrong to claim that any version of draft-ietf-avtcore-srtp-aes-gcm described authentication options that are weaker than those already present in the SRTP standard. This is somewhat off topic, but I did participate in some recent work that aims to provide better security within limited bandwidth, which was submitted to the IETF last year and presented at the last IRTF CFRG meeting: "Authenticated Encryption with Replay prOtection (AERO)" http://tools.ietf.org/html/draft-mcgrew-aero-01 and "Using Authenticated Encryption with Replay prOtection (AERO) in SRTP" http://tools.ietf.org/html/draft-mcgrew-srtp-aero-01. Some more research needs to be done to refine and validate this approach, but it appears promising as a future direction (in scenarios in which the endpoints can afford some additional computation during encryption). > > While I do not necessarily personally agree with the criticism, or the > conclusions, I would like this working group and the authors to > address it in some way. > Thank you for calling this to the attention of the list, and thus giving me the opportunity to respond to the posting that you referenced. regards, David
- [AVTCORE] Criticism on draft-ietf-avtcore-srtp-ae… Florian Zeitz
- Re: [AVTCORE] Criticism on draft-ietf-avtcore-srt… Magnus Westerlund
- Re: [AVTCORE] Criticism on draft-ietf-avtcore-srt… Florian Zeitz
- [AVTCORE] Criticism on draft-ietf-avtcore-srtp-ae… David McGrew
- Re: [AVTCORE] Criticism on draft-ietf-avtcore-srt… Magnus Westerlund
- Re: [AVTCORE] Criticism on draft-ietf-avtcore-srt… John Mattsson