[AVTCORE] Criticism on draft-ietf-avtcore-srtp-aes-gcm

Florian Zeitz <florob@babelmonkeys.de> Tue, 22 April 2014 15:11 UTC

Message-ID: <53568695.7090509@babelmonkeys.de>
Date: Tue, 22 Apr 2014 17:11:17 +0200
From: Florian Zeitz <florob@babelmonkeys.de>
To: avt@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/avt/q2RqNhPvQb5FcJfQrNklD4uFbI0

Hello,

I'd like to call this working group's attention to the fact that
yesterday an article in German[1] was published, harshly
criticising draft-ietf-avtcore-srtp-aes-gcm-11.

The draft is therein called the NSA's newest attempt at weakening
internet security.
The criticism is largely based on Niels Ferguson's 2005 paper
"Authentication weaknesses in GCM"[2].

In particular the points I can identify are:

Repeated from Ferguson's paper
* GCM should no longer be used
* if GCM has to be used, the authentication tag should be 128-bit
  (the draft currently mandates implementation of the 64-bit
   variant, the others are purely optional)
* the paper uses telephony as an example in its "A disastrous scenario"
  section. Yet this draft recommends GCM for telephony

Attributed to Michael Kafka, a "security expert" from Vienna:
* mixing confidentiality and authentication makes attacks easier
* in practice performance gains are negligible on modern smartphones

The article also insinuates that David McGrew is deliberately
co-authoring a draft he knows to be insecure, somehow under the pressure
of the NSA.

While I do not necessarily personally agree with the criticism, or the
conclusions, I would like this working group and the authors to address
it in some way.

Regards,
Florian Zeitz

[1] http://fm4.orf.at/stories/1737330/
[2]
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf
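
Added illustration, not part of Florian's message, of the draft, or of
Ferguson's paper [2]: the GHASH algebra that the tag-length point above
rests on. GHASH evaluates a polynomial in the secret hash subkey H over
GF(2^128), so for a fixed H it is linear in the data, and because squaring
is F2-linear in a field of characteristic 2, a modification confined to
blocks multiplied by H^(2^k) changes the tag by an F2-linear function of H.
That is the structure Ferguson's forgery attack on short tags builds on.
The field multiplication below follows NIST SP 800-38D, Algorithm 1; the
function names (gf_mul, ghash, tag_delta, delta_linear_in_h) and every
sample value (the hash subkeys, the data blocks, the deltas) are constructed
for this example and are not test vectors from any specification.

```python
# Added illustration of the GHASH structure Ferguson's paper exploits.
# Not code from draft-ietf-avtcore-srtp-aes-gcm or from the e-mail above.
# Field arithmetic follows NIST SP 800-38D, Algorithm 1; function names and
# all sample values (hash subkeys, data blocks, deltas) are constructed here
# and are not test vectors from any specification.

# R = 11100001 || 0^120 in GCM's bit ordering (bit 0 = most significant bit).
R = 0xE1 << 120
MASK = (1 << 128) - 1
ONE = 1 << 127  # the field element "1" in GCM's bit-reflected encoding


def gf_mul(x: int, y: int) -> int:
    """Multiply two elements of GF(2^128) in the GCM representation."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:  # bit i of x, counted from the left
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(h: int, e: int) -> int:
    """h ** e by square-and-multiply (e >= 0)."""
    result, base = ONE, h
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def ghash(h: int, blocks: list) -> int:
    """GHASH_H(X_1..X_n) = X_1*H^n + X_2*H^(n-1) + ... + X_n*H, Horner form."""
    y = 0
    for b in blocks:
        y = gf_mul(y ^ b, h)
    return y


def tag_delta(h: int, n: int, deltas: dict) -> int:
    """Change of GHASH when block i (1-based, of n) is XORed with deltas[i].

    GHASH is linear in the data for a fixed H, so the change equals
    sum_i deltas[i] * H^(n+1-i) and does not depend on the original blocks.
    """
    d = 0
    for i, delta in deltas.items():
        d ^= gf_mul(delta, gf_pow(h, n + 1 - i))
    return d


def delta_linear_in_h(n: int, deltas: dict, h1: int, h2: int) -> bool:
    """True if the tag change behaves as an F2-linear function of H here."""
    return tag_delta(h1 ^ h2, n, deltas) == tag_delta(h1, n, deltas) ^ tag_delta(h2, n, deltas)


def demo() -> dict:
    # Constructed sample values (not specification test vectors).
    h = 0x3C4FCF098815F7ABA6D2AE2816157E2B
    h_other = 0x7F1E2D3C4B5A69788796A5B4C3D2E1F0
    blocks = [(0x0123456789ABCDEF0123456789ABCDEF * (i + 1)) & MASK for i in range(8)]
    n = len(blocks)

    # 1. The effect of a known change on the tag is predictable from H alone.
    deltas = {1: 0xDEADBEEF << 64, 5: 0x1, 7: 0xFF << 120, 8: 0xCAFE}
    modified = [b ^ deltas.get(i + 1, 0) for i, b in enumerate(blocks)]
    observed = ghash(h, blocks) ^ ghash(h, modified)
    predicted = tag_delta(h, n, deltas)

    # 2. Blocks 1, 5, 7, 8 of 8 are multiplied by H^8, H^4, H^2, H^1: all
    #    powers of two.  Squaring is F2-linear in GF(2^128), so the tag change
    #    is a linear function of H.  This is the structure Ferguson exploits:
    #    a forgery that succeeds against a truncated tag then yields linear
    #    equations on the secret H rather than nothing.
    linear = delta_linear_in_h(n, deltas, h, h_other)

    # 3. Adding a change in block 6 (multiplied by H^3) destroys that linearity.
    nonlinear = not delta_linear_in_h(n, {**deltas, 6: 0x1}, h, h_other)

    return {
        "prediction_matches": observed == predicted,
        "power_of_two_positions_linear": linear,
        "h3_term_breaks_linearity": nonlinear,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the block prints True for all three checks. The attacker in
Ferguson's setting does not know H; the example only shows why the tag
difference for power-of-two block positions is a linear map of H, which is
what turns each successful forgery against a short (e.g. 64-bit) tag into
information about H, and why a 128-bit tag, or a MAC without this algebraic
structure, is the conservative choice.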