[AVTCORE] Comments on the draft-ietf-avtcore-srtp-aes-gcm-01

Woo-Hwan Kim <whkim5@ensec.re.kr> Mon, 16 July 2012 05:48 UTC

MIME-Version: 1.0
Sender: woohwankim@gmail.com
Date: Mon, 16 Jul 2012 14:48:53 +0900
Message-ID: <CAMRi9Ce8Cn=HpY6sCos_-Jmi7Y0z1OA-ff58aoumXA8BRdnd0A@mail.gmail.com>
From: Woo-Hwan Kim <whkim5@ensec.re.kr>
To: avt@ietf.org, draft-ietf-avtcore-srtp-aes-gcm@tools.ietf.org
Content-Type: multipart/alternative; boundary="14dae9340fe72b9c3504c4ebfcd3"
Cc: Daesung Kwon <ds_kwon@ensec.re.kr>, Je Hong Park <jhpark@ensec.re.kr>
Subject: [AVTCORE] Comments on the draft-ietf-avtcore-srtp-aes-gcm-01
Precedence: list

Hi.

Here are some comments on the draft-ietf-avtcore-srtp-aes-gcm-01.

1. typos and minors

p.4 DTLS -> DTLS-SRTP
p.8 ROS -> ROC
p.11 the corresponding STRCP encrypted -> the corresponding SRTCP encrypted
p.13 C_max -> C_MAX
p.18 AEAD_AES_128_CCM -> AEAD_AES_128_GCM
p.18 AEAD_AES_256_CCM -> AEAD_AES_256_GCM

2. On the CCM decryption

In this draft, there is no separation between GCM and CCM except
"Tag_Size_Flag“.
It means both modes have the same parameters (nonce length, counter block
length etc.) and the same IV format (described in Sections 8.1 and 9.1).
But that does not hold if the authors intend to apply the interfaces of CCM
described in RFC 5116.
For example, the counter block length parameter q is not 4 but 3 when the
length of nonce is 12 octets.

According to the InputFormatting Function proposed in NIST SP 800-38C (and
referred by RFC 5116),
Tag_Size_Flag recommended in this draft is derived when q=3.
Note that such parameter is related to several AEAD parameters, and so a
large portion of the draft should be revised.

3. CCM Tag Validation

Section 5.3 says
"The ciphertext MUST NOT be decrypted until the AEAD tag has been
validated. The associated data
MUST NOT be released until the AEAD tag has been validated."

The above does not hold for CCM mode of operation,
because it is required to decrypt ciphertext before confirming the
validation of the AEAD tag.

4. Ciphertext length expansion for SRTP

Section 9.2 says
"Since the AEAD cipher is larger than the plaintext by exactly the length
of the AEAD authentication
tag, the corresponding STRCP encrypted packet replaces the plaintext field
with a slightly larger
field containing the cipher."

Does this sentence only hold for SRTCP?

5. Input/output data for CCM (Sections 5.2.1 and 5.2.2)

Both input and output data for CCM require Tag_Size_Flag, but that is the
value which can be computed
by three parameters (defined in NIST SP 800-38C). Because Tag_Size_Flag is
not included in SRTP/SRTCP
packets, the only way to share the same Tag_Size_Flag is to fix
authentication tag length and counter
block length in advance.

Additionally, Section 5.2.1 says the only output of "Encrypt Mode" is
"Ciphertext" with bit string length = legnth length(ciphertext)-tag_length.
What is the difference between "ciphertext" and "Ciphertext". If length of
the "Ciphertext" does not consider the length of "authentication tag",
where is authentication tag?


6. CCM tag length specification

Section 10.3

RFC5116 only defines AEAD_AES_128/256_CCM with 16 octets tag length.

Section 13.2

"Note that these SRTP Protection Profiles do not specify an auth_function,
auth_key_length, or
auth_tag_length because all of these profiles use AEAD algorithms, and thus
do not use a separate auth_function, auth_key, or auth_tag."

In IANA AEAD registry, there is no entry for AEAD_AES_128/256_CCM_12.
It means that there is no official reference for AES_CCM with 96-bit
authentication tag. So it is required to define
AEAD_AES_128/256_CCM_12 independently in this document, similar to
AEAD_AES_128/256_CCM_8 defined for
TLS usage(internet draft, AES-CCM Cipher Suites for TLS).

For SDES, it may be necessary to add CCM-related crypto suites with 64- and
96-bit authentication tags.

Thanks.

Woo-Hwan Kim

[AVTCORE] Comments on the draft-ietf-avtcore-srtp… Woo-Hwan Kim
Re: [AVTCORE] Comments on the draft-ietf-avtcore-… Igoe, Kevin M.