Re: [CFRG] AES-CTR + HMAC-SHA-256 AEAD

John Mattsson <john.mattsson@ericsson.com> Sat, 13 March 2021 08:15 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Adam Langley <agl@imperialviolet.org>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Thread-Topic: [CFRG] AES-CTR + HMAC-SHA-256 AEAD
Date: Sat, 13 Mar 2021 08:14:56 +0000
Message-ID: <DE3B1E99-C75A-4F31-ACE8-0E1ABE4B40E6@ericsson.com>
References: <5E976EFE-CF76-49CA-A02E-9189EB609988@ericsson.com> <CAMfhd9UFJvQQOpz22CvuZ=thSqCeQkwtSCKiaH+spDB5N8OTLg@mail.gmail.com>
In-Reply-To: <CAMfhd9UFJvQQOpz22CvuZ=thSqCeQkwtSCKiaH+spDB5N8OTLg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-o4rX8JW7zWXzklOqSfBmut-9Kk>

Adam Langley wrote:
>I don't know what AES-CM is. Is it AES-CTR?

Yes, Counter Mode (CM) is just CTR. The terminology CM was used in RFC 3711 (SRTP) and McGrew’s paper from the same time. https://cr.yp.to/bib/2002/mcgrew.pdf.


I wrote:
“It looks like the frame counter CTR and the block counter collide, but maybe I miss something.”

A better description is probably that it is undefined how the 12 byte nonce is mapped to the 16 byte IV in AES counter mode. I would recommend:

frame_ctr = encode_big_endian(CTR * 2^64, 16)

From: Adam Langley <agl@imperialviolet.org>
Date: Saturday, 13 March 2021 at 00:45
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [CFRG] AES-CTR + HMAC-SHA-256 AEAD

On Fri, Mar 12, 2021 at 3:13 PM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
Hi,

In the CFRG chat today, Richard Barnes asked for reviews of https://tools.ietf.org/html/draft-omara-sframe-01#section-4.5.1

I think standardizing an AES-CTR + HMAC-SHA-256 AEAD seems very useful. The design in 4.5.1 looks very good. Some comments:

- I think the nonce length Nn for ciphersuite 1 and 2 should be 16. I don't see any reason not to use 16 bytes of randomness/salt.

- It looks like the frame counter CTR and the block counter collide, but maybe I miss something.

- I note that only the aad_len is authenticated, while GCM authenticated both aad_len and ct_len. I don't know what is correct.

I don't know what AES-CM is. Is it AES-CTR?

If so, isn't the AEAD authenticity completely broken because the nonce isn't involved in computing the tag? I.e. if an attacker corrupts the nonce in a (nonce, inner_ct, tag) tuple it looks like it'll decrypt "correctly" but the plaintext will be random because the counter will be wrong.

When doing something similar (https://boringssl.googlesource.com/boringssl/+/6b48efac7b3b229c17cff55e5cfd9f9a0aea9b70/crypto/cipher_extra/e_aesctrhmac.c#126) I also padded the HMAC input after the AAD and lengths to avoid the overhead of phase-shifting all the ciphertext data when hashing it.


Cheers

AGL
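The two design points raised in this thread, as an added example that is not the SFrame draft's code, BoringSSL's code, or either poster's: the frame counter mapped into the 16-byte AES-CTR initial block as encode_big_endian(CTR * 2^64, 16), and the receiver-side consequence of a tag that does or does not cover the nonce. It is a simplified Go model that assumes constructed all-zero keys, omits the per-key salt, and computes the tag over aad_len || aad || ct as the thread describes the draft doing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)
var encKey, macKey = make([]byte, 16), make([]byte, 32) // constructed all-zero demo keys

// ctrIV is encode_big_endian(CTR * 2^64, 16): CTR fills the high 8 bytes of the
// AES-CTR initial block, leaving the low 64 bits for the per-block counter.
func ctrIV(ctr uint64) []byte {
	iv := make([]byte, 16)
	binary.BigEndian.PutUint64(iv[:8], ctr)
	return iv
}

func ctrXor(iv, in []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// tag is HMAC-SHA-256 over aad_len || aad || ct; the IV is covered only if bindNonce.
func tag(iv, aad, ct []byte, bindNonce bool) []byte {
	h := hmac.New(sha256.New, macKey)
	if bindNonce {
		h.Write(iv)
	}
	binary.Write(h, binary.BigEndian, uint64(len(aad)))
	h.Write(aad)
	h.Write(ct)
	return h.Sum(nil)
}

// NonceTamperAccepted seals a frame, flips one bit of its counter on the wire and
// reports whether the receiver accepts it and whether the plaintext survives.
func NonceTamperAccepted(bindNonce bool) (accepted, intact bool) {
	pt, aad := []byte("constructed sample frame"), []byte("hdr")
	iv := ctrIV(7)
	ct := ctrXor(iv, pt)
	t := tag(iv, aad, ct, bindNonce)
	iv[7] ^= 0x01 // CTR 7 arrives as 6; an unbound tag cannot tell
	if !hmac.Equal(t, tag(iv, aad, ct, bindNonce)) { // constant-time compare
		return false, false
	}
	return true, string(ctrXor(iv, ct)) == string(pt)
}
```

With bindNonce=false the frame is accepted but decrypts under the wrong counter; with bindNonce=true the tag check rejects it before any plaintext is produced.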