[Cfrg] Re: Comments on SIV and draft-dharkins-siv-aes-00
"Dan Harkins" <dharkins@lounge.org> Wed, 24 October 2007 00:56 UTC
Return-path: <cfrg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IkUXe-0005eH-F3; Tue, 23 Oct 2007 20:56:14 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IkUXc-0005cO-WA for cfrg@ietf.org; Tue, 23 Oct 2007 20:56:13 -0400
Received: from colo.trepanning.net ([69.55.226.174] helo=mail1.trepanning.net) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IkUXX-0005lc-Ej for cfrg@ietf.org; Tue, 23 Oct 2007 20:56:12 -0400
Received: from www.trepanning.net (localhost [127.0.0.1]) by mail1.trepanning.net (Postfix) with ESMTP id 9396E1FA612A; Tue, 23 Oct 2007 17:55:43 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 23 Oct 2007 17:55:43 -0700 (PDT)
Message-ID: <2222.69.12.173.8.1193187343.squirrel@www.trepanning.net>
In-Reply-To: <C343BB62.1A93%mcgrew@cisco.com>
References: <C343BB62.1A93%mcgrew@cisco.com>
Date: Tue, 23 Oct 2007 17:55:43 -0700
From: Dan Harkins <dharkins@lounge.org>
To: mcgrew <mcgrew@cisco.com>
User-Agent: SquirrelMail/1.4.8
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Priority: 3 (Normal)
Importance: Normal
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Scan-Signature: 7268a2980febc47a9fa732aba2b737ba
Cc: cfrg@ietf.org
Subject: [Cfrg] Re: Comments on SIV and draft-dharkins-siv-aes-00
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
Hi David, On Tue, October 23, 2007 2:53 pm, mcgrew wrote: > Hi Dan, > > On 10/19/07 1:23 PM, "Dan Harkins" <dharkins@lounge.org> wrote: > >> >> Hi David, >> >> On Thu, October 18, 2007 1:41 pm, mcgrew wrote: [snip] >>> First, what's the motivation for key wrapping? This is an important >>> question that a lot of people have wrestled with. I understand from >>> Section >>> 1.3.1 that nonceless AEAD is valuable because there are existing >>> protocols >>> that do not make use of nonces, so SIV's capability for nonceless AEAD >>> enables it to be easily adopted by these protocols. This is a very >>> good >>> point. Nonetheless, it does not address the question of "when should a >>> user >>> use nonceless AEAD?" outside of those "legacy" cases. I would expect >>> that >>> we would want to provide guidance that users SHOULD use nonces wherever >>> possible, but MAY otherwise do without nonces. (Perhaps there should >>> be >>> an >>> exception for cases in which determinism is essential, e.g. database >>> applications in which plaintext-to-ciphertext mapping must be >>> deterministic. >>> But this is clearly a special case.) >> >> I think the motivation is to provide deterministic authenticated >> encryption for specialized data, such as cryptographic keys. The >> American >> Standards Committee Working Group X9F1 has come up with a draft standard >> for such a problem. S/MIME has RFCs on that problem. I do mention that >> in >> the draft. >> >> I'm a little reluctant to jump into that brier patch though. [DAE] >> does >> a very nice treatment of the reasons behind, and requirements for, key >> wrapping both informally (in the introduction) and formally (in appendix >> C). I will try to address your comment by pointing readers to [DAE] and >> X9F1. Would that be acceptable? > > Seems to me that normative guidance on when nonces are/aren't needed > should > be in the document, since it significantly affects security. I propose at > least something like this: Suggested text is always welcome :-) > <quote> > Applications SHOULD include a nonce in the associated data. This nonce > must > either be generated uniformly at random and be at least as long as the > key, > or each nonce value must be distinct for each distinct invocation of the > SIV > encrypt function. Applications MAY do without a nonce in the associated > data if the plaintext contains data that is unpredictable to an adversary, > i.e. a secret key. > </quote> > > Details are up to debate, but I *think* that most people who care would > agree with that guidance. The attractive thing about SIV is that nonces need not be random or distinct for each distinct invocation of the SIV encrypt function. SIV provides resistance to nonce reuse. While this guidance is appropriate for cipher modes like GCM or CCM it is overly restrictive for SIV. I like the rest of the suggested text (thank you!). Does anyone else have an opinion on the topic of nonce reuse and SIV? > My concern here isn't specific to SIV at all - my concern is that, if we > define specifications of keywrap algorithms and recommend their use, that > we > be very clear where and how we expect for them to be used. That's the brier patch I don't want to jump into. The I-D is about SIV and not a generic treatment of the keywrap problem. I have no problem explaining when a nonce is not needed in the associated data with SIV (and your text above will help) but I don't want to deal with the general case of keywrapping in a I-D about SIV. > Off topic: OK, now that I have noticed and read Appendix F of [DAE], I > think > that it might be a good idea to use that appendix as a source of input > data > for the test vectors ;-) Excellent idea. [snip] >>> Regarding performance, any AEAD algorithm can be made to support a >>> scatter/gather or init/update/final interface as per RFC1321. It is a >>> conventional technique to copy the intermediate state after an update >>> operation, and then use it to process different suffixes. Beyond >>> that, >>> there are functions that support an "incremental" interface, in the >>> sense >>> of >>> "Incremental Cryptography and Application to Virus Protection" (27th >>> ACM >>> Symposium on the Theory of Computing, May 1995). GMAC, and many other >>> functions that make use of universal hashing, can be used in this way. >>> So >>> it is possible to reap the performance benefit claimed for SIV with >>> some >>> existing functions, and it's possible to realize the performance >>> advantage >>> without using a vector of inputs. >> >> You seem to be arguing against the novelty of this idea but not >> against >> the idea itself. > > I was trying to make the point that the performance advantages can be > realized without changing the user interface, so to speak. > >> >> It is a natural way to deal with AD. In [AEAD] you say, >> >> "When using an AEAD to secure a network protocol, for example, >> this input could include addresses, ports, sequence numbers, >> protocol version numbers, and other fields that indicate how the >> plaintext or ciphertext should be handled, forwarded, or >> processed." >> >> That's, potentially, several distinct pieces of information. Some may >> be contiguous (addresses, ports and sequence numbers might all be in a >> single header) but other might not be. Some AD might not even transit >> with the authenticated and encrypted data. >> >> I guess I can try to highlight this concept but it seems that what >> should really be explained is why these multiple distinct pieces of >> information have to be viewed as a single component input to an AEAD >> cipher mode. > > To play the devil's advocate: why, then, is there a single plaintext input > in SIV instead of a vector of plaintext inputs? Because it's unnatural. Things like ports, sequence numbers, protocol version numbers, and addresses cannot be encrypted because they need to be inspected by a network entity or a protocol layer that does not have access to keying material. It is still valuable to authenticate them end-to-end though. Also it is perfectly reasonable for a component of AD to be internal state or something that does not transit with the encrypted and authenticated packet but there is no reason why one would want to encrypt that. That is not the case with plaintext. In a network protocol data to encrypt is contiguous. There could be a packet aggregation protocol similar to the way 802.11n handles MPDU aggregation but if all the packets are to be encrypted with the same key (not the case for 11n) then all that's needed is to have enough cleartext header to deliver the whole bundle of aggregated packets to the crypto engine. There is no need for multiple disjoint components to plaintext. While it would be possible to modify an AEAD algorithm to accept multiple distinct plaintext inputs (especially if it uses CTR mode for encryption) it would overly complicate the encryption and decryption definition with no benefit. The benefit of treating AD as multiple and distinct is that that's the way it starts out. You need only specify the order in which it is processed (and you need to do that regardless of how your mode handles AD input). If you additionally require that AD be a single input then you may also need to encode lengths of the distinct data. In one octet? Two octets? Four octets? It's additional work to overcome a limitation in the mode. If a cipher mode does not have a limitation it should not be required to adopt one. You state that any AEAD algorithm can be modified to accept multiple distinct pieces of AD using scatter/gather or init/update/final techniques. Great! So AEAD algorithms that only allow a single input for AD have a way to deal with the more natural case where AD is as you describe in [AEAD] (you quote above). There seems to be no reason to _require_ all AEAD algorithms to have a single input for AD. Can we please remove the single input AD requirement in [AEAD]? SIV deals with AD the way it naturally is. It seems wrong to force SIV to deal with AD in an unnatural way because that's the way other modes handle it. Dan. _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Comments on SIV and draft-dharkins-siv-aes… mcgrew
- [Cfrg] Re: Comments on SIV and draft-dharkins-siv… Dan Harkins
- [Cfrg] Re: Comments on SIV and draft-dharkins-siv… Dan Harkins
- [Cfrg] Re: Comments on SIV and draft-dharkins-siv… mcgrew
- [Cfrg] Re: Comments on SIV and draft-dharkins-siv… mcgrew
- [Cfrg] Re: Comments on SIV and draft-dharkins-siv… Dan Harkins