Re: [Cfrg] Streaming AEAD
David McGrew <mcgrew@cisco.com> Sun, 23 February 2014 14:15 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 786EC1A00BF for <cfrg@ietfa.amsl.com>; Sun, 23 Feb 2014 06:15:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.548
X-Spam-Level:
X-Spam-Status: No, score=-7.548 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_51=0.6, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a4skTOFX8zWH for <cfrg@ietfa.amsl.com>; Sun, 23 Feb 2014 06:15:44 -0800 (PST)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) by ietfa.amsl.com (Postfix) with ESMTP id 0A1CB1A00B1 for <cfrg@irtf.org>; Sun, 23 Feb 2014 06:15:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3709; q=dns/txt; s=iport; t=1393164944; x=1394374544; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=jwvpdx2BoJSfEHcjLV0BydLqZp+3BlBdvG1wawBImF4=; b=Gqnzn8FuzCvrSgQ8AfXbMMaw8lcTRz4oCe+XA7yuypvvUDRW6TWMe8yV ycjeVeLHYZlELN1KrDionePj7jcIP6GOzWb/+O5EZEmra2UQN/X1Wsuqz 1KLssTt2DTqatv0BMMRQ80F1Kj8Zb4G9KSn3tGZnMAV9PbWTfrJYsBEWa c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhMFAFsCClOtJXG//2dsb2JhbABZgwaEFbpTgweBBhZ0giUBAQEEIxVAARALGAICBRYLAgIJAwIBAgFFBg0BBwKIAaZdoQcXgSmNOweCb4FJAQOJSI5shkiLX4NLHg
X-IronPort-AV: E=Sophos;i="4.97,529,1389744000"; d="scan'208";a="22529888"
Received: from rcdn-core2-4.cisco.com ([173.37.113.191]) by alln-iport-3.cisco.com with ESMTP; 23 Feb 2014 14:15:43 +0000
Received: from [10.0.2.15] (rtp-mcgrew-8914.cisco.com [10.117.10.229]) by rcdn-core2-4.cisco.com (8.14.5/8.14.5) with ESMTP id s1NEFgxT010365; Sun, 23 Feb 2014 14:15:42 GMT
Message-ID: <530A0293.5060208@cisco.com>
Date: Sun, 23 Feb 2014 09:15:47 -0500
From: David McGrew <mcgrew@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130922 Icedove/17.0.9
MIME-Version: 1.0
To: "Manger, James" <James.H.Manger@team.telstra.com>
References: <9A043F3CF02CD34C8E74AC1594475C7372375D64@uxcn10-tdc06.UoA.auckland.ac.nz> <53035EC7.8010607@cisco.com> <255B9BB34FB7D647A506DC292726F6E1153B6AA83D@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1153B6AA83D@WSMSG3153V.srv.dir.telstra.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/BRoEngLbN7G5X2r3g8cSwh9u2WM
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [Cfrg] Streaming AEAD
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Feb 2014 14:15:46 -0000
Hi James, On 02/18/2014 10:59 PM, Manger, James wrote: >>>> What is needed is a way to use an AEAD algorithm to secure a message in >>>> chunks. Streaming-AEAD would allow a recipient to know they have received an >>>> authentic prefix of a message. It would allow crypto APIs to support >>>> streaming modes while never returning unauthentic plaintext. >>> I think the means of doing this is going to be protocol-specific, since it >>> depends on the PDU format being used. > Not necessarily. > I was thinking we could define a new alg identifier such as > "AEAD_AES_128_OCB_TAGLEN96/10K", meaning OCB on 10 KB chunks. > Once the 10228th byte (10KB - 96 bits) of plaintext is streamed > to the encrypt function, it finishes the first AEAD operation and > inserts a 96-bit tag into the ciphertext. A decryption function > caches the ciphertext it is streamed until it reaches a 10KB > boundary then it returns 10228 bytes of plaintext. > > An app sees a different alg id, but doesn't need to notice that > the ciphertext PDU is actually ct tag ct tag ct tag... > [It might need to know which nonces have been used internally though!] I take your point. If there was a streaming-AEAD algorithm (using an API similar to RFC 5116 but extended a bit), then it could be used in a protocol regardless of that protocol's message formats and sizes. It would be somewhat awkward that the sender needs to know the right chunk size that the receiver can handle, so the chunk size is something that one would want to "negotiate", or at least have the receiver advise the sender on. If a streaming-AEAD gets defined, it would be attractive to define a way in which any of the existing AEAD schemes could be used in chunk-mode. > > >> I think that's right. It still makes sense to consider what should be >> going on above the AEAD layer, in a generic sense. >> >>> For things like SSL/TLS and SSH the >>> problem is already solved since data amounts are quantised to the >> protocol >>> data packet size, >> I hope that's right. I am not sure that SSL/TLS implementers would be >> comfortable if they could never use the decryptUpdate function though. >> >>> for store-and-forward protocols like PGP and S/MIME you'd >>> need to add a mechanism for it in a PGP/SMIME-specific manner, but >> then you'd >>> also need to figure out how to communicate it to the other side... >> and then >>> you're back to relying on ad-hoc mechanisms. >>> >>> When I had to do this years ago I used something like: >>> >>> len1 || data1 || h1 = HMAC( len1 || data1 ), >>> len2 || data2 || h2 = HMAC( h1 || len2 || data2 ), >>> len3 || data3 || h3 = HMAC( h2 || len3 || data3 ), >>> ... >>> >>> A length of 0 indicated end-of-contents. >> Interesting, is there a writeup? > > So for packetizing plaintext for ~AEAD chunks: > * TLS puts a sequence number in the AAD; > * Peter (sort of) puts a tag for the previous prefix in the AAD; > * I suggested using sequential nonces and a start/middle/end flag; > * AERO hides the details in state; > * Pipelineable On-Line Encryption randomizes unauthentic plaintext. > > > My only concern with putting state (eg sequence number, byte count, previous hash) into AAD is that you need something at a higher layer to ensure that AEAD(X||Y,P) is always interpreted as "chunk mode with state=X, user-provided-AAD=Y", and never as "non-chunk mode with user-provided-AAD=X||Y". You probably cannot safely use 1 key in chunk and non-chunk modes. Agreed; chunk mode would need to be well defined, understood by both sender and receiver, and never share keys with non-chunk modes. David > > -- > James Manger
- Re: [Cfrg] Streaming AEAD Peter Gutmann
- [Cfrg] Streaming AEAD Manger, James
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD Jean Paul Degabriele
- Re: [Cfrg] Streaming AEAD Manger, James
- Re: [Cfrg] Streaming AEAD Mridul Nandi
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD David Jacobson