Re: [Cfrg] AES-SIV versus AES-GCM for Encrypted Key Data

"Dan Harkins" <dharkins@lounge.org> Tue, 17 May 2016 00:30 UTC

Message-ID: <c2e1d0f562d065a6f4d2052607a46280.squirrel@www.trepanning.net>
In-Reply-To: <297966AA-C7E0-4C3B-BA56-8D61D7824D66@vigilsec.com>
References: <D35F6F11.93C3E%paul@marvell.com> <297966AA-C7E0-4C3B-BA56-8D61D7824D66@vigilsec.com>
Date: Mon, 16 May 2016 17:30:36 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Russ Housley <housley@vigilsec.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/BrjJkeUhK2_Wbs-f8YFQ5NbAz5Y>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] AES-SIV versus AES-GCM for Encrypted Key Data


On Mon, May 16, 2016 1:56 pm, Russ Housley wrote:
>
> On May 16, 2016, at 3:35 PM, Paul Lambert <paul@marvell.com> wrote:
>
>> I would think that nonce/counter misuse protection would be an advantage
>> for this type of application.
>
> I do not see how.  There is a fresh key-encryption key for each wrap.
> Where can the counter be reused?

  The application isn't really key wrapping; it's protection of some
handshaking messages for an authentication protocol. The resulting
security association is a bit longer-lived, so subsequent packets for
ongoing maintenance of the SA (like rekeying traffic keys) would use
the same (now "unfresh") key.

  Parts of the packet get encrypted and the whole thing gets
authenticated. So instead of doing an ad hoc construction of a cipher
(in CBC mode, or CTR mode, or ...) and a MAC (HMAC-SHAXYZ) and making
sure the order is right, it's easier to use a provably secure construction
that does authenticated encryption with AAD. Using one that doesn't
require any kind of additional nonce to be contributed is more attractive.
Robust misuse resistance is a virtue for a thing like this.

  regards,

  Dan.

> Russ
>