Re: [Cfrg] new authenticated encryption draft
David A. McGrew <david.a.mcgrew@mindspring.com> Mon, 28 August 2006 22:11 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHpK7-0004f8-IG; Mon, 28 Aug 2006 18:11:15 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHpK6-0004f2-B2 for cfrg@ietf.org; Mon, 28 Aug 2006 18:11:14 -0400
Received: from elasmtp-galgo.atl.sa.earthlink.net ([209.86.89.61]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GHpK5-0002z5-00 for cfrg@ietf.org; Mon, 28 Aug 2006 18:11:14 -0400
Received: from [69.244.72.11] (helo=[192.168.1.100]) by elasmtp-galgo.atl.sa.earthlink.net with asmtp (TLSv1:RC4-SHA:128) (Exim 4.34) id 1GHpK4-0001uK-HS; Mon, 28 Aug 2006 18:11:12 -0400
In-Reply-To: <XFE-SJC-211V2mEIkLe00001004@xfe-sjc-211.amer.cisco.com>
References: <XFE-SJC-211V2mEIkLe00001004@xfe-sjc-211.amer.cisco.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <C3A43028-D624-416F-B7A7-C40AED9BFE17@mindspring.com>
Content-Transfer-Encoding: 7bit
From: "David A. McGrew" <david.a.mcgrew@mindspring.com>
Subject: Re: [Cfrg] new authenticated encryption draft
Date: Mon, 28 Aug 2006 15:11:09 -0700
To: Scott Fluhrer <sfluhrer@cisco.com>
X-Mailer: Apple Mail (2.752.2)
X-ELNK-Trace: ad1f9a46c4c7bfd19649176a89d694c0f43c108795ac4507c95e18c30ac424135e5e235761befeb1350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 69.244.72.11
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cf3becbbd6d1a45acbe2ffd4ab88bdc2
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
Hi Scott, thanks for your comments, more inline: On Aug 23, 2006, at 7:24 PM, Scott Fluhrer wrote: > > >> -----Original Message----- >> From: David A. McGrew [mailto:david.a.mcgrew@mindspring.com] >> Sent: Monday, August 21, 2006 7:37 PM >> To: Hal Finney >> Cc: cfrg@ietf.org >> Subject: Re: [Cfrg] new authenticated encryption draft >> >> Hi Hal, >> >> On Aug 20, 2006, at 11:47 AM, Hal Finney wrote: >> >>> On 8/18/06, David A. McGrew <david.a.mcgrew@mindspring.com> wrote: >>>> Hello, >>>> >>>> I've recently submitted a new Internet Draft pertinent to >> this group, >>>> and I'd like to ask for your review. The pre-publication draft is >>>> online at http://www.mindspring.com/~dmcgrew/draft-mcgrew-auth- >>>> enc-00.txt >>>> >>>> Authenticated Encryption (draft-mcgrew-auth-enc-00.txt) >>>> >>>> Abstract. This draft defines algorithms for authenticated >> encryption >>>> with additional authenticated data (AEAD), and defines a uniform >>>> interface and a registry for such algorithms. The interface and >>>> registry can be used as an application independent set of >>>> cryptoalgorithm suites. This approach provides advantages in >>>> efficiency and security, and promotes the reuse of crypto >>>> implementations. >>> >>> Hi, David - That looks very interesting, but I have a few comments. >>> >>> As a general philosophical point, I am not sure that the name >>> "authenticated encryption" accurately defines the security >> properties >>> for the lay reader. He may think it means that there is >> authenticity >>> that the message came from a particular sender, for >> example. Recently >>> I have been involved with some disk encryption work which uses >>> authenticated encryption. In this context, it only means that the >>> authenticated data was written to the sector at some time >> in the past. >>> It doesn't guarantee that what you read from the disk is what was >>> written there, when you are reading multiple sectors at >> once (each of >>> which has its own tag, and each of which might have been >> rolled back >>> differently by an attacker). So I think you might want to say >>> something in more detail about the security properties this >> encryption >>> aims to meet, and perhaps mention some caveats about >> attacks that are >>> still possible even with AEAD. >>> >>> In a lot of ways, I think that AEAD is better thought of simply as >>> providing confidentiality, and nothing more. The purpose of the >>> "authentication" is to improve the confidentiality guarantee, by >>> preventing active attacks like chosen ciphertext. Without >> it, many of >>> our encryption modes do not provide confidentiality against a >>> sufficiently powerful attacker. >> >> That's a great point. > > I don't entirely agree - AEAD does give you something more than > confidentiality; it gives the guarantee that the data was encrypted by > someone who has the key (and with that exact additional data). In the draft I didn't make the point that authentication helps to achieve confidentiality goals - I should have though. Since most users understand confidentiality, but many may not appreciate the importance of authentication/integrity, this consideration is worth stating. That's what I'd meant. > Now, as Hal > has pointed out, in some scenarios, this can be less than what > someone who > hears "authentication" may expect (and so perhaps "integrity" would > be a > better term). However, this is something that can be spelled out, > rather > than just letting the user assume that this doesn't provide any > sort of > integrity assurance. I agree, adding definitions would be the best way to go. David _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft Greg Rose
- Re: [Cfrg] new authenticated encryption draft Ted Krovetz
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Scott Fluhrer
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- RE: [Cfrg] new authenticated encryption draft Santosh Chokhani
- Re: [Cfrg] new authenticated encryption draft Ken Raeburn
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- RE: [Cfrg] new authenticated encryption draft Blumenthal, Uri
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Doug Whiting
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- RE: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft Phillip Rogaway
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- [Cfrg] AES-based key derivation David McGrew