IETF Logo Mail Archive

Re: [Cfrg] new authenticated encryption draft

David McGrew <mcgrew@cisco.com> Mon, 28 August 2006 21:29 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHofg-000050-Uf; Mon, 28 Aug 2006 17:29:28 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHofg-00004v-B4 for cfrg@ietf.org; Mon, 28 Aug 2006 17:29:28 -0400
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GHofe-0000yr-T6 for cfrg@ietf.org; Mon, 28 Aug 2006 17:29:28 -0400
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-6.cisco.com with ESMTP; 28 Aug 2006 14:29:26 -0700
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-2.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k7SLTQXr001434; Mon, 28 Aug 2006 14:29:26 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id k7SLTQQX020147; Mon, 28 Aug 2006 14:29:26 -0700 (PDT)
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 28 Aug 2006 14:29:26 -0700
Received: from [192.168.1.100] ([10.32.254.211]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 28 Aug 2006 14:29:25 -0700
In-Reply-To: <f207274d0608221905t2797ca6ew2a769dd5d9e3d410@mail.gmail.com>
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com> <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com> <p06230910c10e98a55c4c@10.30.1.9> <f207274d0608221905t2797ca6ew2a769dd5d9e3d410@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <3D640F53-58F3-4AE4-AEFC-145BBD9BC9A0@cisco.com>
Content-Transfer-Encoding: 7bit
From: David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] new authenticated encryption draft
Date: Mon, 28 Aug 2006 14:29:23 -0700
To: John Wilkinson <wilkjohn@gmail.com>
X-Mailer: Apple Mail (2.752.2)
X-OriginalArrivalTime: 28 Aug 2006 21:29:25.0860 (UTC) FILETIME=[0948E240:01C6CAE9]
DKIM-Signature: a=rsa-sha1; q=dns; l=4057; t=1156800566; x=1157664566; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:David=20McGrew=20<mcgrew@cisco.com> |Subject:Re=3A=20[Cfrg]=20new=20authenticated=20encryption=20draft; X=v=3Dcisco.com=3B=20h=3DbEwS0oJgdOC6R0v1cvsFzhF5aNU=3D; b=J3s58ZtO2tL803SVOiYHWiDYLfKqN/rit5bGBB5IYe9eW0RcWPySZ+LIsT+bfptb2Z5soWft j/ENjF5a5gyoN5HVhDZWtxs6r6m5wiEEnoIO7KBCu0z2dd79br350edS;
Authentication-Results: sj-dkim-2.cisco.com; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b7b9551d71acde901886cc48bfc088a6
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org

Hi John,

On Aug 22, 2006, at 7:05 PM, John Wilkinson wrote:
>
> David, while I've only briefly skimmed your draft, Hal and Gregg's
> comments make me wonder about the way you're treating IVs in your
> specification.

I've heard from others that the motivation for why IVs are handled in  
the document is not clear.  Thanks for your comments; I clearly have  
more explaining to do :-)

> Why do you feel that IVs must be an _output_ of the
> encryption algorithm, rather than a purely internal value?

There is a rationale given in Section 2, but I'll try to amplify it -  
here's a rewrite of that part.  Please let me know what you think.

<new>
Rationale.  Proper IV generation is a crucial for security, and the  
requirements on how IVs are generated are different for different  
algorithms.  By making the IV an output of the AEAD algorithm rather  
than an input, the IV is put under the control of that algorithm.   
This use of the 'information hiding' design principle frees the user  
from needing to understand the particulars of IV generation, thus  
making the interface easier to use correctly.  Also, because IV  
generation is a security-critical operation, it makes sense to  
include it with the algorithm, which will typically be implemented in  
a crypto module.  Including IV generation in this module makes it  
more self-contained and easier to test and to validate.

Several security issues have arisen due to improper use of block  
cipher modes of operation.  Several standards have suggested  
incorrect uses of cipher block chaining (CBC) encryption (e.g. using  
a previous ciphertext block as an IV, which allows an adversary to  
predict the IV).  Modes that require distinct IVs, such as counter  
mode, are especially sensitive to misuse of IVs, which can void the  
security services that they provide.  Giving the AEAD algorithm the  
responsibility for generating its own IV helps to avoid these  
security issues.
</new>

> Further,
> what, exactly, do you mean by the requirement that "A deterministic
> AEAD encryption algorithm MUST accept an additional input, and that
> value [the IV contribution] MUST be included _verbatim_ [emphasis
> added] in the IV."

Several crypto algorithms, including CCM and GCM as used in ESP, form  
their IVs by prepending a value that is fixed (for the lifetime of  
the key) to a sequence number that increments once per packet.  The  
IV contribution is needed in order to support these algorithms, and  
it is needed in order to allow CTR-based modes (like CCM, GCM, and  
EAX) to be useable in a situation in which there are multiple devices  
doing encryption with a single key.  The IV contribution provides a  
place within which each encryptor can put a distinct value, to ensure  
that the IVs are distinct over all uses of that key.

>
> It seems to me that it would be a better abstraction of the AEAD
> mechanism if the IV is used purely internally to the algorithm, so
> that the only input required is a nonce, and that the same nonce is
> used for encryption and decryption.

Here we've gotten stuck on the terminological thicket.  What you're  
calling a nonce is what the draft calls an IV.  I should add  
definitions I guess.

> Furthermore, the requirement that
> the "IV contribution" must be used "verbatim" in the IV could be read
> to exclude, for example, Bellare, Rogaway, and Wagner's EAX mode. EAX
> uses a user-supplied nonce, which may be of any length, and computes a
> MAC on this nonce to generate the initial counter for counter-mode
> encryption.
>

The GCM mode of operation has the same property (it will accept an IV  
of any length, though it is optimized to handle 96-bit IVs).   
However, there does not seem to be any significant use for this  
facility in practice, so I decided to use a simpler and more  
consistent interface for the AEAD algorithms.  EAX could certainly be  
added, but obviously we'd need to mandate a particular IV format.

David

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email