Re: [Cfrg] new authenticated encryption draft
David McGrew <mcgrew@cisco.com> Mon, 28 August 2006 21:29 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHofg-000050-Uf; Mon, 28 Aug 2006 17:29:28 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHofg-00004v-B4 for cfrg@ietf.org; Mon, 28 Aug 2006 17:29:28 -0400
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GHofe-0000yr-T6 for cfrg@ietf.org; Mon, 28 Aug 2006 17:29:28 -0400
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-6.cisco.com with ESMTP; 28 Aug 2006 14:29:26 -0700
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-2.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k7SLTQXr001434; Mon, 28 Aug 2006 14:29:26 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id k7SLTQQX020147; Mon, 28 Aug 2006 14:29:26 -0700 (PDT)
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 28 Aug 2006 14:29:26 -0700
Received: from [192.168.1.100] ([10.32.254.211]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 28 Aug 2006 14:29:25 -0700
In-Reply-To: <f207274d0608221905t2797ca6ew2a769dd5d9e3d410@mail.gmail.com>
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com> <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com> <p06230910c10e98a55c4c@10.30.1.9> <f207274d0608221905t2797ca6ew2a769dd5d9e3d410@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <3D640F53-58F3-4AE4-AEFC-145BBD9BC9A0@cisco.com>
Content-Transfer-Encoding: 7bit
From: David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] new authenticated encryption draft
Date: Mon, 28 Aug 2006 14:29:23 -0700
To: John Wilkinson <wilkjohn@gmail.com>
X-Mailer: Apple Mail (2.752.2)
X-OriginalArrivalTime: 28 Aug 2006 21:29:25.0860 (UTC) FILETIME=[0948E240:01C6CAE9]
DKIM-Signature: a=rsa-sha1; q=dns; l=4057; t=1156800566; x=1157664566; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:David=20McGrew=20<mcgrew@cisco.com> |Subject:Re=3A=20[Cfrg]=20new=20authenticated=20encryption=20draft; X=v=3Dcisco.com=3B=20h=3DbEwS0oJgdOC6R0v1cvsFzhF5aNU=3D; b=J3s58ZtO2tL803SVOiYHWiDYLfKqN/rit5bGBB5IYe9eW0RcWPySZ+LIsT+bfptb2Z5soWft j/ENjF5a5gyoN5HVhDZWtxs6r6m5wiEEnoIO7KBCu0z2dd79br350edS;
Authentication-Results: sj-dkim-2.cisco.com; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b7b9551d71acde901886cc48bfc088a6
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
Hi John, On Aug 22, 2006, at 7:05 PM, John Wilkinson wrote: > > David, while I've only briefly skimmed your draft, Hal and Gregg's > comments make me wonder about the way you're treating IVs in your > specification. I've heard from others that the motivation for why IVs are handled in the document is not clear. Thanks for your comments; I clearly have more explaining to do :-) > Why do you feel that IVs must be an _output_ of the > encryption algorithm, rather than a purely internal value? There is a rationale given in Section 2, but I'll try to amplify it - here's a rewrite of that part. Please let me know what you think. <new> Rationale. Proper IV generation is a crucial for security, and the requirements on how IVs are generated are different for different algorithms. By making the IV an output of the AEAD algorithm rather than an input, the IV is put under the control of that algorithm. This use of the 'information hiding' design principle frees the user from needing to understand the particulars of IV generation, thus making the interface easier to use correctly. Also, because IV generation is a security-critical operation, it makes sense to include it with the algorithm, which will typically be implemented in a crypto module. Including IV generation in this module makes it more self-contained and easier to test and to validate. Several security issues have arisen due to improper use of block cipher modes of operation. Several standards have suggested incorrect uses of cipher block chaining (CBC) encryption (e.g. using a previous ciphertext block as an IV, which allows an adversary to predict the IV). Modes that require distinct IVs, such as counter mode, are especially sensitive to misuse of IVs, which can void the security services that they provide. Giving the AEAD algorithm the responsibility for generating its own IV helps to avoid these security issues. </new> > Further, > what, exactly, do you mean by the requirement that "A deterministic > AEAD encryption algorithm MUST accept an additional input, and that > value [the IV contribution] MUST be included _verbatim_ [emphasis > added] in the IV." Several crypto algorithms, including CCM and GCM as used in ESP, form their IVs by prepending a value that is fixed (for the lifetime of the key) to a sequence number that increments once per packet. The IV contribution is needed in order to support these algorithms, and it is needed in order to allow CTR-based modes (like CCM, GCM, and EAX) to be useable in a situation in which there are multiple devices doing encryption with a single key. The IV contribution provides a place within which each encryptor can put a distinct value, to ensure that the IVs are distinct over all uses of that key. > > It seems to me that it would be a better abstraction of the AEAD > mechanism if the IV is used purely internally to the algorithm, so > that the only input required is a nonce, and that the same nonce is > used for encryption and decryption. Here we've gotten stuck on the terminological thicket. What you're calling a nonce is what the draft calls an IV. I should add definitions I guess. > Furthermore, the requirement that > the "IV contribution" must be used "verbatim" in the IV could be read > to exclude, for example, Bellare, Rogaway, and Wagner's EAX mode. EAX > uses a user-supplied nonce, which may be of any length, and computes a > MAC on this nonce to generate the initial counter for counter-mode > encryption. > The GCM mode of operation has the same property (it will accept an IV of any length, though it is optimized to handle 96-bit IVs). However, there does not seem to be any significant use for this facility in practice, so I decided to use a simpler and more consistent interface for the AEAD algorithms. EAX could certainly be added, but obviously we'd need to mandate a particular IV format. David _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft Greg Rose
- Re: [Cfrg] new authenticated encryption draft Ted Krovetz
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Scott Fluhrer
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- RE: [Cfrg] new authenticated encryption draft Santosh Chokhani
- Re: [Cfrg] new authenticated encryption draft Ken Raeburn
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- RE: [Cfrg] new authenticated encryption draft Blumenthal, Uri
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Doug Whiting
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- RE: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft Phillip Rogaway
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- [Cfrg] AES-based key derivation David McGrew