IETF Logo Mail Archive

Re: [Cfrg] Streaming AEAD

"Manger, James" <James.H.Manger@team.telstra.com> Wed, 19 February 2014 03:59 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEE681A0309 for <cfrg@ietfa.amsl.com>; Tue, 18 Feb 2014 19:59:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.398
X-Spam-Level:
X-Spam-Status: No, score=0.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, J_CHICKENPOX_51=0.6, RCVD_IN_DNSWL_NONE=-0.0001, RELAY_IS_203=0.994] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bMmHqM8duU-f for <cfrg@ietfa.amsl.com>; Tue, 18 Feb 2014 19:59:29 -0800 (PST)
Received: from ipxbno.tcif.telstra.com.au (ipxbno.tcif.telstra.com.au [203.35.82.204]) by ietfa.amsl.com (Postfix) with ESMTP id 740001A0253 for <cfrg@irtf.org>; Tue, 18 Feb 2014 19:59:27 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.97,503,1389704400"; d="scan'208";a="173714182"
Received: from unknown (HELO ipccni.tcif.telstra.com.au) ([10.97.216.208]) by ipobni.tcif.telstra.com.au with ESMTP; 19 Feb 2014 14:59:22 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,7353"; a="206725203"
Received: from wsmsg3701.srv.dir.telstra.com ([172.49.40.169]) by ipccni.tcif.telstra.com.au with ESMTP; 19 Feb 2014 14:59:22 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3701.srv.dir.telstra.com ([172.49.40.169]) with mapi; Wed, 19 Feb 2014 14:59:22 +1100
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: David McGrew <mcgrew@cisco.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Wed, 19 Feb 2014 14:59:22 +1100
Thread-Topic: [Cfrg] Streaming AEAD
Thread-Index: Ac8srJnO7Rln+NoxRjmK3WO8lKFQvAAbzG0g
Message-ID: <255B9BB34FB7D647A506DC292726F6E1153B6AA83D@WSMSG3153V.srv.dir.telstra.com>
References: <9A043F3CF02CD34C8E74AC1594475C7372375D64@uxcn10-tdc06.UoA.auckland.ac.nz> <53035EC7.8010607@cisco.com>
In-Reply-To: <53035EC7.8010607@cisco.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/PYTKKXFtM_FB4jigWJtEHGiqxgA
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Streaming AEAD
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2014 03:59:31 -0000

> >> What is needed is a way to use an AEAD algorithm to secure a message in
> >> chunks. Streaming-AEAD would allow a recipient to know they have received an
> >> authentic prefix of a message. It would allow crypto APIs to support
> >> streaming modes while never returning unauthentic plaintext.

> > I think the means of doing this is going to be protocol-specific, since it
> > depends on the PDU format being used.

Not necessarily.
I was thinking we could define a new alg identifier such as
"AEAD_AES_128_OCB_TAGLEN96/10K", meaning OCB on 10 KB chunks.
Once the 10228th byte (10KB - 96 bits) of plaintext is streamed
to the encrypt function, it finishes the first AEAD operation and
inserts a 96-bit tag into the ciphertext. A decryption function
caches the ciphertext it is streamed until it reaches a 10KB
boundary then it returns 10228 bytes of plaintext.

An app sees a different alg id, but doesn't need to notice that
the ciphertext PDU is actually ct tag ct tag ct tag...
[It might need to know which nonces have been used internally though!]


> I think that's right.   It still makes sense to consider what should be
> going on above the AEAD layer, in a generic sense.
> 
> > For things like SSL/TLS and SSH the
> > problem is already solved since data amounts are quantised to the
> protocol
> > data packet size,
> 
> I hope that's right.   I am not sure that SSL/TLS implementers would be
> comfortable if they could never use the decryptUpdate function though.
> 
> > for store-and-forward protocols like PGP and S/MIME you'd
> > need to add a mechanism for it in a PGP/SMIME-specific manner, but
> then you'd
> > also need to figure out how to communicate it to the other side...
> and then
> > you're back to relying on ad-hoc mechanisms.
> >
> > When I had to do this years ago I used something like:
> >
> > len1 || data1 || h1 = HMAC( len1 || data1 ),
> > len2 || data2 || h2 = HMAC( h1 || len2 || data2 ),
> > len3 || data3 || h3 = HMAC( h2 || len3 || data3 ),
> > ...
> >
> > A length of 0 indicated end-of-contents.
> 
> Interesting, is there a writeup?


So for packetizing plaintext for ~AEAD chunks:
* TLS puts a sequence number in the AAD;
* Peter (sort of) puts a tag for the previous prefix in the AAD;
* I suggested using sequential nonces and a start/middle/end flag;
* AERO hides the details in state;
* Pipelineable On-Line Encryption randomizes unauthentic plaintext.


My only concern with putting state (eg sequence number, byte count, previous hash) into AAD is that you need something at a higher layer to ensure that AEAD(X||Y,P) is always interpreted as "chunk mode with state=X, user-provided-AAD=Y", and never as "non-chunk mode with user-provided-AAD=X||Y". You probably cannot safely use 1 key in chunk and non-chunk modes.

--
James Manger

v2.23.0 | Report a Bug | By Email