Re: [Cfrg] misuse-resistant AEAD (was: Re: CFRG and thwarting pervasive montoring)
Watson Ladd <watsonbladd@gmail.com> Thu, 02 January 2014 22:26 UTC
In-Reply-To: <2fe7d8ceead7a52aa4ae61585b9ea932.squirrel@www.trepanning.net>
References: <CAGZ8ZG2f9QHX40RcB8aajWvEfG0Gh_uewu2Rq7bQGHYNx6cOmw@mail.gmail.com> <52C07436.2040709@cs.tcd.ie> <04C32948-02A2-44F4-B4C1-CF29D4146715@vpnc.org> <CEE6FEE3.2B330%paul@marvell.com> <52C57FB4.2050102@cisco.com> <CACsn0c=fykhhwCF3P24CC4gneo8W5NJFE42-dZf2iotQ0Pmfvw@mail.gmail.com> <2fe7d8ceead7a52aa4ae61585b9ea932.squirrel@www.trepanning.net>
Date: Thu, 02 Jan 2014 17:26:21 -0500
Message-ID: <CACsn0c=2uPuiWiO5qJH0s=8YD1_OuScU0yEdfiNojygq3H-h4Q@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Cc: David McGrew <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
On Thu, Jan 2, 2014 at 5:06 PM, Dan Harkins <dharkins@lounge.org> wrote:
>
> On Thu, January 2, 2014 7:31 am, Watson Ladd wrote:
>> On Jan 2, 2014 10:03 AM, "David McGrew" <mcgrew@cisco.com> wrote:
>>>
>>> Hi Paul,
>>>
>>> On 12/30/2013 02:06 PM, Paul Lambert wrote:
>>>>
>>>> In the past I've never considered CFRG a viable discussion forum for
>>>> making an impact by creating or approving new algorithms … but if it
>>>> is:
>>>>
>>>> We need an 'approved' nonce-insensitive AEAD algorithm.
>>>>
>>>> I'm designing multicast communications in a mesh topology and CCM and
>>>> GCM suffer from N^2 complexity (since they require unique nonce/key).
>>>> Yes … there are ways that some link proposals like 802.1ae mitigate
>>>> the issue using device addresses as part of the key setup. The best
>>>> solution is a nonce-insensitive AEAD.
>>>
>>> I agree. The best solution would be an authenticated encryption
>>> algorithm that did not require a nonce as input. An alternative which
>>> is not quite as good would be an algorithm that requires a nonce as
>>> input, but which has security that suffers only a minimal degradation
>>> if nonces are repeated.
>>
>> Already exists: it's called CBC mode with HMAC. IVs are random and can
>> repeat.
>
> There are still security sensitive requirements on IVs in CBC mode.
> Namely, they have to be unpredictable to the attacker. That problem does
> not exist with SIV. The nonce is completely arbitrary, it can be a
> counter, pseudo-random material, it can be partially derived, it can
> repeat or not.
>
> And as a formal AEAD construction SIV avoids the ad hoc nature in which
> CBC plus HMAC has been put together in the past. It also has a nice and
> fixed API for things like passing AAD as a vector of inputs.

CBC+HMAC is an instance of generic composition. So are GCM and
Chacha/Salsa/XSalsa/Poly1305. What sort of device can encrypt, but not use
a PRNG or count?

>
>>>> We already have an RFC for SIV which is deterministic and a decent
>>>> solution, but it is not 'NIST' approved, so I have problems
>>>> introducing it into consumer equipment. It's also a little slow … but
>>>> I'm not sure that efficiency should be the primary evaluation
>>>> criteria.
>>>
>>> All valid points. SIV shows that it is possible to have a
>>> misuse-resistant algorithm. It may not have all of the properties that
>>> one might want in an algorithm (for instance: more amenable to parallel
>>> processing), but it shows that we can achieve more robust security than
>>> nonce-based AEAD.
>>
>> Deterministic encryption leaks considerable information when used on
>> low-entropy messages. Nonce-reuse-resistant nonce-based MAC and
>> encryption algorithms exist today, namely CBC initialized with the
>> encryption of a counter and HMAC.
>
> With SIV, authenticity remains and the leakage is limited to knowledge
> that the plaintext equals a prior plaintext, and that is further
> constrained by the fact that it's the same plaintext plus the same AAD;
> if the AAD changes (due to a message header that encapsulates the
> encrypted blob being different) then there is no leakage.
>
> It really is the "swiss army knife" of crypto tools -- it slices, it
> dices, it provides misuse-resistant AEAD, it does key wrapping with AAD!
> (And it has a security proof behind it too).

It's wonderful, but slow as molasses: 2 AES passes, only 1 of which can be
parallelized. For the example of mesh networking it certainly has a place,
but I don't know if the security is really that great for that
application. For example, imagine a simple message format with (sender,
dest) as header and a temperature as the message. A mesh network passing
around temperature measurements will reveal a lot to a passive attacker:
remember temperatures are continuous, so all you need is whether the
direction of change is the same or different as before to see just about
everything.

Add a counter and everything is golden. But you need that counter. And if
you have a counter, nonce-based misuse-resistant AEAD is just fine, and
moreover can be done faster than SIV at the cost of leaking common
prefixes. Authenticity doesn't make sense with repeated nonces: all you get
is that the attacker cannot introduce new messages, but they can still
repeat old ones. This can be enough to have some fun.

> regards,
>
> Dan.

Sincerely,
Watson Ladd

--
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
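The leakage and replay points argued in the message above, as an added example that is not part of the original thread and is not RFC 5297 AES-SIV: the toy below keeps SIV's structure (a PRF over AAD and plaintext yields a synthetic IV that is also the tag, and that IV seeds a counter-mode keystream) but substitutes HMAC-SHA256 for AES-CMAC and an HMAC-derived keystream for AES-CTR, an assumption made so it runs with the Python standard library alone. The keys, the (sender, dest) header and the temperature readings are constructed for the demonstration. It shows that with a fixed header a passive observer with no key can see exactly which readings repeat, that binding a message counter into the AAD removes that, that tampering is still rejected, and that a replayed valid message is accepted until the receiver keeps a high-water mark on the counter.

```python
"""Toy SIV-style deterministic AEAD (HMAC stand-ins for AES-CMAC and AES-CTR).
Added example, not RFC 5297 code: tag = PRF(K1, AAD, P), C = P XOR KS(K2, tag),
so identical (AAD, P) always yields identical output."""
import hashlib
import hmac
import struct

TAG_LEN = 16


def _prf(key: bytes, *parts: bytes) -> bytes:
    """Length-prefixed MAC over several inputs (stand-in for S2V)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(struct.pack(">I", len(p)) + p)
    return h.digest()


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream seeded by the synthetic IV (stand-in for CTR)."""
    blocks = (n + 31) // 32
    return b"".join(
        hmac.new(key, iv + struct.pack(">Q", ctr), hashlib.sha256).digest()
        for ctr in range(blocks)
    )[:n]


def siv_encrypt(k1: bytes, k2: bytes, aad: bytes, pt: bytes) -> bytes:
    tag = _prf(k1, aad, pt)[:TAG_LEN]  # synthetic IV, also serves as the tag
    ks = _keystream(k2, tag, len(pt))
    return tag + bytes(a ^ b for a, b in zip(pt, ks))


def siv_decrypt(k1: bytes, k2: bytes, aad: bytes, msg: bytes) -> bytes:
    tag, ct = msg[:TAG_LEN], msg[TAG_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(k2, tag, len(ct))))
    if not hmac.compare_digest(tag, _prf(k1, aad, pt)[:TAG_LEN]):
        raise ValueError("authentication failed")
    return pt


def reading_aad(header: bytes, i: int, with_counter: bool) -> bytes:
    """AAD is the (sender, dest) header, optionally with a message counter."""
    return header + (struct.pack(">Q", i) if with_counter else b"")


def encrypt_readings(k1, k2, header, readings, with_counter):
    """Encrypt 16-bit temperature readings under one fixed header.
    with_counter=True is the 'add a counter' fix from the message."""
    return [
        siv_encrypt(k1, k2, reading_aad(header, i, with_counter), struct.pack(">h", t))
        for i, t in enumerate(readings)
    ]


def observe_repeats(ciphertexts):
    """Passive observer with no key: for each message, the index of the first
    earlier message with an identical ciphertext, or -1 if none."""
    seen, out = {}, []
    for i, c in enumerate(ciphertexts):
        out.append(seen.get(c, -1))
        seen.setdefault(c, i)
    return out


def receiver_accepts(k1, k2, header, msgs, track_counter):
    """msgs is a list of (counter, ciphertext). Forgeries are always rejected;
    replays of old valid messages get through unless the receiver keeps a
    per-sender high-water mark on the counter."""
    highest, out = -1, []
    for ctr, m in msgs:
        try:
            siv_decrypt(k1, k2, reading_aad(header, ctr, True), m)
        except ValueError:
            out.append(False)
            continue
        if track_counter and ctr <= highest:
            out.append(False)
            continue
        highest = max(highest, ctr)
        out.append(True)
    return out


if __name__ == "__main__":
    K1, K2 = b"\x01" * 32, b"\x02" * 32      # constructed demo keys
    HDR = b"sender=7;dest=3"                # constructed (sender, dest) header
    TEMPS = [200, 205, 205, 200, 210, 200]  # constructed readings, tenths of a degree
    print("no counter:  ", observe_repeats(encrypt_readings(K1, K2, HDR, TEMPS, False)))
    print("with counter:", observe_repeats(encrypt_readings(K1, K2, HDR, TEMPS, True)))
    msgs = list(enumerate(encrypt_readings(K1, K2, HDR, TEMPS, True)))
    replay = msgs + [msgs[0]]               # attacker re-sends message 0
    print("replay, no high-water mark:  ", receiver_accepts(K1, K2, HDR, replay, False))
    print("replay, with high-water mark:", receiver_accepts(K1, K2, HDR, replay, True))
```

The counter has to travel in the clear (here it is the tuple's first element) so the receiver can rebuild the AAD; the attacker learns only message ordering from it, which is the trade the message above accepts in exchange for losing the equality leak.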