Re: [CFRG] AES-CTR + HMAC-SHA-256 AEAD
Adam Langley <agl@imperialviolet.org> Fri, 12 March 2021 23:44 UTC
Return-Path: <alangley@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3860E3A0A69 for <cfrg@ietfa.amsl.com>; Fri, 12 Mar 2021 15:44:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.899
X-Spam-Level:
X-Spam-Status: No, score=-0.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, SUBJ_ALL_CAPS=0.5, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r5RSOfS6JB9E for <cfrg@ietfa.amsl.com>; Fri, 12 Mar 2021 15:44:50 -0800 (PST)
Received: from mail-qk1-f179.google.com (mail-qk1-f179.google.com [209.85.222.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACE643A0A3B for <cfrg@ietf.org>; Fri, 12 Mar 2021 15:44:50 -0800 (PST)
Received: by mail-qk1-f179.google.com with SMTP id l132so26185471qke.7 for <cfrg@ietf.org>; Fri, 12 Mar 2021 15:44:50 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XGIuS3KGvM9kPP7sZpSSgyC97R4jnAZW7oazyDcGFxU=; b=jpVGZ/0ARJZNKWEPrqlSvzF+3BoH48dWIvNcbqaWTV1vollbEAvKeUIWDa0s9fPx92 CQbwRdzXxtzibuR2M55QIXfDgtVJBV7RIGE+9evYdA7u2u6pKdh8za7MhYnf6T3gvUGX pBC40YXd5aprpBz669bsErKHfoDi/pxkopFxJgJRqw4j+7mhwms1vhqZ2qu8XoYepiO2 /M0EqYyLS0bv1mT8Jq8a81Qr/MBz7s58CCtTDNYEHs4Gt4j4Yzcemzpy35yEYp6zxIYw MevLwSaIuSZi7qEiOzQuBrouHNrGKtU61Op7fbyESMqeTlVInMIY2lHnuX10EJ5a7s6Z MDdw==
X-Gm-Message-State: AOAM5302ZWnlJ/Qth3PDKwgDDQ3q2ycTvFqD6dhuAiTiF5/BzOg9qw/t PqxjWUX75Oc+LoBmnOD7m0PSXVIADmEgP7KUP3UBZ4QlWXqmQA==
X-Google-Smtp-Source: ABdhPJyqNFkRlh2QTwmbZR6/PogUGEyhiVidUuKZ5v3I2SrwkbGqzXCFtXDomIJjt8MvMTbBMoW9367oBqp/pe8/s8A=
X-Received: by 2002:a05:620a:6d8:: with SMTP id 24mr4272817qky.322.1615592689684; Fri, 12 Mar 2021 15:44:49 -0800 (PST)
MIME-Version: 1.0
References: <5E976EFE-CF76-49CA-A02E-9189EB609988@ericsson.com>
In-Reply-To: <5E976EFE-CF76-49CA-A02E-9189EB609988@ericsson.com>
From: Adam Langley <agl@imperialviolet.org>
Date: Fri, 12 Mar 2021 15:44:38 -0800
Message-ID: <CAMfhd9UFJvQQOpz22CvuZ=thSqCeQkwtSCKiaH+spDB5N8OTLg@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005ed4ad05bd5f7cda"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/TiKxngfKzJh1Nh-hGbVw-zFUpLA>
Subject: Re: [CFRG] AES-CTR + HMAC-SHA-256 AEAD
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Mar 2021 23:44:52 -0000
On Fri, Mar 12, 2021 at 3:13 PM John Mattsson <john.mattsson= 40ericsson.com@dmarc.ietf.org> wrote: > Hi, > > In the CFRG chat today, Richard Barnes asked for reviews of > https://tools.ietf.org/html/draft-omara-sframe-01#section-4.5.1 > > I think standardizing an AES-CTR + HMAC-SHA-256 AEAD seems very useful. > The design in 4.5.1 looks very good. Some comments: > > - I think the nonce length Nn ciphersuite 1 and 2 should be 16. I don't > see any reason to not use 16 bytes radnomness/salt. > > - It looks like the frame counter CTR and the block counter collide, but > maybe I miss something. > > - I note that only the aad_len is authenticated, while GCM authenticated > both aad_len and ct_len. I don't know what is correct. > I don't know what AES-CM is. Is it AES-CTR? If so, isn't the AEAD authenticity completely broken because the nonce isn't involved in computing the tag? I.e. if an attacker corrupts the nonce in a (nonce, inner_ct, tag) tuple it looks like it'll decrypt "correctly" but the plaintext will be random because the counter will be wrong. When doing something similar <https://boringssl.googlesource.com/boringssl/+/6b48efac7b3b229c17cff55e5cfd9f9a0aea9b70/crypto/cipher_extra/e_aesctrhmac.c#126> I also padded the HMAC input after the AAD and lengths to avoid the overhead of phase-shifting all the ciphertext data when hashing it. Cheers AGL
- [CFRG] AES-CTR + HMAC-SHA-256 AEAD John Mattsson
- Re: [CFRG] AES-CTR + HMAC-SHA-256 AEAD Adam Langley
- Re: [CFRG] AES-CTR + HMAC-SHA-256 AEAD John Mattsson
- Re: [CFRG] AES-CTR + HMAC-SHA-256 AEAD Adam Langley
- Re: [CFRG] AES-CTR + HMAC-SHA-256 AEAD Nico Williams