Re: [Cfrg] RFC 5297 and absent vs. zero-length nonces
Dan Harkins <dharkins@lounge.org> Fri, 24 February 2017 02:09 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9BCA12948A for <cfrg@ietfa.amsl.com>; Thu, 23 Feb 2017 18:09:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DjgD41gYjSVt for <cfrg@ietfa.amsl.com>; Thu, 23 Feb 2017 18:08:59 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id D5E91129488 for <cfrg@irtf.org>; Thu, 23 Feb 2017 18:08:59 -0800 (PST)
Received: from thinny.local (69-12-173-8.static.dsltransport.net [69.12.173.8]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by colo.trepanning.net (Postfix) with ESMTPSA id A818BA888004 for <cfrg@irtf.org>; Thu, 23 Feb 2017 18:08:59 -0800 (PST)
To: cfrg@irtf.org
References: <CAJm83bB22+9L3Rcn43hyDuGx1=ncse5cLYCm+dAP9hCPqnd8Hw@mail.gmail.com>
From: Dan Harkins <dharkins@lounge.org>
Message-ID: <288933e2-c982-1761-9b14-3b6215978bb6@lounge.org>
Date: Thu, 23 Feb 2017 18:08:57 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <CAJm83bB22+9L3Rcn43hyDuGx1=ncse5cLYCm+dAP9hCPqnd8Hw@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/UIZnotCX6Yf5sjYVxDCHXQX7Nbc>
Subject: Re: [Cfrg] RFC 5297 and absent vs. zero-length nonces
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2017 02:09:01 -0000
Hi Daniel, On 2/23/17 3:12 PM, Daniel Franke wrote: > The IANA considerations section of RFC 5297 (Synthetic Initialization > Vector (SIV) Authenticated Encryption Using the Advanced Encryption > Standard (AES)) gives N_MIN as 1. However, S2V is perfectly capable of > accepting zero-length arguments. Furthermore, passing a zero-length > argument to S2V is distinct from not passing that argument at all (as > done in the case deterministic encryption). How should an > implementation behave when provided with a zero-length nonce? The registry that RFC 5297 updated with its IANA Considerations was created by RFC 5116 to specify parameters for nonce-based AEAD modes. So when using RFC 5297 through that interface you're saying you want to use a nonce. RFC 5297 places the most minimal of requirements on such use: N_MIN of 1 octet. The registry does not say what to do if someone tries to use the mode in a way that is not defined for the registry so officially I don't know what the answer is. We can evaluate your suggestions though. (As an example, AES-GCM can take a nonce of 16 octets but the registry makes N_MIN = N_MAX = 12. What do you do if you send 16 octets to AES-GCM through this interface? Got me.) > Should it return an error, since its length is under N_MIN? That would seem like the prudent thing to do since it is in violation of the registry parameters. > > Should it pass it along to S2V just like any other nonce input? Since the registry mandates N_MIN as 1 then passing a zero length nonce "just like any other nonce input" seems wrong. So I'd say don't do that. > > Or should it treat this as a request for deterministic encryption and > not pass any nonce to S2V? Well the registry is not for deterministic encryption so I would say using it that way is not appropriate and would not think this is correct. Seems to me that if you want to use AES-SIV (or any of the AEAD modes from RFC 5116) in a way that is not defined by RFC 5116 then use them through some raw interface and not the constrained one created by RFC 5116. You'll note that the RFC 5116 interface also assumes that all AAD is a single blob and does not support AES-SIV's vector of AAD. What do you do with this registry if you need/want to pass a vector of AAD to AES-SIV? Well, I'd say you don't use this registry as your interface. Hope this helps, Dan.
- [Cfrg] RFC 5297 and absent vs. zero-length nonces Daniel Franke
- Re: [Cfrg] RFC 5297 and absent vs. zero-length no… Dan Harkins
- Re: [Cfrg] RFC 5297 and absent vs. zero-length no… David McGrew (mcgrew)
- Re: [Cfrg] RFC 5297 and absent vs. zero-length no… Daniel Franke
- Re: [Cfrg] RFC 5297 and absent vs. zero-length no… Dan Harkins