Re: [Cfrg] New Version Notification for draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Fri, 14 February 2014 16:05 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>, David McGrew <mcgrew@cisco.com>
Thread-Topic: [Cfrg] New Version Notification for draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt
Thread-Index: AQHPKR2AMowJILlEpU6kpyJ17BmcC5qz6vuAgAAPRoCAAJz1gIAAUNgAgAAB//A=
Date: Fri, 14 Feb 2014 16:04:51 +0000
Message-ID: <576bd01af523476da616b6d8fc20111f@DB4PR03MB377.eurprd03.prod.outlook.com>
References: <20140214004117.27381.4308.idtracker@ietfa.amsl.com> <52FD6815.70402@cisco.com> <CACsn0ckjNvq1=k3krVt9sK6fCtWwCv+8XkJWJiqxn-Qg=1Rq_g@mail.gmail.com> <52FDF88F.3040209@cisco.com> <CACsn0cmKsLGOp9+n9o42B9_qWxN-bcr2MdzHCdWWEoGz3Se5Lw@mail.gmail.com>
In-Reply-To: <CACsn0cmKsLGOp9+n9o42B9_qWxN-bcr2MdzHCdWWEoGz3Se5Lw@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/UJPQj6vcJqtJo_5SrejTuiI4j-U
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] New Version Notification for draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Watson,

Yes, that proof idea should work out.

It’s related to the proof for AES-CCM by Jonsson (this scheme uses CBC-MAC on top of CTR mode; the same issue about avoiding colliding counters/CBC chaining variable crops up there too): http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/ccm-ad1.pdf

Cheers,

Kenny

From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Watson Ladd
Sent: 14 February 2014 15:55
To: David McGrew
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] New Version Notification for draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt



On Fri, Feb 14, 2014 at 3:05 AM, David McGrew <mcgrew@cisco.com> wrote:
On 02/13/2014 08:44 PM, Watson Ladd wrote:


On Thu, Feb 13, 2014 at 4:49 PM, David McGrew <mcgrew@cisco.com> wrote:
Hi,

the latest version of this draft is out.  Thanks are due to Jim Schaad and Rob Napier for their feedback on version 02.

The goals of this draft are to provide an authenticated encryption scheme suitable for use in those cases where CBC and HMAC are available, but no dedicated AE schemes are available.   Also, it doesn't require deterministic nonces, which itself is useful in some situations.

It might be nice to add a description of how IVs can be pseudorandomly generated.   It would be especially useful to generate the IV using the same key as used for encryption, with an unpredictable counter, or something like that.   Is anyone aware of a security proof that could be cited for that sort of technique?   I think that some systems would have a much easier time maintaining a counter than they would generating truly random IVs, which is reasonable motivation in my opinion.   Glad to hear other thoughts on this subject.

Doesn't the usual PRF definition give you exactly this?

Yes; the only tricky bit is showing that using the CBC encryption key to generate pseudorandom IVs doesn't affect CBC encryption security.   I'm sure that it can be done securely, but I don't know of a proof of security (for using a single key for both CBC and to generate IVs) that I can point to.

Okay, I didn't realize we needed a single key. Then I think the following proof works, but I don't know how strong the result is. Replace the PRP with a PRF by Bernstein's lemma. Then so long as we've never encrypted a block equal to the counter, life is good. Show this can't happen with more than negligible probability for the ideal PRF. Conclude that an attacker who breaks the scheme turns into one who can distinguish the PRF from an ideal PRF with some loss.

Sincerely,
Watson Ladd

David

David

--

A new version of I-D, draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt
has been successfully submitted by David McGrew and posted to the
IETF repository.

Name:           draft-mcgrew-aead-aes-cbc-hmac-sha2
Revision:       03
Title:          Authenticated Encryption with AES-CBC and HMAC-SHA
Document date:  2014-02-13
Group:          Individual Submission
Pages:          29
URL:            http://www.ietf.org/internet-drafts/draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt
Status:         https://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/
Htmlized:       http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-03
Diff:           http://www.ietf.org/rfcdiff?url2=draft-mcgrew-aead-aes-cbc-hmac-sha2-03

Abstract:
   This document specifies algorithms for authenticated encryption with
   associated data (AEAD) that are based on the composition of the
   Advanced Encryption Standard (AES) in the Cipher Block Chaining (CBC)
   mode of operation for encryption, and the HMAC-SHA message
   authentication code (MAC).

   These are randomized encryption algorithms, and thus are suitable for
   use with applications that cannot provide distinct nonces to each
   invocation of the AEAD encrypt operation.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat





_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
http://www.irtf.org/mailman/listinfo/cfrg



--
"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
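The IV-from-counter construction that David asks about and that Watson's proof sketch analyses, as an added example written for this page; it is not code from the draft, from any of the participants, or from any library. It derives IV = AES_K(ctr) under the very CBC encryption key K, seals with encrypt-then-MAC, and exposes a `badEvent` check that enumerates the blocks CBC actually feeds to AES_K (P_1 xor IV, P_2 xor C_1, ...) and reports whether any of them coincides with a counter block that has already been used for an IV. That coincidence is exactly the event Watson's argument has to bound: when it occurs, a ciphertext block equals an IV the adversary has already seen. Everything about the layout is an assumption made here, not taken from the draft: the counter occupies the low 8 bytes of a zero block, the 32-byte key splits as MAC key || encryption key, the MAC covers aad || iv || ciphertext || AL (AL is the 64-bit big-endian bit length of aad) and is truncated to 16 bytes, and padding is omitted, so plaintexts must be whole AES blocks.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const bs = aes.BlockSize // 16 bytes

// counterBlock encodes a 64-bit message counter as one AES input block
// (assumed layout: high 8 bytes zero, counter big-endian in the low 8 bytes).
func counterBlock(ctr uint64) []byte {
	b := make([]byte, bs)
	binary.BigEndian.PutUint64(b[8:], ctr)
	return b
}

// deriveIV is the technique under discussion: IV = AES_K(ctr) under the same
// key K that CBC uses, so the sender only keeps a never-repeating counter.
func deriveIV(enc cipher.Block, ctr uint64) []byte {
	iv := make([]byte, bs)
	enc.Encrypt(iv, counterBlock(ctr))
	return iv
}

// cbcInputs lists the blocks CBC feeds to AES_K: P_1^IV, P_2^C_1, ...
// The proof sketch needs each of these to differ from every counter block.
func cbcInputs(iv, pt, ct []byte) [][]byte {
	prev, inputs := iv, [][]byte{}
	for i := 0; i < len(pt); i += bs {
		in := make([]byte, bs)
		for j := range in { in[j] = pt[i+j] ^ prev[j] }
		inputs = append(inputs, in)
		prev = ct[i : i+bs]
	}
	return inputs
}

// badEvent reports whether some CBC input equals a counter block in [0, maxCtr].
// If it does, the matching ciphertext block equals an already-issued IV.
func badEvent(iv, pt, ct []byte, maxCtr uint64) bool {
	for _, in := range cbcInputs(iv, pt, ct) {
		if binary.BigEndian.Uint64(in[:8]) == 0 && binary.BigEndian.Uint64(in[8:]) <= maxCtr {
			return true
		}
	}
	return false
}

// tagFor: HMAC-SHA-256 over aad || iv || ct || AL, truncated to 16 bytes.
// AL is the bit length of aad as a 64-bit big-endian integer (assumed layout).
func tagFor(macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	h := hmac.New(sha256.New, macKey)
	for _, p := range [][]byte{aad, iv, ct, al} { h.Write(p) }
	return h.Sum(nil)[:16]
}

// Seal: encrypt-then-MAC with key = macKey(16) || encKey(16); output iv||ct||tag.
// ctr must never repeat under this key. Plaintext must be whole blocks (no padding here).
func Seal(key []byte, ctr uint64, aad, pt []byte) ([]byte, error) {
	if len(key) != 32 || len(pt) == 0 || len(pt)%bs != 0 {
		return nil, errors.New("key must be 32 bytes and plaintext a non-empty multiple of 16")
	}
	enc, _ := aes.NewCipher(key[16:]) // 16-byte key, so NewCipher cannot fail
	iv := deriveIV(enc, ctr)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(enc, iv).CryptBlocks(ct, pt)
	out := append(append([]byte{}, iv...), ct...)
	return append(out, tagFor(key[:16], aad, iv, ct)...), nil
}

// Open verifies the tag in constant time before decrypting anything.
func Open(key, aad, sealed []byte) ([]byte, error) {
	if len(key) != 32 || len(sealed) < 3*bs || (len(sealed)-2*bs)%bs != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	iv, ct, tag := sealed[:bs], sealed[bs:len(sealed)-16], sealed[len(sealed)-16:]
	if !hmac.Equal(tag, tagFor(key[:16], aad, iv, ct)) {
		return nil, errors.New("authentication failed")
	}
	enc, _ := aes.NewCipher(key[16:])
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(enc, iv).CryptBlocks(pt, ct)
	return pt, nil
}
```

Triggering `badEvent` on purpose requires choosing P_1 = counterBlock(n) xor IV_m for the counter m about to be used, i.e. knowing AES_K(m) before it is released; an adversary who only sees past IVs cannot do that, which is why the event has negligible probability when AES_K behaves as a PRF, as Watson's sketch relies on. With the event excluded, each CBC input is fresh and the counter-derived IV is indistinguishable from a random one.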