IETF Logo Mail Archive

Re: [Cfrg] new authenticated encryption draft

David McGrew <mcgrew@cisco.com> Fri, 15 September 2006 16:14 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GOGL1-000366-TL; Fri, 15 Sep 2006 12:14:47 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GOGL0-00035F-90 for cfrg@ietf.org; Fri, 15 Sep 2006 12:14:46 -0400
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GOGKy-00060U-Q4 for cfrg@ietf.org; Fri, 15 Sep 2006 12:14:46 -0400
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-2.cisco.com with ESMTP; 15 Sep 2006 09:14:45 -0700
X-IronPort-AV: i="4.09,171,1157353200"; d="scan'208"; a="341614429:sNHT33137500"
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-1.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k8FGEiiH023151; Fri, 15 Sep 2006 09:14:44 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id k8FGEiQV027134; Fri, 15 Sep 2006 09:14:44 -0700 (PDT)
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Fri, 15 Sep 2006 09:14:43 -0700
Received: from [192.168.1.100] ([10.32.254.211]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 15 Sep 2006 09:14:42 -0700
In-Reply-To: <f207274d0609141837m28cf6400v7cc1a643275f8beb@mail.gmail.com>
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com> <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com> <p06230910c10e98a55c4c@10.30.1.9> <f207274d0608221905t2797ca6ew2a769dd5d9e3d410@mail.gmail.com> <3D640F53-58F3-4AE4-AEFC-145BBD9BC9A0@cisco.com> <f207274d0609011652m3bb76587xdd6cd9e1d3140e63@mail.gmail.com> <7BA4156B-14B4-4BB1-BEAD-2237F5B3834D@cisco.com> <f207274d0609111132w655f9b7er2e55c20e67973da5@mail.gmail.com> <1C7CA0AE-3BCC-437B-891F-0D2831BFBFBC@cisco.com> <f207274d0609141837m28cf6400v7cc1a643275f8beb@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <89EA334C-4D0C-4DD4-847E-D639E064187D@cisco.com>
Content-Transfer-Encoding: 7bit
From: David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] new authenticated encryption draft
Date: Fri, 15 Sep 2006 09:14:42 -0700
To: John Wilkinson <wilkjohn@gmail.com>
X-Mailer: Apple Mail (2.752.2)
X-OriginalArrivalTime: 15 Sep 2006 16:14:43.0186 (UTC) FILETIME=[0DC4FD20:01C6D8E2]
DKIM-Signature: a=rsa-sha1; q=dns; l=3122; t=1158336884; x=1159200884; c=relaxed/simple; s=sjdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:David=20McGrew=20<mcgrew@cisco.com> |Subject:Re=3A=20[Cfrg]=20new=20authenticated=20encryption=20draft; X=v=3Dcisco.com=3B=20h=3DbEwS0oJgdOC6R0v1cvsFzhF5aNU=3D; b=lhoVfJp9/4ZTJMKAJZm+fSK7IbtqAz+6urbptDc5ahImUc2IL7U7MHxcBy7ustLgS60zjHC6 7SpJkcaM7716ts/x/lCUy7u7Wnjl8AflqfcinNMaW2eWbDjL3Z8Pa9hP;
Authentication-Results: sj-dkim-1.cisco.com; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0fa76816851382eb71b0a882ccdc29ac
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org

Hi John,

On Sep 14, 2006, at 6:37 PM, John Wilkinson wrote:

> David,
>
> Can you point me to an existing randomized AEAD specification that
> might have a more detailed rationale its randomness?

EAX, for one.  It was an explicit design goal for that mode.

It is an aim for the AEAD draft to be useful in scenarios in which a  
secret key is stored over a long term, including challenge/response  
applications that use random nonces rather than sequence numbers for  
anti-replay protection.  Let me turn your question around: can you  
point me to an existing C/R protocol that uses unique IVs rather than  
random IVs?

> I'm having a hard
> time understanding why this is necessary. It seems to me that almost
> any device on a network will have some sort of unique identifier
> associated with it, e.g., a MAC or IP address. This could be used to
> guarantee a unique nonce as input to the AEAD algorithm.
>

Most network identifiers are not suitable for use in constructing  
nonces.  For example, IP addresses are not suitable because of  
network address translation (NAT) and DHCP, besides the fact that the  
address identifies an interface rather than a device.  Using a  
network identifier would also put part of the IV under the control of  
a system which may not provide high assurance about the distinctness  
of the IVs, which is not always acceptable.

> It seems to me that your specification allows two types of AEAD
> schemes that aren't interchangeable:
>
> 1) The deterministic AEAD schemes, which accept as input a nonce, and
> which have a redundant output--the IV.
>
> 2) The randomized AEAD schemes, which accept as input an "IV
> contribution" (which may be reused), and which have an internal source
> of randomness which is used to generate the IV, which is then returned
> to the user.
>
> I tend to think that the internal source of randomness required for
> the second class of schemes will be extremely difficult to design in a
> portable (between architectures) way. In fact, I can't think of any
> crypto specifications at this level that assume, as part of the
> specification, an internal source of randomness.

The DSA and ECDSA signature algorithms require an internal random  
source.	

> Usually, the
> randomness is a required input, not an output. How would GCM or EAX or
> CCM be specified if the algorithms required an internal source of
> randomness? They would have to reference a particular class of
> certified hardware random number generators.

Why?

David

>
> Personally--and this is only my opinion--I find it much cleaner to
> separate the specifications of AEAD schemes and sources of randomness.
> Let all AEAD schemes be specified to be deterministic, and to accept
> at input a nonce. Let random number generation be handled in another
> component, that may have to be more machine-specific. I'd like to hear
> others' opinions on this.
>
> -John
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email