IETF Logo Mail Archive

Re: [Cfrg] Streaming AEAD

David McGrew <mcgrew@cisco.com> Tue, 25 February 2014 15:52 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECB6F1A0134 for <cfrg@ietfa.amsl.com>; Tue, 25 Feb 2014 07:52:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.748
X-Spam-Level:
X-Spam-Status: No, score=-11.748 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_51=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1SVcQwwlBWxI for <cfrg@ietfa.amsl.com>; Tue, 25 Feb 2014 07:52:22 -0800 (PST)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id E24611A07B6 for <cfrg@irtf.org>; Tue, 25 Feb 2014 07:52:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4656; q=dns/txt; s=iport; t=1393343542; x=1394553142; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=yJjuaj1k/HEZXkJsO+jgz7e/+9xmiympyOJRLN5qsJI=; b=MUP/5aY+BcdR43kxGEVwGYBhnSJHpa5qpjZBZ3CpQCd7x+F+kAHk/BD4 SPL8OcnbJbKqDVuEhHLr1vsDtfxrbGOmeMMCNB3fJjK4e13rdt4VGNby+ nmuDtmwyc7wcl0fiLXwpT0AXYrE4E/18kwIxVNHvr94tG7KsDt3fg+6Wc 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgMFAKC7DFOrRDoJ/2dsb2JhbABZgwY7wiiBGBZ0giUBAQEDAQEBATU2CgEFCwsYCRYPCQMCAQIBFTAGDQEFAgIFh3QHDsZrF4xAKIF8B4Q4AQOJSI5shkiLX4NLHg
X-IronPort-AV: E=Sophos;i="4.97,540,1389744000"; d="scan'208";a="104465345"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-3.cisco.com with ESMTP; 25 Feb 2014 15:52:21 +0000
Received: from [10.0.2.15] (sjc-vpn6-87.cisco.com [10.21.120.87]) by mtv-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s1PFqJ2N008413; Tue, 25 Feb 2014 15:52:20 GMT
Message-ID: <530CBC32.1040107@cisco.com>
Date: Tue, 25 Feb 2014 10:52:18 -0500
From: David McGrew <mcgrew@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130922 Icedove/17.0.9
MIME-Version: 1.0
To: "Manger, James" <James.H.Manger@team.telstra.com>
References: <9A043F3CF02CD34C8E74AC1594475C7372375D64@uxcn10-tdc06.UoA.auckland.ac.nz> <53035EC7.8010607@cisco.com> <255B9BB34FB7D647A506DC292726F6E1153B6AA83D@WSMSG3153V.srv.dir.telstra.com> <530A0293.5060208@cisco.com>
In-Reply-To: <530A0293.5060208@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/XVVvuMeIsE1RTZfkr_V1nncf1jk
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [Cfrg] Streaming AEAD
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2014 15:52:29 -0000

Hi James,

On 02/23/2014 09:15 AM, David McGrew wrote:
> Hi James,
>
> On 02/18/2014 10:59 PM, Manger, James wrote:
>>>>> What is needed is a way to use an AEAD algorithm to secure a 
>>>>> message in
>>>>> chunks. Streaming-AEAD would allow a recipient to know they have 
>>>>> received an
>>>>> authentic prefix of a message. It would allow crypto APIs to support
>>>>> streaming modes while never returning unauthentic plaintext.
>>>> I think the means of doing this is going to be protocol-specific, 
>>>> since it
>>>> depends on the PDU format being used.
>> Not necessarily.
>> I was thinking we could define a new alg identifier such as
>> "AEAD_AES_128_OCB_TAGLEN96/10K", meaning OCB on 10 KB chunks.
>> Once the 10228th byte (10KB - 96 bits) of plaintext is streamed
>> to the encrypt function, it finishes the first AEAD operation and
>> inserts a 96-bit tag into the ciphertext. A decryption function
>> caches the ciphertext it is streamed until it reaches a 10KB
>> boundary then it returns 10228 bytes of plaintext.
>>
>> An app sees a different alg id, but doesn't need to notice that
>> the ciphertext PDU is actually ct tag ct tag ct tag...
>> [It might need to know which nonces have been used internally though!]
>

A thought occurred to me.   Currently, many systems use an 
init/update/final interface for AEAD decryption.  The streaming AEAD 
algorithm that you propose would not enable them to continue using this 
interface as they currently are.   The problem is that the decryptUpdate 
function is required to provide plaintext when it returns; at least this 
is the case in some libraries.  If decryptUpdate is not required to 
provide plaintext when it returns, then the implementation could just 
buffer the (pre-auth-verification) plaintext until the auth verification 
is done.

David

> I take your point.  If there was a streaming-AEAD algorithm (using an 
> API similar to RFC 5116 but extended a bit), then it could be used in 
> a protocol regardless of that protocol's message formats and sizes.
>
> It would be somewhat awkward that the sender needs to know the right 
> chunk size that the receiver can handle, so the chunk size is 
> something that one would want to "negotiate", or at least have the 
> receiver advise the sender on.
>
> If a streaming-AEAD gets defined, it would be attractive to define a 
> way in which any of the existing AEAD schemes could be used in 
> chunk-mode.
>
>>
>>
>>> I think that's right.   It still makes sense to consider what should be
>>> going on above the AEAD layer, in a generic sense.
>>>
>>>> For things like SSL/TLS and SSH the
>>>> problem is already solved since data amounts are quantised to the
>>> protocol
>>>> data packet size,
>>> I hope that's right.   I am not sure that SSL/TLS implementers would be
>>> comfortable if they could never use the decryptUpdate function though.
>>>
>>>> for store-and-forward protocols like PGP and S/MIME you'd
>>>> need to add a mechanism for it in a PGP/SMIME-specific manner, but
>>> then you'd
>>>> also need to figure out how to communicate it to the other side...
>>> and then
>>>> you're back to relying on ad-hoc mechanisms.
>>>>
>>>> When I had to do this years ago I used something like:
>>>>
>>>> len1 || data1 || h1 = HMAC( len1 || data1 ),
>>>> len2 || data2 || h2 = HMAC( h1 || len2 || data2 ),
>>>> len3 || data3 || h3 = HMAC( h2 || len3 || data3 ),
>>>> ...
>>>>
>>>> A length of 0 indicated end-of-contents.
>>> Interesting, is there a writeup?
>>
>> So for packetizing plaintext for ~AEAD chunks:
>> * TLS puts a sequence number in the AAD;
>> * Peter (sort of) puts a tag for the previous prefix in the AAD;
>> * I suggested using sequential nonces and a start/middle/end flag;
>> * AERO hides the details in state;
>> * Pipelineable On-Line Encryption randomizes unauthentic plaintext.
>>
>>
>> My only concern with putting state (eg sequence number, byte count, 
>> previous hash) into AAD is that you need something at a higher layer 
>> to ensure that AEAD(X||Y,P) is always interpreted as "chunk mode with 
>> state=X, user-provided-AAD=Y", and never as "non-chunk mode with 
>> user-provided-AAD=X||Y". You probably cannot safely use 1 key in 
>> chunk and non-chunk modes.
>
> Agreed; chunk mode would need to be well defined, understood by both 
> sender and receiver, and never share keys with non-chunk modes.
>
> David
>
>>
>> -- 
>> James Manger
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
> .
>

v2.23.0 | Report a Bug | By Email