Re: [Cfrg] New Version Notification for draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt
David Jacobson <dmjacobson@sbcglobal.net> Fri, 14 February 2014 06:34 UTC
Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28E351A0119 for <cfrg@ietfa.amsl.com>; Thu, 13 Feb 2014 22:34:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kNepxDbx_7eZ for <cfrg@ietfa.amsl.com>; Thu, 13 Feb 2014 22:34:31 -0800 (PST)
Received: from nm24-vm6.access.bullet.mail.gq1.yahoo.com (nm24-vm6.access.bullet.mail.gq1.yahoo.com [216.39.63.172]) by ietfa.amsl.com (Postfix) with ESMTP id AA14A1A010F for <cfrg@irtf.org>; Thu, 13 Feb 2014 22:34:31 -0800 (PST)
Received: from [216.39.60.166] by nm24.access.bullet.mail.gq1.yahoo.com with NNFMP; 14 Feb 2014 06:34:30 -0000
Received: from [67.195.23.144] by tm2.access.bullet.mail.gq1.yahoo.com with NNFMP; 14 Feb 2014 06:34:30 -0000
Received: from [127.0.0.1] by smtp116.sbc.mail.gq1.yahoo.com with NNFMP; 14 Feb 2014 06:34:30 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s1024; t=1392359670; bh=sK+gJ94Pho4RIlO12rW0qLZMrAv5kSXERt4ahJeXSHU=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type; b=y2nrn+TPu8vTiOpNl4ZirUEkCtI/RlgiLx2/+Zix8OaIsAh0ETZzBt6PIxCmz7cGfzM/5xdEd+9HXFIFwRhbdVov0W0B+5lT9mTOmjOy+X2ucMGSu1gbQ8GlvZIEQd6mXquWwBhoDkEob3hjeX4pRtKoHnqhMRehIH+hRraLtSk=
X-Yahoo-Newman-Id: 161398.68211.bm@smtp116.sbc.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: ID7Fvd8VM1k4WVACKVxeZ5rD15mJCUhd2.vtuTqpb4KmYIL KOP_SQoKb5_P6jZtR_h6FTGTROpQdhid828zNfTxogEWvpeInzNilvXSw_sg 1W3XrGHv6Y1r1yBHMeI2jTZSV0vchzkLvatmo2.QtAC9otWXlpBNc3e2EVSc 315kshkG0xvHnWePk0adKzMZ2Vzs04y8E77Z7YXnV0OpFwyIhdQrCNIgEZGe 8Zuh76SK6YByPURGwkDW9pdSMcssO7pu8fEz0__0_LT0TPz7jVd9tX0cGmgj zU3HjmKNVSQFjWMPpyFafYwVw74uCXTGUv.jvvYkWSXe4NV5wkiH2wlUkJDS 0XL1g272aXJq6zjJ5xJyCXYxVENV89czgTZxfIOnNsbepykaNMLEhTbBj2aO S6kirWI70gIYuiN9Vb9HGyi.i_KudMAQ4w8pqXkK0whCZTqbMiFlqljsn5KI o0QNa2QPc29H3pScBErvCAkXrHgv_XL0RJNGQf9JgxFqen3Wn6Z8cml1vVZt lWn33bQhhnEigFvOYrwnrV6NVWjZbh5KLAWgTspaxkW63fpMJ3MgMeWKCJQ4 GIDgbEmCUU8E0MYZW1t1RwEkHrUz5kP0QxxIBKIRI.KAj1MuBAOk7r32pNz8 YpV.VpyosFXeRgH9hHYXN7kw.5zc-
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
X-Rocket-Received: from [192.168.1.64] (dmjacobson@99.120.97.155 with plain [67.195.15.5]) by smtp116.sbc.mail.gq1.yahoo.com with SMTP; 14 Feb 2014 06:34:30 +0000 UTC
Message-ID: <52FDB8F4.90203@sbcglobal.net>
Date: Thu, 13 Feb 2014 22:34:28 -0800
From: David Jacobson <dmjacobson@sbcglobal.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: David McGrew <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <20140214004117.27381.4308.idtracker@ietfa.amsl.com> <52FD6815.70402@cisco.com>
In-Reply-To: <52FD6815.70402@cisco.com>
Content-Type: multipart/alternative; boundary="------------010309080302050408080104"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/ZGloUAutymV4bH0T3RX_XkOnzNA
Subject: Re: [Cfrg] New Version Notification for draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 06:34:35 -0000
On 2/13/14 4:49 PM, David McGrew wrote: > Hi, > > the latest version of this draft is out. Thanks are due to Jim Schaad > and Rob Napier for their feedback on version 02. > > The goals of this draft are to provide an authenticated encryption > scheme suitable for use in those cases where CBC and HMAC are > available, but no dedicated AE schemes are available. Also, it > doesn't require deterministic nonces, which itself is useful in some > situations. > > It might be nice to add a description of how IVs can be pseudorandomly > generated. It would be especially useful to generate the IV using > the same key as used for encryption, with an unpredictable counter, or > something like that. Is anyone aware of a security proof that could > be cited for that sort of technique? I think that some systems would > have a much easier time maintaining a counter than they would > generating truly random IVs, which is reasonable motivation in my > opinion. Glad to hear other thoughts on this subject. > > David > > -- There is a mismatched parenthesis in the first sentence of Section 2.4. It seems that your intent is to truncate the MAC to the length of the MAC_KEY. Also these two seem to be half the size of the hash function output block size. However, that is not explicitly stated. I suggest you mention that somewhere. Above you mention generating the IV with the same key as is used for encryption. Note that this is in conflict with Section 3, which says "However, if a pseudorandom method is used, that method MUST NOT make use of ENC_KEY or MAC_KEY." Maybe you are thinking the we CFRG people can come up with a safe way to use the encryption key, but you don't trust users to do that. Above you mention an unpredictable counter. I suspect you mean a counter that begins at a secret value, and wraps in the obvious way. Therefore it has be generated at random and stored in secure non-volatile storage. So it seems strictly harder than just randomness. So I don't know what is gained by using an unpredictable counter. You have chosen to avoid nonces, but instead to require randomness. It is debatable whether this is a good tradeoff. I suspect it would be better to have a system that requires a nonce, where the only requirement is that it is doesn't repeat (or is sufficiently unlikely to repeat, to allow for random nonces if the user finds that convenient). Examples of suitable nonces are a counter, time, or random. You could compute the IV as SHA256(E_ek(nonce)) and use only the first 128 bits. E_ek means encrypt with the encryption key. This doesn't leak an ECB mode plaintext-ciphertext pair to an attacker, even if he knows or can easily guess the nonce (e.g. when the nonce is time or when he knows the number of messages that have been sent). Since the attacker doesn't know the encryption key, he can't predict the nonce. You have a key that is the concatenation of the MAC_KEY and the ENC_KEY. This might tempt lazy or incompetent implementers do something stupid. You might consider deriving the MAC_KEY and ENC_KEY from a single key. If you did that, you could generate the MAC_KEY, ENC_KEY, and IV like this. Use HMAC(key, 0x1 || counter) to generate enough bits for MAC_KEY and ENC_KEY. Use HMAC(key, 0x2 || nonce) to compute the IV. (This is a different proposal for the IV than the last paragraph.) Even if the attacker can predict the nonce, he cannot predict the IV because he doesn't know the key. If you really don't want to accept a nonce, have the library generate its own nonce with something from inside the system, such processID || date_time || message_counter_in_this_process. (Remember, this only has to be unique within users of the same key. It doesn't have to be world-wide unique.) The downside is that any such scheme is specific to a particular system. I think most of us would rather say "compute this and pass it in as the nonce" than "modify the code to collect this". As to the question you actually asked, I don't see that you can have randomness in the encryption if you don't have either randomness as an input or use a nonce. It is completely deterministic and the same message will be encrypted the same every time. However, you can do a bit better. In some applications the authenticated but unencrypted part (called A in the draft) will contain a sequence number or timestamp. If you compute MAC_KEY, ENC_KEY, and IV similar to the way in the last paragraph, but change the IV computation to HMAC(key, 0x2 || A). Absolutely identical messages will result in the same bits over the channel, but if the unencrypted part contains a sequence number or timestamp, the encrypted part will be randomized. My final suggestion is to compute IV as HMAC(key, 0x2 || length(A) || A || nonce). This way, users who supply non-repeating nonces get randomized encryption, and even if they mess up, they will get randomized encryption if the A part has a time stamp or sequence number. --David Jacobson > > A new version of I-D, draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt > has been successfully submitted by David McGrew and posted to the > IETF repository. > > Name: draft-mcgrew-aead-aes-cbc-hmac-sha2 > Revision: 03 > Title: Authenticated Encryption with AES-CBC and HMAC-SHA > Document date: 2014-02-13 > Group: Individual Submission > Pages: 29 > URL:http://www.ietf.org/internet-drafts/draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt > Status:https://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/ > Htmlized:http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-03 > Diff:http://www.ietf.org/rfcdiff?url2=draft-mcgrew-aead-aes-cbc-hmac-sha2-03 > > Abstract: > This document specifies algorithms for authenticated encryption with > associated data (AEAD) that are based on the composition of the > Advanced Encryption Standard (AES) in the Cipher Block Chaining (CBC) > mode of operation for encryption, and the HMAC-SHA message > authentication code (MAC). > > These are randomized encryption algorithms, and thus are suitable for > use with applications that cannot provide distinct nonces to each > invocation of the AEAD encrypt operation. > > > > > > > > > > > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > . > > > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg
- Re: [Cfrg] New Version Notification for draft-mcg… Manger, James
- Re: [Cfrg] New Version Notification for draft-mcg… Watson Ladd
- [Cfrg] New Version Notification for draft-mcgrew-… David McGrew
- Re: [Cfrg] New Version Notification for draft-mcg… Manger, James
- Re: [Cfrg] New Version Notification for draft-mcg… David Jacobson
- Re: [Cfrg] New Version Notification for draft-mcg… David McGrew
- Re: [Cfrg] New Version Notification for draft-mcg… David McGrew
- Re: [Cfrg] New Version Notification for draft-mcg… David McGrew
- Re: [Cfrg] New Version Notification for draft-mcg… Watson Ladd
- Re: [Cfrg] New Version Notification for draft-mcg… Paterson, Kenny
- Re: [Cfrg] New Version Notification for draft-mcg… David Jacobson