IETF Logo Mail Archive

Re: [Cfrg] New Version Notification for draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt

David Jacobson <dmjacobson@sbcglobal.net> Fri, 14 February 2014 06:34 UTC

Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28E351A0119 for <cfrg@ietfa.amsl.com>; Thu, 13 Feb 2014 22:34:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kNepxDbx_7eZ for <cfrg@ietfa.amsl.com>; Thu, 13 Feb 2014 22:34:31 -0800 (PST)
Received: from nm24-vm6.access.bullet.mail.gq1.yahoo.com (nm24-vm6.access.bullet.mail.gq1.yahoo.com [216.39.63.172]) by ietfa.amsl.com (Postfix) with ESMTP id AA14A1A010F for <cfrg@irtf.org>; Thu, 13 Feb 2014 22:34:31 -0800 (PST)
Received: from [216.39.60.166] by nm24.access.bullet.mail.gq1.yahoo.com with NNFMP; 14 Feb 2014 06:34:30 -0000
Received: from [67.195.23.144] by tm2.access.bullet.mail.gq1.yahoo.com with NNFMP; 14 Feb 2014 06:34:30 -0000
Received: from [127.0.0.1] by smtp116.sbc.mail.gq1.yahoo.com with NNFMP; 14 Feb 2014 06:34:30 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s1024; t=1392359670; bh=sK+gJ94Pho4RIlO12rW0qLZMrAv5kSXERt4ahJeXSHU=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type; b=y2nrn+TPu8vTiOpNl4ZirUEkCtI/RlgiLx2/+Zix8OaIsAh0ETZzBt6PIxCmz7cGfzM/5xdEd+9HXFIFwRhbdVov0W0B+5lT9mTOmjOy+X2ucMGSu1gbQ8GlvZIEQd6mXquWwBhoDkEob3hjeX4pRtKoHnqhMRehIH+hRraLtSk=
X-Yahoo-Newman-Id: 161398.68211.bm@smtp116.sbc.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: ID7Fvd8VM1k4WVACKVxeZ5rD15mJCUhd2.vtuTqpb4KmYIL KOP_SQoKb5_P6jZtR_h6FTGTROpQdhid828zNfTxogEWvpeInzNilvXSw_sg 1W3XrGHv6Y1r1yBHMeI2jTZSV0vchzkLvatmo2.QtAC9otWXlpBNc3e2EVSc 315kshkG0xvHnWePk0adKzMZ2Vzs04y8E77Z7YXnV0OpFwyIhdQrCNIgEZGe 8Zuh76SK6YByPURGwkDW9pdSMcssO7pu8fEz0__0_LT0TPz7jVd9tX0cGmgj zU3HjmKNVSQFjWMPpyFafYwVw74uCXTGUv.jvvYkWSXe4NV5wkiH2wlUkJDS 0XL1g272aXJq6zjJ5xJyCXYxVENV89czgTZxfIOnNsbepykaNMLEhTbBj2aO S6kirWI70gIYuiN9Vb9HGyi.i_KudMAQ4w8pqXkK0whCZTqbMiFlqljsn5KI o0QNa2QPc29H3pScBErvCAkXrHgv_XL0RJNGQf9JgxFqen3Wn6Z8cml1vVZt lWn33bQhhnEigFvOYrwnrV6NVWjZbh5KLAWgTspaxkW63fpMJ3MgMeWKCJQ4 GIDgbEmCUU8E0MYZW1t1RwEkHrUz5kP0QxxIBKIRI.KAj1MuBAOk7r32pNz8 YpV.VpyosFXeRgH9hHYXN7kw.5zc-
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
X-Rocket-Received: from [192.168.1.64] (dmjacobson@99.120.97.155 with plain [67.195.15.5]) by smtp116.sbc.mail.gq1.yahoo.com with SMTP; 14 Feb 2014 06:34:30 +0000 UTC
Message-ID: <52FDB8F4.90203@sbcglobal.net>
Date: Thu, 13 Feb 2014 22:34:28 -0800
From: David Jacobson <dmjacobson@sbcglobal.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: David McGrew <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <20140214004117.27381.4308.idtracker@ietfa.amsl.com> <52FD6815.70402@cisco.com>
In-Reply-To: <52FD6815.70402@cisco.com>
Content-Type: multipart/alternative; boundary="------------010309080302050408080104"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/ZGloUAutymV4bH0T3RX_XkOnzNA
Subject: Re: [Cfrg] New Version Notification for draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 06:34:35 -0000

On 2/13/14 4:49 PM, David McGrew wrote:
> Hi,
>
> the latest version of this draft is out.  Thanks are due to Jim Schaad 
> and Rob Napier for their feedback on version 02.
>
> The goals of this draft are to provide an authenticated encryption 
> scheme suitable for use in those cases where CBC and HMAC are 
> available, but no dedicated AE schemes are available.   Also, it 
> doesn't require deterministic nonces, which itself is useful in some 
> situations.
>
> It might be nice to add a description of how IVs can be pseudorandomly 
> generated.   It would be especially useful to generate the IV using 
> the same key as used for encryption, with an unpredictable counter, or 
> something like that.   Is anyone aware of a security proof that could 
> be cited for that sort of technique?   I think that some systems would 
> have a much easier time maintaining a counter than they would 
> generating truly random IVs, which is reasonable motivation in my 
> opinion.   Glad to hear other thoughts on this subject.
>
> David
>
> --
There is a mismatched parenthesis in the first sentence of Section 2.4.

It seems that your intent is to truncate the MAC to the length of the 
MAC_KEY.  Also these two seem to be half the size of the hash function 
output block size.  However, that is not explicitly stated.  I suggest 
you mention that somewhere.

Above you mention generating the IV with the same key as is used for 
encryption.  Note that this is in conflict with Section 3, which says 
"However, if a pseudorandom method is used, that method MUST NOT make 
use of ENC_KEY or MAC_KEY."  Maybe you are thinking the we CFRG people 
can come up with a safe way to use the encryption key, but you don't 
trust users to do that.

Above you mention an unpredictable counter.  I suspect you mean a 
counter that begins at a secret value, and wraps in the obvious way.  
Therefore it has be generated at random and stored in secure 
non-volatile storage.  So it seems strictly harder than just 
randomness.  So I don't know what is gained by using an unpredictable 
counter.

You have chosen to avoid nonces, but instead to require randomness.   It 
is debatable whether this is a good tradeoff.  I suspect it would be 
better to have a system that requires a nonce, where the only 
requirement is that it is doesn't repeat (or is sufficiently unlikely to 
repeat, to allow for random nonces if the user finds that convenient).  
Examples of suitable nonces are a counter, time, or random.  You could 
compute the IV  as SHA256(E_ek(nonce)) and use only the first 128 bits.  
E_ek means encrypt with the encryption key.  This doesn't leak an ECB 
mode plaintext-ciphertext pair to an attacker, even if he knows or can 
easily guess the nonce (e.g. when the nonce is time or when he knows the 
number of messages that have been sent).  Since the attacker doesn't 
know the encryption key, he can't predict the nonce.

You have a key that is the concatenation of the MAC_KEY and the 
ENC_KEY.  This might tempt lazy or incompetent implementers  do 
something stupid.  You might consider deriving the MAC_KEY and ENC_KEY 
from a single key.  If you did that, you could generate the MAC_KEY, 
ENC_KEY, and IV like this.  Use HMAC(key, 0x1 || counter) to generate 
enough bits for MAC_KEY and ENC_KEY.  Use HMAC(key, 0x2 || nonce) to 
compute the IV.  (This is a different proposal for the IV than the last 
paragraph.)  Even if the  attacker can predict the nonce, he cannot 
predict the IV because he doesn't know the key.

If you really don't want to accept a nonce, have the library generate 
its own nonce with something from inside the system, such processID || 
date_time || message_counter_in_this_process. (Remember, this only has 
to be unique within users of the same key. It doesn't have to be 
world-wide unique.)  The downside is that any such scheme is specific to 
a particular system.  I think most of us would rather say "compute this 
and pass it in as the nonce" than "modify the code to collect this".

As to the question you actually asked, I don't see that you can have 
randomness in the encryption if you don't have either randomness as an 
input or use a nonce.  It is completely deterministic and the same 
message will be encrypted the same every time.  However, you can do a 
bit better.  In some applications the authenticated but unencrypted part 
(called A in the draft) will contain a sequence number or timestamp.  If 
you compute MAC_KEY, ENC_KEY, and IV similar to the way in the last 
paragraph, but change the IV computation to HMAC(key, 0x2 || A).  
Absolutely identical messages will result in the same bits over the 
channel, but if the unencrypted part contains a sequence number or 
timestamp, the encrypted part will be randomized.  My final suggestion 
is to compute IV as HMAC(key, 0x2 || length(A) || A || nonce).  This 
way, users who supply non-repeating nonces get randomized encryption, 
and even if they mess up, they will get randomized encryption if the A 
part has a time stamp or sequence number.

     --David Jacobson

>
> A new version of I-D, draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt
> has been successfully submitted by David McGrew and posted to the
> IETF repository.
>
> Name:		draft-mcgrew-aead-aes-cbc-hmac-sha2
> Revision:	03
> Title:		Authenticated Encryption with AES-CBC and HMAC-SHA
> Document date:	2014-02-13
> Group:		Individual Submission
> Pages:		29
> URL:http://www.ietf.org/internet-drafts/draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt
> Status:https://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/
> Htmlized:http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-03
> Diff:http://www.ietf.org/rfcdiff?url2=draft-mcgrew-aead-aes-cbc-hmac-sha2-03
>
> Abstract:
>     This document specifies algorithms for authenticated encryption with
>     associated data (AEAD) that are based on the composition of the
>     Advanced Encryption Standard (AES) in the Cipher Block Chaining (CBC)
>     mode of operation for encryption, and the HMAC-SHA message
>     authentication code (MAC).
>
>     These are randomized encryption algorithms, and thus are suitable for
>     use with applications that cannot provide distinct nonces to each
>     invocation of the AEAD encrypt operation.
>
>
>
> 	
>
> 	
>
> 	
>
> 	
>
>                                                                                    
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> .
>
>
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email