Re: [Cfrg] Short Authentication Tags in AES-128-CCM
Jonathan Trostle <jon49175@yahoo.com> Tue, 28 July 2015 18:26 UTC
Message-ID: <1438108015.81423.YahooMailBasic@web161406.mail.bf1.yahoo.com>
Date: Tue, 28 Jul 2015 11:26:55 -0700
From: Jonathan Trostle <jon49175@yahoo.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <55AF6E7E.5000300@gmx.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/_awkKCN6vXiSbu4yjwixlptXE5M>
Subject: Re: [Cfrg] Short Authentication Tags in AES-128-CCM
Hi,

For short tags, it makes sense to consider algorithms where ciphertext modifications result in randomized plaintexts. In effect, the tag can be shorter, or the same length tag yields higher security compared to a counter mode based algorithm. For counter mode based algorithms, ciphertexts can be predictably modified, so a successful forgery can be much more damaging.

CMCC (http://eprint.iacr.org/2013/269) is one such algorithm (also see the CAESAR competition). CMCC also handles plaintexts shorter than the block length without additional padding and is nonce misuse resistant.

Jonathan

--------------------------------------------
On Wed, 7/22/15, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

Subject: [Cfrg] Short Authentication Tags in AES-128-CCM
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Wednesday, July 22, 2015, 3:20 AM

Hi all,

in the Internet of Things context there has been some excitement to use short authentication tags with AES-128-CCM. With short-range, low-power radio technologies, shorter frame sizes raise concerns about the number of bytes that are available to the application layer. The DTLS/TLS profile for IoT document <draft-ietf-dice-profile> therefore recommends the TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ciphersuite, following what the CoAP protocol and also Zigbee IP suggest.

When Stephen did a review of draft-ietf-dice-profile-13 he suggested to rather focus on AES-128-CCM with the full-length authentication tag instead. He motivates his suggestion based on the decision of the SRTP guys to move away from short authentication tags used with AES-GCM-128. Of course, AES-CCM and AES-GCM are different, and attacks against AES-GCM with short authentication tags have been published.

My question to this group is:

* Are you aware of attacks against the AES-128-CCM-8?
* Are there concerns with the use of short authentication tags, as we recommend for the IoT context?

(Needless to say that there is a tradeoff between rekeying and the number of bits the tag has.)

Ciao
Hannes
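The contrast Trostle draws above, as an added example that is not part of the thread and not CMCC's code: in a counter-mode AEAD such as CCM, an attacker who knows the old plaintext can XOR a chosen difference into the ciphertext and, if the truncated tag happens to pass, the receiver decrypts exactly the attacker's chosen plaintext; in a mode whose decryption randomizes on any ciphertext change, a passing forgery yields garbage. HMAC-SHA256 stands in for the AES-based PRF (an assumption made so the block runs with the standard library only, since the malleability property depends on the mode and not on the block cipher), the "randomizing" mode is a three-round Feistel over the message halves written purely as an illustration of the property, and the forgery-probability helpers use the blind-guessing bound attempts / 2^t for a t-bit tag (64 bits for CCM-8).

```python
"""Added example: predictable vs randomized plaintext changes under a
short-tag forgery, and the forgery-probability / rekeying tradeoff.
HMAC-SHA256 stands in for AES as the PRF (assumption, stdlib only)."""
import hashlib
import hmac
import os


def _prf(key: bytes, label: bytes, n: int) -> bytes:
    """Expand HMAC-SHA256(key, label || counter) into n pseudorandom bytes."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Counter-mode confidentiality, as CCM and GCM use it: plaintext XOR keystream.
def ctr_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    return _xor(pt, _prf(key, b"CTR" + nonce, len(pt)))


ctr_decrypt = ctr_encrypt  # XOR with the keystream is its own inverse


def predictable_tamper(ct: bytes, old_pt: bytes, new_pt: bytes) -> bytes:
    """Attacker's edit against a counter-mode ciphertext: XOR in the difference
    between the known old plaintext and the desired new one. Only the tag
    stands in the way; a forgery that passes delivers exactly new_pt."""
    return _xor(ct, _xor(old_pt, new_pt))


# Randomizing stand-in: 3-round Feistel over the two message halves
# (Luby-Rackoff style). Illustrates the property, is NOT CMCC.
def _round(key: bytes, nonce: bytes, rnd: int, data: bytes, n: int) -> bytes:
    return _prf(key, b"F" + bytes([rnd]) + nonce + data, n)


def feistel_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    assert len(pt) >= 2, "both halves must be non-empty"
    h = len(pt) // 2
    l, r = pt[:h], pt[h:]
    r = _xor(r, _round(key, nonce, 1, l, len(r)))
    l = _xor(l, _round(key, nonce, 2, r, len(l)))
    r = _xor(r, _round(key, nonce, 3, l, len(r)))
    return l + r


def feistel_decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    h = len(ct) // 2
    l, r = ct[:h], ct[h:]
    r = _xor(r, _round(key, nonce, 3, l, len(r)))  # undo round 3
    l = _xor(l, _round(key, nonce, 2, r, len(l)))  # undo round 2
    r = _xor(r, _round(key, nonce, 1, l, len(r)))  # undo round 1
    return l + r


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def forgery_success_bound(tag_bits: int, attempts: int) -> float:
    """Upper bound on the probability that at least one of `attempts` blind
    forgeries passes a tag_bits-bit tag: attempts / 2^tag_bits."""
    return min(1.0, attempts / 2 ** tag_bits)


def attempts_before_rekey(tag_bits: int, max_prob: float) -> int:
    """Forgery attempts a key may absorb before the cumulative forgery
    probability exceeds max_prob: the rekeying side of the tradeoff."""
    return int(max_prob * 2 ** tag_bits)


def demo() -> None:
    key, nonce = os.urandom(32), os.urandom(12)
    old = b"transfer 0100 to bob"  # constructed sample plaintext
    new = b"transfer 9100 to bob"
    ct = ctr_encrypt(key, nonce, old)
    print("CTR, attacker edit :", ctr_decrypt(key, nonce, predictable_tamper(ct, old, new)))
    fct = feistel_encrypt(key, nonce, old)
    flipped = bytes([fct[0] ^ 0x01]) + fct[1:]
    garbled = feistel_decrypt(key, nonce, flipped)
    print("Feistel, 1-bit flip:", hamming_distance(garbled, old), "of", 8 * len(old), "plaintext bits changed")
    print("P[forgery], 64-bit tag, 2^32 attempts:", forgery_success_bound(64, 2 ** 32))
    print("attempts before rekey at 2^-32 risk  :", attempts_before_rekey(64, 2 ** -32))


if __name__ == "__main__":
    demo()
```

The tag length only bounds how often a blind forgery attempt gets through (2^-64 per attempt for CCM-8); what the two decryptions show is what the attacker obtains on the attempt that does. Under counter mode the receiver acts on a message the attacker wrote, under the randomizing mode on pseudorandom bytes, which is the reason Trostle gives for why the same tag length buys more with the latter.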