IETF Logo Mail Archive

Re: [Cfrg] Streaming AEAD

David McGrew <mcgrew@cisco.com> Tue, 18 February 2014 13:16 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4E011A04BF for <cfrg@ietfa.amsl.com>; Tue, 18 Feb 2014 05:16:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.549
X-Spam-Level:
X-Spam-Status: No, score=-11.549 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_41=0.6, J_CHICKENPOX_42=0.6, MANGLED_PILL=2.3, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2qJZhF7owaWb for <cfrg@ietfa.amsl.com>; Tue, 18 Feb 2014 05:16:33 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id 9620A1A01C1 for <cfrg@irtf.org>; Tue, 18 Feb 2014 05:16:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8725; q=dns/txt; s=iport; t=1392729391; x=1393938991; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=i4quqf9pp6HUdyl+OAqeOS/JN8aq7BYH3JBADKAG2sM=; b=UFIBOw2WXA+feYCPwt4w8bHJNnWlcNMdWVXSmlSv8Z7ec7a5FJYA+4im SwSqnPRMPn8X9z7eI7FEA17M/vYsJHzy6WZtrhlswDOOZTtcvysxsl7qU OsyWn9m0l+OTjtUmHdINH9F8BXhagebPnw4xr46OACDk7t+qiFdz3JCvu k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ah0FAC9cA1OtJV2b/2dsb2JhbAA/GoMGOINZvE6BFRZ0giUBAQEDAQEBASAPAQU2CgEMBAsRBAEBAQICBRYIAwICCQMCAQIBFR8JCAYNAQUCAgWHdAgNNqkSog8XgSmLL4FRAQYBAU8HBoJpgUkEiUiOZIEyhRWLXINLHoEsAQgX
X-IronPort-AV: E=Sophos;i="4.97,501,1389744000"; d="scan'208";a="304608313"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-1.cisco.com with ESMTP; 18 Feb 2014 13:16:28 +0000
Received: from [10.0.2.15] (rtp-mcgrew-8914.cisco.com [10.117.10.229]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s1IDGRcP018520; Tue, 18 Feb 2014 13:16:27 GMT
Message-ID: <53035D2C.9040905@cisco.com>
Date: Tue, 18 Feb 2014 08:16:28 -0500
From: David McGrew <mcgrew@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130922 Icedove/17.0.9
MIME-Version: 1.0
To: "Manger, James" <James.H.Manger@team.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E1153B5ED749@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1153B5ED749@WSMSG3153V.srv.dir.telstra.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/_iVbSmVLW7nY82k8xZmuVFIX6cs
Cc: Adam Langley <agl@imperialviolet.org>, Niels Möller <nisse@lysator.liu.se>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Streaming AEAD
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2014 13:16:36 -0000

Hi James,

thanks for introducing this topic, more inline:

On 02/18/2014 12:47 AM, Manger, James wrote:
> Authenticated Encryption with Additional Data (AEAD) is a great primitive for securing messages, but it has one serious limitation: you only learn that the plaintext is authentic after processing all of the ciphertext. A crypto library performing decryption either has to: 1) cache the whole message (of arbitrary size) before returning the authentic plaintext; or 2) return unauthenticated plaintext chunks, and indicate authenticity only later when (or if) the end of the message is reached.
> Neither of these choices are ideal.

In "Pipelineable On-Line Encryption" (to be presented at FSE in a couple 
of weeks http://fse2014.isg.rhul.ac.uk/index.php?p=accepted) we call the 
act of releasing (would-be) plaintext prior to the completion of the 
authentication check "decryption misuse".   You are absolutely right 
that many crypto APIs enable or require decryption misuse, including 
openSSL and PKCS11 through their "decryptUpdate" functions.   A crypto 
module that does AEAD decryption of long messages at high data rates 
might be forced into doing decryption misuse if it has limited memory, 
or if the latency of plaintext buffering was unacceptable.   Decryption 
misuse is a problem that deserves to be addressed.

The simplest way to avoid decryption misuse is to never call the 
"decryptUpdate" function.   In some software environments, it is 
possible to re-write code so that this function is not called. This 
won't solve every problem, but it is worth mentioning.

Next up the scale in terms of difficultly, the length of the plaintext 
and associated data can be kept below some limit, to lower the latency 
and the memory requirements.   Do so requires that there is some 
flexibility in how the plaintext is "packetized", that is, how the 
sequence of plaintext messages is mapped onto the AEAD's plaintext inputs.

>
> What is needed is a way to use an AEAD algorithm to secure a message in chunks. Streaming-AEAD would allow a recipient to know they have received an authentic prefix of a message. It would allow crypto APIs to support streaming modes while never returning unauthentic plaintext.
>
> A discussion on this topic has started on the IETF TLS list (in a thread unhelpfully titled "Comments on")
> http://www.ietf.org/mail-archive/web/tls/current/msg11282.html
>
> I think this would be a perfect topic for CFRG to address.
>
> Instead of sending C = AEAD(N, A, P);
> send C = AEAD(N1, A1, P1) || AEAD(N2, A2, P2) || ... || AEAD(Nm, Am, Pm).
> Presumably incrementing nonces can be used (eg N2 = N1 + 1).
> How do you flag the end of the message: a flag in the nonce; a flag in the AAD; empty plaintext; inside a modified AEAD primitive?
> How do you flag the start of the message?
> Should the byte offset of each chunk be put in that chunk's AAD?
> Is the real AAD fed to the first or last AEAD instantiation; or can parts be passed to any AEAD instantiation?

Here you are pointing out that a single associated data and plaintext 
value (A,P) could be fragmented into multiple values before AEAD 
processing is used.   This is surely true.   If the fragmentation was 
handled by the higher layer protocol (TLS, ESP, whatever) then this 
could be done with any AEAD algorithm.

>
> Should this be built from AEAD primitives? What about ones without nonces (eg draft-mcgrew-aead-aes-cbc-hmac-sha2)?
> Is it sufficient for a Streaming-AEAD primitive to distinguish 4 modes (full message; 1st chunk; intermediate chunk; last chunk) plus a stipulation to use incrementing nonces for successive chunks?
> Or should we aim for a Streaming-AEAD that can create extra intermediate authentication tags, without affecting the final tag?
>
>
> As a strawman, what if OCB [draft-irtf-cfrg-ocb] was tweaked so the internal 128-bit Nonce field was changed from:
> Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N
> to:
> Nonce = num2str((TAGLEN mod 128)/4,5) || num2str(FLAG,2) || zeros(120-bitlen(N)) || 1 || N
> where
> FLAG = 00 means the AEAD operation covers a full message,
> FLAG = 01 means the AEAD operation covers the first chunk of a message,
> FLAG = 10 means the AEAD operation covers a subsequent chunk of a message (incrementing N),
> FLAG = 11 means the AEAD operation covers the last chunk of a message (incrementing N).
>
> With 5 minutes analyses from a non-cryptanalyst that looks sufficient for a secure streaming-AEAD :)

Alternatively, the associated data could be formatted so that it 
contains the usual header, followed by a fragment number.   That 
technique would work with any of the AEAD algorithms.

Fragmenting the plaintexts before applying AEAD requires that each AEAD 
message be independently authenticated, and thus this technique has more 
data/encapsulation overhead.

In the POE approach that I mentioned above, we describe a way to make an 
AEAD algorithm robust against decryption misuse, though partial 
non-malleability.   That is, if the attacker changes any part of a 
ciphertext, then the corresponding post-decryption plaintext will be 
indistinguishable from random.   If conventional AEAD is used with the 
decryptUpdate function, the attacker can cause the post-decryption 
plaintext output by that function to have any value.   In contrast, if 
POE is used, then the output of decryptUpdate will be indistinguishable 
from random, and not under the control of an attacker.

This robustness against decryption misuse is a valuable property for an 
AEAD algorithm to have.   Nonetheless, it would be better if the 
protocol using AEAD actually performed some sort of plaintext 
fragmentation, if it can accommodate the overhead, because the security 
would be better.   Another advantage to using a plaintext fragmentation 
scheme is that the scheme could be used to hide the lengths and timings 
of the actual plaintext messages, thus preventing traffic analysis (like 
that done in Dyer et. al. "Peek-a-Boo, I Still See You: Why Efficient 
Traffic Analysis Countermeasures Fail").

This line of thinking is part of the rationale behind AERO 
(draft-mcgrew-aero-01) with a wide PRP: since we need to avoid 
decryption misuse, we force the decrypter to maintain some state, and 
given that fact, we might as well get the best security possible.

>
> --
> James Manger
>
> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Nikos Mavrogiannopoulos
> Sent: Monday, 17 February 2014 7:10 PM
> To: Adam Langley
> Cc: Niels Möller; tls@ietf.org
> Subject: Re: [TLS] Comments on
>
> On Fri, 2014-02-14 at 14:49 -0500, Adam Langley wrote:
>
>>> By streaming, I don't advocate you do the decryption in a pipe line;
>>> that's clearly a dangerous habit. Usecase is more like on one machine
>>> running
>>>    src-machine$ tar -cf - foo-dir | aead-encrypt | send
>> This use of streaming is fine by my criteria, assuming that
>> "aead-encrypt" is chunking the input into different blocks and
>> applying the AEAD to each block. This is perfectly fine with a
>> one-shot(*), AEAD API at the core.
> I'd pretty much agree with the chunked approach, but I now realize that
> it is more hard to get it right than the streaming one. In the chunked
> approach one would need to implement sequence numbers (could be implicit
> as additional data) and a termination block. So both approaches have
> quite some disadvantages. The streaming approach allows for misuse of
> the API which may cancel the benefits of AEAD, and the chunked approach
> requires the developer to create a safe protocol over AEAD.
>
> If the idea is for AEAD to be used by an average developer, it seems we
> need even a higher abstraction than that; even for such a simple
> use-cases.

It makes sense to consider higher-level abstractions, but hopefully the 
problem can be addressed in many cases by having the higher-layer 
protocol avoid long plaintexts.

In any event, what are up against here is an important principle in 
secure protocol design: a receiver should not trust any data that gets 
sent to it until that data has been authenticated, and it should not be 
forced to use up its memory (e.g. to store post-decryption plaintext) on 
unauthenticated data.

thanks,

David

>
> regards,
> Nikos
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email