IETF Logo Mail Archive

Re: [Cfrg] Short Authentication Tags in AES-128-CCM

Carsten Bormann <cabo@tzi.org> Fri, 24 July 2015 07:05 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0407C1A8AB1 for <cfrg@ietfa.amsl.com>; Fri, 24 Jul 2015 00:05:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.55
X-Spam-Level:
X-Spam-Status: No, score=-1.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JoE3nTzwnq-x for <cfrg@ietfa.amsl.com>; Fri, 24 Jul 2015 00:04:58 -0700 (PDT)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8582B1A700E for <cfrg@irtf.org>; Fri, 24 Jul 2015 00:04:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::b]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id t6O74rqe013402; Fri, 24 Jul 2015 09:04:53 +0200 (CEST)
Received: from alma.local (unknown [IPv6:2001:67c:370:152:d477:f054:bc6b:606d]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 3md1kD73Z6zDMNp; Fri, 24 Jul 2015 09:04:52 +0200 (CEST)
Message-ID: <55B1E397.2000206@tzi.org>
Date: Fri, 24 Jul 2015 09:04:55 +0200
From: Carsten Bormann <cabo@tzi.org>
User-Agent: Postbox 4.0.1 (Macintosh/20150514)
MIME-Version: 1.0
To: John Mattsson <john.mattsson@ericsson.com>
References: <55AE1BB7.8070906@gmx.net> <55AF6E7E.5000300@gmx.net> <D1D6F1D9.3967B%john.mattsson@ericsson.com>
In-Reply-To: <D1D6F1D9.3967B%john.mattsson@ericsson.com>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/bf1x10gnrwZ96-QRpMmtSsbcBjI>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Short Authentication Tags in AES-128-CCM
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2015 07:05:00 -0000

> Avtcore/IESG decided to not standardize CCM_8 and GCM_8, but for different
> reasons. CCM (all tag lengths) was removed as Stephen wanted to limit the
> number of algorithms, and nobody expressed any imminent plans to implement
> SRTP with CCM. GCM_8 was removed because of the theoretical weaknesses
> with GCM and short tags (summarized in https://eprint.iacr.org/2015/477)
> and their applicability to SRTP
> (https://mailarchive.ietf.org/arch/msg/avt/cKHmfai2SISd7itL_NlgXRJUPow).

Right, SRTP applications typically don't run in the hardware/software
environments described by RFC 7228, so there is little reason to have
CCM-based cipher suites around.

> I am not aware of any weaknesses with CCM_8 that depends on the tag
> length, except the general weakness that the forgery probability is the
> expected 2^-64. In his recent evaluation for Cryptec
> (http://www.cryptrec.go.jp/estimation/techrep_id2012_2.pdf), Rogaway
> states as one of the conclusions “CCM achieves good provable-security
> results, even with truncated tags” Given the constrained radio
> technologies targeted by dice, I think that 64-bit tags are a reasonable
> tradeoff.

+1

> Looking at the dice profile, I am more concerned with the lack of forward
> security in TLS_PSK_WITH_AES_128_CCM_8 and the fact that this cipher suite
> will likely be forbidden in DTLS 1.3 (as far as I understand). I would
> recommend changing this to ECDHE_PSK, or convincing the TLS wg to continue
> supporting PSK. 

Actually, we should move to ECDHE_PSK...CCM_8 as our default profile,
but there is still a set of applications where
TLS_PSK_WITH_AES_128_CCM_8 is a perfect fit. Qualifying this cipher
suite as a special-use one (don't put it into your Web browser for
HTTPS) is probably already a good idea because of the 64-but authenticator.

(One question that is lurking in my mind is whether we should be moving
to CMAC for the MAC part that is CBC-MAC in CCM.  That might be worth it
for the ECDHE version, but probably not for the basic PSK.)

> Standardizing a new profile that will not work with DTLS
> 1.3 would be strange

Indeed.

Grüße, Carsten

v2.23.0 | Report a Bug | By Email