Re: [Cfrg] Short Authentication Tags in AES-128-CCM
Robert Cragie <robert.cragie@gridmerge.com> Fri, 24 July 2015 17:53 UTC
Return-Path: <robert.cragie@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABB6E1A8757 for <cfrg@ietfa.amsl.com>; Fri, 24 Jul 2015 10:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1AwNz3VHMyU for <cfrg@ietfa.amsl.com>; Fri, 24 Jul 2015 10:53:22 -0700 (PDT)
Received: from mail-lb0-x229.google.com (mail-lb0-x229.google.com [IPv6:2a00:1450:4010:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD9541A8709 for <cfrg@irtf.org>; Fri, 24 Jul 2015 10:53:18 -0700 (PDT)
Received: by lblf12 with SMTP id f12so19873930lbl.2 for <cfrg@irtf.org>; Fri, 24 Jul 2015 10:53:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:sender:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=Z8xO/yPvqseJVCweo8wLEKOU/yeArE5uslbamHgO3Pc=; b=hCscMnH1QO6/wAwJ0wGu9YfUg4MtH8ccw953trzBgHILBDKH9Fm45tIkWYsnJonHyw ZzrtePdQwjOu/rsqGZPpvLk5+7slqSQ4+FRuPVawojTMgVheuvU0XukqntZT8Fe29lYB YW1ozzbEGTUMOmT9uCkLhM8ND0mfnfFJ3qgSEEw+Vg9YnkRtWCRjMNiwuam90IdjZYQt SvWQaaBIMyz8Ccnp6wodjhD+89aXSxWBlJV+iBxNF5Si1JMW0YXWz8FqR7zJV2d+mfYS MFvhFbLO3sPvGzmqFcAnCm7SrWpKDfrxLVpc7sgs3FD/nskbPWKW6a3Dl/zQ8XOO87To lBrA==
MIME-Version: 1.0
X-Received: by 10.153.7.137 with SMTP id dc9mr14690239lad.16.1437760397275; Fri, 24 Jul 2015 10:53:17 -0700 (PDT)
Sender: robert.cragie@gmail.com
Received: by 10.25.31.75 with HTTP; Fri, 24 Jul 2015 10:53:17 -0700 (PDT)
In-Reply-To: <55B1E397.2000206@tzi.org>
References: <55AE1BB7.8070906@gmx.net> <55AF6E7E.5000300@gmx.net> <D1D6F1D9.3967B%john.mattsson@ericsson.com> <55B1E397.2000206@tzi.org>
Date: Fri, 24 Jul 2015 18:53:17 +0100
X-Google-Sender-Auth: Rp9SNK-gqWROWg03Z6IJXuC6Hio
Message-ID: <CADrU+dL+dyePF9+sKqPKbi6m+r4Heg==kKekyJ6uh-4k3jydiw@mail.gmail.com>
From: Robert Cragie <robert.cragie@gridmerge.com>
To: Carsten Bormann <cabo@tzi.org>
Content-Type: multipart/alternative; boundary="001a113462a4c077af051ba2adab"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/inpN5DW5UsPsmKsUWUlERV_aIhU>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Short Authentication Tags in AES-128-CCM
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: robert.cragie@gridmerge.com
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2015 17:53:25 -0000
I agree with all Carsten's points below. Regarding CMAC - I haven't found a case where we can totally eliminate the use of HMAC-SHA256 for one reason or another but that is possibly a goal to work towards. Robert On 24 July 2015 at 08:04, Carsten Bormann <cabo@tzi.org> wrote: > > Avtcore/IESG decided to not standardize CCM_8 and GCM_8, but for > different > > reasons. CCM (all tag lengths) was removed as Stephen wanted to limit the > > number of algorithms, and nobody expressed any imminent plans to > implement > > SRTP with CCM. GCM_8 was removed because of the theoretical weaknesses > > with GCM and short tags (summarized in https://eprint.iacr.org/2015/477) > > and their applicability to SRTP > > (https://mailarchive.ietf.org/arch/msg/avt/cKHmfai2SISd7itL_NlgXRJUPow). > > Right, SRTP applications typically don't run in the hardware/software > environments described by RFC 7228, so there is little reason to have > CCM-based cipher suites around. > > > I am not aware of any weaknesses with CCM_8 that depends on the tag > > length, except the general weakness that the forgery probability is the > > expected 2^-64. In his recent evaluation for Cryptec > > (http://www.cryptrec.go.jp/estimation/techrep_id2012_2.pdf), Rogaway > > states as one of the conclusions “CCM achieves good provable-security > > results, even with truncated tags” Given the constrained radio > > technologies targeted by dice, I think that 64-bit tags are a reasonable > > tradeoff. > > +1 > > > Looking at the dice profile, I am more concerned with the lack of forward > > security in TLS_PSK_WITH_AES_128_CCM_8 and the fact that this cipher > suite > > will likely be forbidden in DTLS 1.3 (as far as I understand). I would > > recommend changing this to ECDHE_PSK, or convincing the TLS wg to > continue > > supporting PSK. > > Actually, we should move to ECDHE_PSK...CCM_8 as our default profile, > but there is still a set of applications where > TLS_PSK_WITH_AES_128_CCM_8 is a perfect fit. Qualifying this cipher > suite as a special-use one (don't put it into your Web browser for > HTTPS) is probably already a good idea because of the 64-but authenticator. > > (One question that is lurking in my mind is whether we should be moving > to CMAC for the MAC part that is CBC-MAC in CCM. That might be worth it > for the ECDHE version, but probably not for the basic PSK.) > > > Standardizing a new profile that will not work with DTLS > > 1.3 would be strange > > Indeed. > > Grüße, Carsten > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Short Authentication Tags in AES-128-CCM Hannes Tschofenig
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Watson Ladd
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Paul Lambert
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Aaron Zauner
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Russ Housley
- Re: [Cfrg] Short Authentication Tags in AES-128-C… John Mattsson
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Salz, Rich
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Carsten Bormann
- Re: [Cfrg] Short Authentication Tags in AES-128-C… John Mattsson
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Aaron Zauner
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Russ Housley
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Paterson, Kenny
- Re: [Cfrg] Short Authentication Tags in AES-128-C… David McGrew (mcgrew)
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Robert Cragie
- Re: [Cfrg] Short Authentication Tags in AES-128-C… Jonathan Trostle
- [Cfrg] ECDHE_PSK was Re: Short Authentication Tag… Hannes Tschofenig
- Re: [Cfrg] ECDHE_PSK was Re: Short Authentication… Carsten Bormann
- Re: [Cfrg] ECDHE_PSK was Re: Short Authentication… Hannes Tschofenig
- Re: [Cfrg] ECDHE_PSK was Re: Short Authentication… Carsten Bormann