IETF Logo Mail Archive

Re: [Cfrg] Short Authentication Tags in AES-128-CCM

Robert Cragie <robert.cragie@gridmerge.com> Fri, 24 July 2015 17:53 UTC

Return-Path: <robert.cragie@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABB6E1A8757 for <cfrg@ietfa.amsl.com>; Fri, 24 Jul 2015 10:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1AwNz3VHMyU for <cfrg@ietfa.amsl.com>; Fri, 24 Jul 2015 10:53:22 -0700 (PDT)
Received: from mail-lb0-x229.google.com (mail-lb0-x229.google.com [IPv6:2a00:1450:4010:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD9541A8709 for <cfrg@irtf.org>; Fri, 24 Jul 2015 10:53:18 -0700 (PDT)
Received: by lblf12 with SMTP id f12so19873930lbl.2 for <cfrg@irtf.org>; Fri, 24 Jul 2015 10:53:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:sender:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=Z8xO/yPvqseJVCweo8wLEKOU/yeArE5uslbamHgO3Pc=; b=hCscMnH1QO6/wAwJ0wGu9YfUg4MtH8ccw953trzBgHILBDKH9Fm45tIkWYsnJonHyw ZzrtePdQwjOu/rsqGZPpvLk5+7slqSQ4+FRuPVawojTMgVheuvU0XukqntZT8Fe29lYB YW1ozzbEGTUMOmT9uCkLhM8ND0mfnfFJ3qgSEEw+Vg9YnkRtWCRjMNiwuam90IdjZYQt SvWQaaBIMyz8Ccnp6wodjhD+89aXSxWBlJV+iBxNF5Si1JMW0YXWz8FqR7zJV2d+mfYS MFvhFbLO3sPvGzmqFcAnCm7SrWpKDfrxLVpc7sgs3FD/nskbPWKW6a3Dl/zQ8XOO87To lBrA==
MIME-Version: 1.0
X-Received: by 10.153.7.137 with SMTP id dc9mr14690239lad.16.1437760397275; Fri, 24 Jul 2015 10:53:17 -0700 (PDT)
Sender: robert.cragie@gmail.com
Received: by 10.25.31.75 with HTTP; Fri, 24 Jul 2015 10:53:17 -0700 (PDT)
In-Reply-To: <55B1E397.2000206@tzi.org>
References: <55AE1BB7.8070906@gmx.net> <55AF6E7E.5000300@gmx.net> <D1D6F1D9.3967B%john.mattsson@ericsson.com> <55B1E397.2000206@tzi.org>
Date: Fri, 24 Jul 2015 18:53:17 +0100
X-Google-Sender-Auth: Rp9SNK-gqWROWg03Z6IJXuC6Hio
Message-ID: <CADrU+dL+dyePF9+sKqPKbi6m+r4Heg==kKekyJ6uh-4k3jydiw@mail.gmail.com>
From: Robert Cragie <robert.cragie@gridmerge.com>
To: Carsten Bormann <cabo@tzi.org>
Content-Type: multipart/alternative; boundary="001a113462a4c077af051ba2adab"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/inpN5DW5UsPsmKsUWUlERV_aIhU>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Short Authentication Tags in AES-128-CCM
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: robert.cragie@gridmerge.com
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2015 17:53:25 -0000

I agree with all Carsten's points below. Regarding CMAC - I haven't found a
case where we can totally eliminate the use of HMAC-SHA256 for one reason
or another but that is possibly a goal to work towards.

Robert

On 24 July 2015 at 08:04, Carsten Bormann <cabo@tzi.org> wrote:

> > Avtcore/IESG decided to not standardize CCM_8 and GCM_8, but for
> different
> > reasons. CCM (all tag lengths) was removed as Stephen wanted to limit the
> > number of algorithms, and nobody expressed any imminent plans to
> implement
> > SRTP with CCM. GCM_8 was removed because of the theoretical weaknesses
> > with GCM and short tags (summarized in https://eprint.iacr.org/2015/477)
> > and their applicability to SRTP
> > (https://mailarchive.ietf.org/arch/msg/avt/cKHmfai2SISd7itL_NlgXRJUPow).
>
> Right, SRTP applications typically don't run in the hardware/software
> environments described by RFC 7228, so there is little reason to have
> CCM-based cipher suites around.
>
> > I am not aware of any weaknesses with CCM_8 that depends on the tag
> > length, except the general weakness that the forgery probability is the
> > expected 2^-64. In his recent evaluation for Cryptec
> > (http://www.cryptrec.go.jp/estimation/techrep_id2012_2.pdf), Rogaway
> > states as one of the conclusions “CCM achieves good provable-security
> > results, even with truncated tags” Given the constrained radio
> > technologies targeted by dice, I think that 64-bit tags are a reasonable
> > tradeoff.
>
> +1
>
> > Looking at the dice profile, I am more concerned with the lack of forward
> > security in TLS_PSK_WITH_AES_128_CCM_8 and the fact that this cipher
> suite
> > will likely be forbidden in DTLS 1.3 (as far as I understand). I would
> > recommend changing this to ECDHE_PSK, or convincing the TLS wg to
> continue
> > supporting PSK.
>
> Actually, we should move to ECDHE_PSK...CCM_8 as our default profile,
> but there is still a set of applications where
> TLS_PSK_WITH_AES_128_CCM_8 is a perfect fit. Qualifying this cipher
> suite as a special-use one (don't put it into your Web browser for
> HTTPS) is probably already a good idea because of the 64-but authenticator.
>
> (One question that is lurking in my mind is whether we should be moving
> to CMAC for the MAC part that is CBC-MAC in CCM.  That might be worth it
> for the ECDHE version, but probably not for the basic PSK.)
>
> > Standardizing a new profile that will not work with DTLS
> > 1.3 would be strange
>
> Indeed.
>
> Grüße, Carsten
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email