Re: [Cfrg] New Version Notification for draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt

Watson Ladd <watsonbladd@gmail.com> Fri, 14 February 2014 15:55 UTC


On Fri, Feb 14, 2014 at 3:05 AM, David McGrew <mcgrew@cisco.com> wrote:

> On 02/13/2014 08:44 PM, Watson Ladd wrote:
>
> On Thu, Feb 13, 2014 at 4:49 PM, David McGrew <mcgrew@cisco.com> wrote:
>
>> Hi,
>>
>> the latest version of this draft is out.  Thanks are due to Jim Schaad
>> and Rob Napier for their feedback on version 02.
>>
>> The goals of this draft are to provide an authenticated encryption scheme
>> suitable for use in those cases where CBC and HMAC are available, but no
>> dedicated AE schemes are available.   Also, it doesn't require
>> deterministic nonces, which itself is useful in some situations.
>>
>> It might be nice to add a description of how IVs can be pseudorandomly
>> generated.   It would be especially useful to generate the IV using the
>> same key as used for encryption, with an unpredictable counter, or
>> something like that.   Is anyone aware of a security proof that could be
>> cited for that sort of technique?   I think that some systems would have a
>> much easier time maintaining a counter than they would generating truly
>> random IVs, which is reasonable motivation in my opinion.   Glad to hear
>> other thoughts on this subject.
>>
>
> Doesn't the usual PRF definition give you exactly this?
>
> Yes; the only tricky bit is showing that using the CBC encryption key to
> generate pseudorandom IVs doesn't affect CBC encryption security.   I'm
> sure that it can be done securely, but I don't know of a proof of security
> (for using a single key for both CBC and to generate IVs) that I can point
> to.
>

Okay, I didn't realize we needed a single key. Then I think the following
proof works, but I don't know how strong the result is. Replace the PRP
with a PRF by Bernstein's lemma. Then so long as we've never encrypted a
block equal to the counter, life is good. Show this can't happen with more
than negligible probability for the ideal PRF. Conclude that an attacker
who breaks the scheme turns into one who can distinguish the PRF from an
ideal PRF with some loss.

Sincerely,
Watson Ladd

>
> David
>
>> David
>>
>> --
>>
>> A new version of I-D, draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt
>> has been successfully submitted by David McGrew and posted to the
>> IETF repository.
>>
>> Name:		draft-mcgrew-aead-aes-cbc-hmac-sha2
>> Revision:	03
>> Title:		Authenticated Encryption with AES-CBC and HMAC-SHA
>> Document date:	2014-02-13
>> Group:		Individual Submission
>> Pages:		29
>> URL:            http://www.ietf.org/internet-drafts/draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt
>> Status:         https://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/
>> Htmlized:       http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-03
>> Diff:           http://www.ietf.org/rfcdiff?url2=draft-mcgrew-aead-aes-cbc-hmac-sha2-03
>>
>> Abstract:
>>    This document specifies algorithms for authenticated encryption with
>>    associated data (AEAD) that are based on the composition of the
>>    Advanced Encryption Standard (AES) in the Cipher Block Chaining (CBC)
>>    mode of operation for encryption, and the HMAC-SHA message
>>    authentication code (MAC).
>>
>>    These are randomized encryption algorithms, and thus are suitable for
>>    use with applications that cannot provide distinct nonces to each
>>    invocation of the AEAD encrypt operation.
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>


-- 
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
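An added illustration of the construction the thread discusses, not code from the draft or from either poster: CBC with the IV derived as E_K(counter) under the CBC key itself, plus a check for the bad event in Watson's sketch (a CBC block-cipher input that equals a counter value). The block cipher is a toy HMAC-based Feistel permutation standing in for AES, and all function names are this example's own.

```python
import hashlib
import hmac
BLOCK = 16  # 128-bit blocks, as for AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Round function: HMAC-SHA256 truncated to half a block (a PRF, as the sketch assumes).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_prp(key, block):
    # 4-round Feistel network over 16-byte blocks: a stand-in PRP, not AES.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def toy_prp_inv(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, counter, pt):
    # IV = E_K(counter) under the CBC key itself, as proposed in the thread.
    # Returns (iv, ciphertext, every CBC chaining input fed to the cipher under key).
    if len(pt) % BLOCK:
        raise ValueError("plaintext must be whole blocks; padding is out of scope here")
    iv = toy_prp(key, counter.to_bytes(BLOCK, "big"))
    inputs, prev, out = [], iv, []
    for j in range(0, len(pt), BLOCK):
        x = _xor(pt[j:j + BLOCK], prev)  # CBC input P_j XOR C_{j-1}
        inputs.append(x)
        prev = toy_prp(key, x)
        out.append(prev)
    return iv, b"".join(out), inputs

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for j in range(0, len(ct), BLOCK):
        out.append(_xor(toy_prp_inv(key, ct[j:j + BLOCK]), prev))
        prev = ct[j:j + BLOCK]
    return b"".join(out)

def counter_collision(counters, cipher_inputs):
    # The bad event the sketch must bound: a CBC cipher input equals an IV counter value.
    ctr_blocks = {c.to_bytes(BLOCK, "big") for c in counters}
    return any(x in ctr_blocks for x in cipher_inputs)
```

With honest plaintext the collision event has negligible probability; the test below forces it by choosing the first plaintext block as counter XOR IV, which is exactly the case the proof has to rule out for an attacker who cannot predict the IV.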