Re: [Cfrg] Question about the order of hashing

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 05 January 2012 16:27 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7137721F84DE for <cfrg@ietfa.amsl.com>; Thu, 5 Jan 2012 08:27:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.924
X-Spam-Level:
X-Spam-Status: No, score=-5.924 tagged_above=-999 required=5 tests=[AWL=-0.675, BAYES_00=-2.599, J_CHICKENPOX_41=0.6, RCVD_IN_DNSWL_MED=-4, SARE_OBFU_ALL=0.751]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xLON691JcsYp for <cfrg@ietfa.amsl.com>; Thu, 5 Jan 2012 08:27:12 -0800 (PST)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id D4E4321F84D2 for <cfrg@irtf.org>; Thu, 5 Jan 2012 08:27:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=sfluhrer@cisco.com; l=3576; q=dns/txt; s=iport; t=1325780833; x=1326990433; h=mime-version:content-transfer-encoding:subject:date: message-id:in-reply-to:references:from:to:cc; bh=KJgsJmY8esSRpg/AB3Cr1l+UB7GcH8pS5IrWoyJChas=; b=YhhAkL8BjErNuqkYAxQ35IJi7nAdqlbgDxoBvLMGokS+hmhJBDygVFt6 YtmZG/ljcxZH7baIHwlSBPHaA+tO3rUFpoZXl26Bvb8GBtYedj0Uj4mI+ SAq5SrKV7Ia+2jGmRw2VYd78cJJyC8EJh8DKwpW5NJMKz4df07c3Q5xl8 c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ah8FAMjOBU+rRDoG/2dsb2JhbABCDoF3qniBBYFyAQEBBBIBHQo/DAQCAQgOAwQBAQEKBhcBBgFFCQgBAQQBCQkIGp87AZ4Tiy5jBIg5nktY
X-IronPort-AV: E=Sophos;i="4.71,462,1320624000"; d="scan'208";a="23963411"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by mtv-iport-2.cisco.com with ESMTP; 05 Jan 2012 16:26:55 +0000
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by mtv-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id q05GQtbu004318; Thu, 5 Jan 2012 16:26:55 GMT
Received: from xmb-sjc-23e.amer.cisco.com ([128.107.191.15]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 5 Jan 2012 08:26:55 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 5 Jan 2012 08:26:53 -0800
Message-ID: <EE0C2F9E065E634B84FC3BE36CF8A4B2087DE600@xmb-sjc-23e.amer.cisco.com>
In-Reply-To: <5C0E5BE9-FE11-46BD-9D91-08FBE0299F10@checkpoint.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Cfrg] Question about the order of hashing
Thread-Index: AczLixWdboFGgb0mTuaGb+2KYIDM+AAN8Krw
References: <5E6BDD30-3EB8-4FBA-826E-4A44DED36283@checkpoint.com><49D24499-1C16-44C4-84C2-36F94F95235C@cs.columbia.edu> <5C0E5BE9-FE11-46BD-9D91-08FBE0299F10@checkpoint.com>
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Yoav Nir" <ynir@checkpoint.com>, "Steven Bellovin" <smb@cs.columbia.edu>
X-OriginalArrivalTime: 05 Jan 2012 16:26:55.0260 (UTC) FILETIME=[D6AE1DC0:01CCCBC6]
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Question about the order of hashing
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 16:27:13 -0000

> -----Original Message-----
> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf
Of
> Yoav Nir
> Sent: Thursday, January 05, 2012 4:19 AM
> To: Steven Bellovin
> Cc: cfrg@irtf.org
> Subject: Re: [Cfrg] Question about the order of hashing
> 
> 
> On Jan 5, 2012, at 11:10 AM, Steven Bellovin wrote:
> 
> >
> > On Jan 5, 2012, at 2:29 35AM, Yoav Nir wrote:
> >
> >> Hi.
> >>
> >> When using keyed hash functions such as HMAC, GHash, and CBC-MAC,
> does the order of the items being concatenated and hashed make any
> difference to the security properties of the keyed hash?
> >>
> >> IOW, does changing HMAC(k, a||b) into HMAC(k, b||a) change the
> security properties.
> >>
> >> My motivation for this question is that I would like to propose a
> variant for IPsec where the sequence numbers are hashed after the
> payload rather than before it. Different size packets take different
> times to hash, so if we try to parallelize IPsec processing,
> arbitrarily many packets may finish processing before a large single
> packet has finished processing.
> >>
> >> IPsec emitters are required to emit the packets in order of the
> sequence numbers, but since the sequence numbers (which are sent in
the
> clear) are hashed first, they have to be allocated before hashing
> begins. By moving them to the end of the hash, I can allocate the
> sequence number after having hashed most of the packet, and have
nearly
> constant-time processing after allocating the sequence number.
> >>
> >> So is this scheme I'm proposing save, or would it introduce some
> major vulnerability.
> >>
> > What is your traffic model?  If it's a single TCP stream, I think
> you'll introduce
> > performance problems at that layer if you're sending packets out of
> TCP order.
> 
> With a single TCP stream that is transferring a lot of data, all
> packets tend to be the same size - that of the MSS. My model is a lot
> of packets, some UDP, some TCP, belonging to multiple streams.
> 
> My implementation would place every TCP stream on a single processor,
> but that's because my implementation is also a firewall. This won't
> help cases where all (or most) traffic is a single TCP stream, but
> parallelizing can help where you have multiple streams or packets
under
> the same SA.

Yoav, might I point out that with ESP-GCM (and GMAC), you can actually
compute things out of order.  That is, you can compute the entire
encrypted data and ICV field assuming a sequence number of 0, and
afterwards figure out how to adjust the ICV for the actual sequence
number.

This adjustment does involve computing H**n (where H is an internal GCM
value derived from the key, and n is the packet length in 16 byte
increments, and the multiplications are GF(2**128) field
multiplications).  Computing this is logarithmic time, not constant
(unless you precompute all the possible H**n values; there's about 100
of them for standard MTU sizes), but is certainly closer to constant
what you're originally looking at with the standard HMAC authentication.

So, what's the benefit of putting up with this complexity?  Well, you
can basically get what you want with standard (RFC-compliant) protocols.
So, you can implement what you want without asking anyone else to do
anything (well, other than implement the GCM RFC, I suppose).  I share
Steve's concerns about sending packets out of order (my personal worry
would be video), but you can implement it yourself, and see in practice
if it works well.