IETF Logo Mail Archive

Re: [Cfrg] new authenticated encryption draft

"Hal Finney" <hal.finney@gmail.com> Sun, 20 August 2006 18:47 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GEsKr-0005vr-75; Sun, 20 Aug 2006 14:47:49 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GEsKp-0005vj-QR for cfrg@ietf.org; Sun, 20 Aug 2006 14:47:47 -0400
Received: from nf-out-0910.google.com ([64.233.182.184]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GEsKo-0000fk-Eh for cfrg@ietf.org; Sun, 20 Aug 2006 14:47:47 -0400
Received: by nf-out-0910.google.com with SMTP id n15so1918071nfc for <cfrg@ietf.org>; Sun, 20 Aug 2006 11:47:45 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=c66tfXfoFEKx437EGEpRsd7iHe6y4asQkvFHtV4+RXNXYwXJUIy/O59yYjjTnNGYKrGf0tjehDA0M4Y3zpYchlmQg3CCfBNAhA9c+KdWOCB4odLIfW84TyV+/yJfYSCcBvg3aTGI1oPwzs2ZGqWy05AVNsn9F5dD/SigYDTH8fA=
Received: by 10.49.8.10 with SMTP id l10mr6803798nfi; Sun, 20 Aug 2006 11:47:45 -0700 (PDT)
Received: by 10.48.211.12 with HTTP; Sun, 20 Aug 2006 11:47:45 -0700 (PDT)
Message-ID: <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com>
Date: Sun, 20 Aug 2006 11:47:45 -0700
From: Hal Finney <hal.finney@gmail.com>
To: "David A. McGrew" <david.a.mcgrew@mindspring.com>
Subject: Re: [Cfrg] new authenticated encryption draft
In-Reply-To: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: bdc523f9a54890b8a30dd6fd53d5d024
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org

On 8/18/06, David A. McGrew <david.a.mcgrew@mindspring.com> wrote:
> Hello,
>
> I've recently submitted a new Internet Draft pertinent to this group,
> and I'd like to ask for your review.  The pre-publication draft is
> online at http://www.mindspring.com/~dmcgrew/draft-mcgrew-auth-
> enc-00.txt
>
> Authenticated Encryption (draft-mcgrew-auth-enc-00.txt)
>
> Abstract.  This draft defines algorithms for authenticated encryption
> with additional authenticated data (AEAD), and defines a uniform
> interface and a registry for such algorithms. The interface and
> registry can be used as an application independent set of
> cryptoalgorithm suites. This approach provides advantages in
> efficiency and security, and promotes the reuse of crypto
> implementations.

Hi, David - That looks very interesting, but I have a few comments.

As a general philosophical point, I am not sure that the name
"authenticated encryption" accurately defines the security properties
for the lay reader. He may think it means that there is authenticity
that the message came from a particular sender, for example. Recently
I have been involved with some disk encryption work which uses
authenticated encryption. In this context, it only means that the
authenticated data was written to the sector at some time in the past.
It doesn't guarantee that what you read from the disk is what was
written there, when you are reading multiple sectors at once (each of
which has its own tag, and each of which might have been rolled back
differently by an attacker). So I think you might want to say
something in more detail about the security properties this encryption
aims to meet, and perhaps mention some caveats about attacks that are
still possible even with AEAD.

In a lot of ways, I think that AEAD is better thought of simply as
providing confidentiality, and nothing more. The purpose of the
"authentication" is to improve the confidentiality guarantee, by
preventing active attacks like chosen ciphertext. Without it, many of
our encryption modes do not provide confidentiality against a
sufficiently powerful attacker.

Another point is that you say that deterministic AEAD algorithms MUST
take an input which goes into the IV. I am not sure I fully understand
the reason for this requirement, but more to the point, I don't think
it is going to be clear to the layman what he should put into this
input. What security properties must his input meet, in order to use
the underlying abstraction safely? Without this guidance, providing
such an input may even be dangerous.

It is outside the scope of your document, but I have found from my
disk experience that the approach in these algorithms of letting the
AEAD algorithm manage uniqueness of IVs at the "micro scale" while the
caller manages uniqueness at the "macro scale" can actually lead to
very inefficient allocation of IV space. For example, with GCM taking
an external IV contribution of 64 bits, if the caller is encrypting a
lot of short messages in a context where it must be stateless and pass
in a random IV contribution, it can only encrypt 2^32 such messages
under a given key. The seemingly vast IV space is eroded to a very
significant limitation similar to what we had in the old days of DES.

One final comment is regarding your proposal AEAD_AES_128_HMAC_SHA1,
for CBC encryption with HMAC authentication. Basically it looks OK,
but when you do the HMAC you "apply it" to the AAD, IV and ciphertext.
This is ambiguous but it sounds like you might mean to concatenate
these fields and HMAC them. If so, that would be unsafe, because it
could be vulnerable to an attack where the boundaries between these
fields are changed by an attacker. For example, he could create AAD'
as AAD||IV, IV' as the first 16 bytes of ciphertext, and ciphertext'
as the remainder of the ciphertext. This would authenticate OK at the
decryption end but would not produce correct plaintext. So you should
be sure to include some length fields inside the HMAC here to assure
unambiguous parsing.


> Comments welcome.  FYI, I'll be in Santa Barbara next week.

Hey, while you're there you should stop in at the Crypto conference... ;-)

Hal

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email