Re: [Cfrg] new authenticated encryption draft
"Hal Finney" <hal.finney@gmail.com> Sun, 20 August 2006 18:47 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GEsKr-0005vr-75; Sun, 20 Aug 2006 14:47:49 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GEsKp-0005vj-QR for cfrg@ietf.org; Sun, 20 Aug 2006 14:47:47 -0400
Received: from nf-out-0910.google.com ([64.233.182.184]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GEsKo-0000fk-Eh for cfrg@ietf.org; Sun, 20 Aug 2006 14:47:47 -0400
Received: by nf-out-0910.google.com with SMTP id n15so1918071nfc for <cfrg@ietf.org>; Sun, 20 Aug 2006 11:47:45 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=c66tfXfoFEKx437EGEpRsd7iHe6y4asQkvFHtV4+RXNXYwXJUIy/O59yYjjTnNGYKrGf0tjehDA0M4Y3zpYchlmQg3CCfBNAhA9c+KdWOCB4odLIfW84TyV+/yJfYSCcBvg3aTGI1oPwzs2ZGqWy05AVNsn9F5dD/SigYDTH8fA=
Received: by 10.49.8.10 with SMTP id l10mr6803798nfi; Sun, 20 Aug 2006 11:47:45 -0700 (PDT)
Received: by 10.48.211.12 with HTTP; Sun, 20 Aug 2006 11:47:45 -0700 (PDT)
Message-ID: <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com>
Date: Sun, 20 Aug 2006 11:47:45 -0700
From: Hal Finney <hal.finney@gmail.com>
To: "David A. McGrew" <david.a.mcgrew@mindspring.com>
Subject: Re: [Cfrg] new authenticated encryption draft
In-Reply-To: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: bdc523f9a54890b8a30dd6fd53d5d024
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
On 8/18/06, David A. McGrew <david.a.mcgrew@mindspring.com> wrote: > Hello, > > I've recently submitted a new Internet Draft pertinent to this group, > and I'd like to ask for your review. The pre-publication draft is > online at http://www.mindspring.com/~dmcgrew/draft-mcgrew-auth- > enc-00.txt > > Authenticated Encryption (draft-mcgrew-auth-enc-00.txt) > > Abstract. This draft defines algorithms for authenticated encryption > with additional authenticated data (AEAD), and defines a uniform > interface and a registry for such algorithms. The interface and > registry can be used as an application independent set of > cryptoalgorithm suites. This approach provides advantages in > efficiency and security, and promotes the reuse of crypto > implementations. Hi, David - That looks very interesting, but I have a few comments. As a general philosophical point, I am not sure that the name "authenticated encryption" accurately defines the security properties for the lay reader. He may think it means that there is authenticity that the message came from a particular sender, for example. Recently I have been involved with some disk encryption work which uses authenticated encryption. In this context, it only means that the authenticated data was written to the sector at some time in the past. It doesn't guarantee that what you read from the disk is what was written there, when you are reading multiple sectors at once (each of which has its own tag, and each of which might have been rolled back differently by an attacker). So I think you might want to say something in more detail about the security properties this encryption aims to meet, and perhaps mention some caveats about attacks that are still possible even with AEAD. In a lot of ways, I think that AEAD is better thought of simply as providing confidentiality, and nothing more. The purpose of the "authentication" is to improve the confidentiality guarantee, by preventing active attacks like chosen ciphertext. Without it, many of our encryption modes do not provide confidentiality against a sufficiently powerful attacker. Another point is that you say that deterministic AEAD algorithms MUST take an input which goes into the IV. I am not sure I fully understand the reason for this requirement, but more to the point, I don't think it is going to be clear to the layman what he should put into this input. What security properties must his input meet, in order to use the underlying abstraction safely? Without this guidance, providing such an input may even be dangerous. It is outside the scope of your document, but I have found from my disk experience that the approach in these algorithms of letting the AEAD algorithm manage uniqueness of IVs at the "micro scale" while the caller manages uniqueness at the "macro scale" can actually lead to very inefficient allocation of IV space. For example, with GCM taking an external IV contribution of 64 bits, if the caller is encrypting a lot of short messages in a context where it must be stateless and pass in a random IV contribution, it can only encrypt 2^32 such messages under a given key. The seemingly vast IV space is eroded to a very significant limitation similar to what we had in the old days of DES. One final comment is regarding your proposal AEAD_AES_128_HMAC_SHA1, for CBC encryption with HMAC authentication. Basically it looks OK, but when you do the HMAC you "apply it" to the AAD, IV and ciphertext. This is ambiguous but it sounds like you might mean to concatenate these fields and HMAC them. If so, that would be unsafe, because it could be vulnerable to an attack where the boundaries between these fields are changed by an attacker. For example, he could create AAD' as AAD||IV, IV' as the first 16 bytes of ciphertext, and ciphertext' as the remainder of the ciphertext. This would authenticate OK at the decryption end but would not produce correct plaintext. So you should be sure to include some length fields inside the HMAC here to assure unambiguous parsing. > Comments welcome. FYI, I'll be in Santa Barbara next week. Hey, while you're there you should stop in at the Crypto conference... ;-) Hal _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft Greg Rose
- Re: [Cfrg] new authenticated encryption draft Ted Krovetz
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Scott Fluhrer
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- RE: [Cfrg] new authenticated encryption draft Santosh Chokhani
- Re: [Cfrg] new authenticated encryption draft Ken Raeburn
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- RE: [Cfrg] new authenticated encryption draft Blumenthal, Uri
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Doug Whiting
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- RE: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft Phillip Rogaway
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- [Cfrg] AES-based key derivation David McGrew