Re: [Cfrg] Short Authentication Tags in AES-128-CCM
John Mattsson <john.mattsson@ericsson.com> Thu, 23 July 2015 17:35 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Short Authentication Tags in AES-128-CCM
Date: Thu, 23 Jul 2015 17:35:47 +0000
Message-ID: <D1D6F1D9.3967B%john.mattsson@ericsson.com>
References: <55AE1BB7.8070906@gmx.net> <55AF6E7E.5000300@gmx.net>
In-Reply-To: <55AF6E7E.5000300@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/wCnkXDwzBFx9T4THJ2Q1loViySM>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Hi,

Avtcore/IESG decided to not standardize CCM_8 and GCM_8, but for different reasons. CCM (all tag lengths) was removed as Stephen wanted to limit the number of algorithms, and nobody expressed any imminent plans to implement SRTP with CCM. GCM_8 was removed because of the theoretical weaknesses with GCM and short tags (summarized in https://eprint.iacr.org/2015/477) and their applicability to SRTP (https://mailarchive.ietf.org/arch/msg/avt/cKHmfai2SISd7itL_NlgXRJUPow).

I am not aware of any weaknesses with CCM_8 that depend on the tag length, except the general weakness that the forgery probability is the expected 2^-64. In his recent evaluation for CRYPTREC (http://www.cryptrec.go.jp/estimation/techrep_id2012_2.pdf), Rogaway states as one of the conclusions: “CCM achieves good provable-security results, even with truncated tags”. Given the constrained radio technologies targeted by dice, I think that 64-bit tags are a reasonable tradeoff.

Looking at the dice profile, I am more concerned with the lack of forward security in TLS_PSK_WITH_AES_128_CCM_8 and the fact that this cipher suite will likely be forbidden in DTLS 1.3 (as far as I understand). I would recommend changing this to ECDHE_PSK, or convincing the TLS wg to continue supporting PSK. Standardizing a new profile that will not work with DTLS 1.3 would be strange.

Cheers,
John

On 22/07/15 05:20, "Hannes Tschofenig" <hannes.tschofenig@gmx.net> wrote:

>Hi all,
>
>in the Internet of Things context there has been some excitement to use
>short authentication tags with AES-128-CCM. With short range, low power
>radio technologies shorter frame sizes raise concerns about the number
>of bytes that are available to the application layer.
>
>The DTLS/TLS profile for IoT document <draft-ietf-dice-profile>
>therefore recommends the TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ciphersuite,
>following what the CoAP protocol and also Zigbee IP suggest.
>
>When Stephen did a review of draft-ietf-dice-profile-13 he suggested to
>rather focus on AES-128-CCM with the full-length authentication tag
>instead. He motivates his suggestion based on the decision of the SRTP
>guys to move away from short authentication tags used with AES-GCM-128.
>Of course, AES-CCM and AES-GCM are different and attacks against AES-GCM
>with short authentication tags have been published.
>
>My question to this group is:
>
> * Are you aware of attacks against the AES-128-CCM-8?
> * Are there concerns with the use of short authentication tags, as we
>recommend for the IoT context? (Needless to say that there is a tradeoff
>between rekeying and the number of bits the tag has.)
>
>Ciao
>Hannes
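To put numbers on the rekeying-versus-tag-length tradeoff raised in this exchange, here is an added Python example (not from the list discussion): it models the ideal-MAC assumption the thread makes for CCM, namely that each forgery attempt succeeds with probability 2^-t, and derives the cumulative forgery probability over a key's lifetime and how many failed verifications a key may absorb before a chosen risk budget is spent. The 64- and 128-bit profiles, the 2^-t model and the budget parameters are the example's own assumptions; the model deliberately does not cover GCM's short-tag behaviour, which the thread notes is worse than this ideal.

```python
import math


def per_attempt_forgery_probability(tag_bits: int) -> float:
    """Ideal-MAC model (assumption): one guessed t-bit tag passes with probability 2^-t.
    For t = 64 this is the 'expected 2^-64' figure quoted for CCM_8 in the thread."""
    return 2.0 ** -tag_bits


def cumulative_forgery_probability(tag_bits: int, attempts: int) -> float:
    """Probability that at least one of `attempts` independent forgery attempts is
    accepted before the key is retired: 1 - (1 - p)^q.  Uses log1p/expm1 so that a
    p as small as 2^-64 or 2^-128 does not round away to zero or one."""
    if attempts <= 0:
        return 0.0
    p = per_attempt_forgery_probability(tag_bits)
    return -math.expm1(attempts * math.log1p(-p))


def max_attempts_within_budget(tag_bits: int, budget_log2: int) -> int:
    """Largest number of failed verifications a single key should tolerate if the
    receiver wants the total forgery probability to stay <= 2^-budget_log2.
    Uses the union bound q * 2^-t <= 2^-b, i.e. q <= 2^(t - b); this is the
    'rekey after q failures' side of the tradeoff."""
    if budget_log2 > tag_bits:
        return 0  # the tag is too short to meet this budget even for one attempt
    return 2 ** (tag_bits - budget_log2)


def compare_profiles(attempts: int, budget_log2: int) -> dict:
    """Side-by-side view of CCM_8 (64-bit tag) and full-tag CCM (128-bit tag):
    bytes of per-record overhead, log2 of the forgery probability after `attempts`
    guesses, and how many failed verifications fit in the given risk budget."""
    rows = {}
    for name, bits in (("AES_128_CCM_8", 64), ("AES_128_CCM", 128)):
        rows[name] = {
            "tag_bytes": bits // 8,
            "forgery_prob_log2": math.log2(cumulative_forgery_probability(bits, attempts)),
            "max_attempts_per_key": max_attempts_within_budget(bits, budget_log2),
        }
    return rows


if __name__ == "__main__":
    # Constructed scenario: 2^20 forgery attempts per key, target risk 2^-40.
    for name, row in compare_profiles(attempts=2**20, budget_log2=40).items():
        print(name, row)
```

With a 64-bit tag the receiver must rekey after far fewer rejected records than with a 128-bit tag to hold the same risk budget, which is the operational cost that offsets the 8 bytes saved per record.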