Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Taylor R Campbell <campbell+cfrg@mumble.net> Sat, 16 April 2016 18:53 UTC

From: Taylor R Campbell <campbell+cfrg@mumble.net>
To: Dan Harkins <dharkins@lounge.org>
In-reply-to: <7a32ee823d39c1d80de6c179837451ab.squirrel@www.trepanning.net> (dharkins@lounge.org)
Date: Sat, 16 Apr 2016 18:53:00 +0000
Sender: Taylor R Campbell <campbell@mumble.net>
Message-Id: <20160416185133.D031360319@jupiter.mumble.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/xKfDWuH-t832tIyle76N-SRvDz4>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

   Date: Fri, 15 Apr 2016 13:46:19 -0700 (PDT)
   From: "Dan Harkins" <dharkins@lounge.org>

     Way back at IETF70 I proposed some ciphersuites for TLS using
   AES-SIV (RFC 5297). AES-SIV has the same nonce-misuse properties
   as AES-GCM-SIV but it's a 2-pass cipher mode. The general response
   I received can be summarized as "we don't need nonce misuse because
   the nonce is not part of the API that Joe User, who may be ignorant
   of nonce usage issues, calls and everyone writing a TLS implementation
   knows what he or she is doing so it's not a problem."

I drafted the following message in reply:

`For TLS, it is not a matter of ``all the implementors know what
 they're doing''.  Rather, if you reuse a nonce, your implementation
 is simply broken and will immediately, noisily fail to interoperate.

`For that case, AES-GCM-SIV is strictly less secure than AES-GCM
 because AES-GCM-SIV effectively uses randomly chosen 96-bit nonces
 and hence has a small birthday bound before an accidental internal
 nonce reuse (which is catastrophic).  AES-GCM nonces, in contrast,
 are guaranteed never to repeat in a TLS conversation.'

But then, on fact-checking myself, I discovered that the AES-GCM
cipher suites in TLS (RFC 5288) do not actually mandate the use of the
message sequence number as the nonce, which would have the fail-early
fail-closed effect I described -- instead the senders pick nonces on
their own arbitrarily and transmit them alongside the message, and the
receivers accept any nonces they receive.
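An added example, not part of either message in this thread, that puts numbers on the two points above: the birthday bound for uniformly random 96-bit nonces (the AES-GCM-SIV case described), and a receiver-side policy, assumed here rather than taken from RFC 5288, that binds the explicit nonce of a TLS 1.2 AES-GCM record to the record sequence number so that a repeated or skipped nonce fails early and closed instead of being silently accepted.

```python
import math

NONCE_BITS = 96  # nonce length for AES-GCM and AES-GCM-SIV


def collision_probability(n: int, bits: int = NONCE_BITS) -> float:
    """Birthday bound: probability that at least two of n uniformly random
    bits-bit nonces coincide, via 1 - exp(-n(n-1)/2^(bits+1))."""
    return -math.expm1(-n * (n - 1) / 2.0 ** (bits + 1))


def messages_until(p: float, bits: int = NONCE_BITS) -> int:
    """Approximate number of random nonces at which the collision
    probability first reaches p (inverse of the bound, with n^2 ~ n(n-1))."""
    return math.ceil(math.sqrt(-(2.0 ** (bits + 1)) * math.log1p(-p)))


class StrictNonceReceiver:
    """Assumed fail-closed policy for the RFC 5288 record nonce layout:
    4-byte implicit salt || 8-byte explicit nonce carried in the record.
    RFC 5288 lets the sender pick the explicit part freely; this receiver
    insists it equals the 64-bit record sequence number."""

    def __init__(self, salt: bytes):
        if len(salt) != 4:
            raise ValueError("implicit salt must be 4 bytes")
        self.salt = salt
        self.expected_seq = 0

    def accept(self, record: bytes) -> bytes:
        """Return the full 96-bit nonce for record, or raise on any deviation."""
        if len(record) < 8:
            raise ValueError("record too short to carry an explicit nonce")
        explicit = record[:8]
        seq = int.from_bytes(explicit, "big")
        if seq != self.expected_seq:
            # A repeated or out-of-order explicit nonce is an implementation bug;
            # refuse the record rather than decrypt under a possibly reused nonce.
            raise ValueError(f"explicit nonce {seq}, expected {self.expected_seq}")
        self.expected_seq += 1
        return self.salt + explicit


def audit_records(salt: bytes, records: list) -> list:
    """Run a record stream through the strict policy; True means accepted.
    A real receiver would close the connection at the first False."""
    rx, verdicts = StrictNonceReceiver(salt), []
    for rec in records:
        try:
            rx.accept(rec)
            verdicts.append(True)
        except ValueError:
            verdicts.append(False)
    return verdicts
```

With these inputs, random 96-bit nonces reach a 2^-32 collision probability after roughly 6 billion messages, which is the "small birthday bound" the message refers to.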