Re: [Cfrg] Short Authentication Tags in AES-128-CCM

Paul Lambert <paul@marvell.com> Wed, 22 July 2015 18:52 UTC

From: Paul Lambert <paul@marvell.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Wed, 22 Jul 2015 18:52:03 +0000
Message-ID: <D1D5328F.737E3%paul@marvell.com>
References: <55AE1BB7.8070906@gmx.net> <55AF6E7E.5000300@gmx.net>
In-Reply-To: <55AF6E7E.5000300@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/yK_J7H7UREKvQnxV4anDp6LmC1Q>
Subject: Re: [Cfrg] Short Authentication Tags in AES-128-CCM

Another option that has been picked up by byte-sensitive standards groups
is to use AES-SIV.  The IV and integrity check are combined, saving overall
encapsulation size.  Also, AES-SIV has a significant advantage that it
does not require nonce/IV uniqueness.  Setup is simplified for pair-wise
links.  Broadcast/multicast is viable without complex nonce coordination.

AES-128-SIV is a much better option for small messages than tweaking
AES-128-CCM.  

Paul



On 7/22/15, 3:20 AM, "Cfrg on behalf of Hannes Tschofenig"
<cfrg-bounces@irtf.org on behalf of hannes.tschofenig@gmx.net> wrote:

>Hi all,
>
>in the Internet of Things context there has been some excitement about
>using short authentication tags with AES-128-CCM. With short-range,
>low-power radio technologies, shorter frame sizes raise concerns about
>the number of bytes that are available to the application layer.
>
>The DTLS/TLS profile for IoT document <draft-ietf-dice-profile>
>therefore recommends the TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ciphersuite,
>following what the CoAP protocol and also Zigbee IP suggest.
>
>When Stephen did a review of draft-ietf-dice-profile-13, he suggested
>rather focusing on AES-128-CCM with the full-length authentication tag
>instead. He motivates his suggestion with the decision of the SRTP
>guys to move away from short authentication tags used with AES-GCM-128.
>Of course, AES-CCM and AES-GCM are different, and attacks against AES-GCM
>with short authentication tags have been published.
>
>My question to this group is:
>
> * Are you aware of attacks against the AES-128-CCM-8?
> * Are there concerns with the use of short authentication tags, as we
>recommend for the IoT context? (Needless to say, there is a tradeoff
>between rekeying and the number of bits the tag has.)
>
>Ciao
>Hannes
>
>
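
Added example for this archive page (not code from either poster, nor from RFC 5297 itself): AES-SIV as specified in RFC 5297, built only from the Go standard library's AES, CTR and constant-time helpers. It makes Paul's point concrete: the 16-byte synthetic IV returned by S2V is at once the integrity check and the CTR starting value, so a sealed message carries 16 bytes of overhead and no explicit nonce, and the same key, AD and plaintext always produce the same output. The names SIV, NewSIV, Seal, Open, xorCTR, cmac, s2v and dbl are this example's own; the key, AD and plaintext in main are the RFC 5297 Appendix A.1 test vector, and the first line printed should equal that appendix's IV || C output.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

func dbl(in []byte) []byte { // doubling in GF(2^128): shift left, xor 0x87 into the low byte on carry out
	hi, lo := binary.BigEndian.Uint64(in), binary.BigEndian.Uint64(in[8:])
	return binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint64(nil, hi<<1|lo>>63), lo<<1^(0x87&-(hi>>63)))
}

func cmac(b cipher.Block, msg []byte) []byte { // AES-CMAC (RFC 4493) of msg under b
	l := make([]byte, 16)
	b.Encrypt(l, l) // L = AES_K(0^128); subkeys K1 = dbl(L), K2 = dbl(K1)
	k1, k2 := dbl(l), dbl(dbl(l))
	x, last, k := make([]byte, 16), make([]byte, 16), k1
	for len(msg) > 16 { // CBC-MAC over every block except the last
		subtle.XORBytes(x, x, msg[:16])
		b.Encrypt(x, x)
		msg = msg[16:]
	}
	if copy(last, msg) < 16 { // partial or empty final block: 10* padding, then K2 instead of K1
		last[len(msg)], k = 0x80, k2
	}
	subtle.XORBytes(last, last, k)
	subtle.XORBytes(x, x, last)
	b.Encrypt(x, x)
	return x
}

func s2v(b cipher.Block, inputs ...[]byte) []byte { // S2V (RFC 5297 section 2.4): AD strings first, plaintext last
	d := cmac(b, make([]byte, 16))
	for _, s := range inputs[:len(inputs)-1] {
		d = dbl(d)
		subtle.XORBytes(d, d, cmac(b, s))
	}
	last := inputs[len(inputs)-1]
	if len(last) >= 16 { // xorend: D is XORed into the final 16 bytes of the plaintext
		t := append([]byte(nil), last...)
		subtle.XORBytes(t[len(t)-16:], t[len(t)-16:], d)
		return cmac(b, t)
	}
	t := dbl(d) // short plaintext: dbl(D) xor pad(Sn)
	subtle.XORBytes(t, t, last)
	t[len(last)] ^= 0x80
	return cmac(b, t)
}

type SIV struct{ mac, ctr cipher.Block } // K1 drives S2V (the tag), K2 drives CTR (the encryption)
func NewSIV(key []byte) (*SIV, error) { // key = K1 || K2, 32 bytes for AES-128-SIV
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-128-SIV needs a 32-byte key, got %d bytes", len(key))
	}
	mac, _ := aes.NewCipher(key[:16]) // sizes validated above, so these cannot fail
	ctr, _ := aes.NewCipher(key[16:])
	return &SIV{mac, ctr}, nil
}

func (s *SIV) xorCTR(dst, src, v []byte) { // CTR-AES under K2, starting from V with bits 31 and 63 cleared (section 2.6)
	q := append([]byte(nil), v...)
	q[8], q[12] = q[8]&0x7f, q[12]&0x7f
	cipher.NewCTR(s.ctr, q).XORKeyStream(dst, src)
}

func (s *SIV) Seal(ad [][]byte, plaintext []byte) []byte { // output is V || CTR(K2, Q, plaintext); V is the tag
	v := s2v(s.mac, append(append([][]byte{}, ad...), plaintext)...)
	out := append(append(make([]byte, 0, 16+len(plaintext)), v...), plaintext...)
	s.xorCTR(out[16:], out[16:], v)
	return out
}

func (s *SIV) Open(ad [][]byte, ciphertext []byte) ([]byte, error) { // decrypt, then recompute V and compare
	if len(ciphertext) < 16 {
		return nil, fmt.Errorf("ciphertext shorter than the 16-byte SIV")
	}
	v, pt := ciphertext[:16], make([]byte, len(ciphertext)-16)
	s.xorCTR(pt, ciphertext[16:], v)
	if subtle.ConstantTimeCompare(s2v(s.mac, append(append([][]byte{}, ad...), pt)...), v) != 1 {
		return nil, fmt.Errorf("authentication failed")
	}
	return pt, nil
}

func main() {
	key, _ := hex.DecodeString("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff") // RFC 5297 A.1: K1 || K2
	ad, _ := hex.DecodeString("101112131415161718191a1b1c1d1e1f2021222324252627")
	pt, _ := hex.DecodeString("112233445566778899aabbccddee")
	s, _ := NewSIV(key)
	ct := s.Seal([][]byte{ad}, pt)
	fmt.Printf("%x (%d bytes of overhead, nonce included)\n", ct, len(ct)-len(pt))
	ct[20] ^= 1 // flip one ciphertext bit: Open must now reject the message
	_, err := s.Open([][]byte{ad}, ct)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Run it with go run (it needs Go 1.20 or later for subtle.XORBytes). Two things to keep in mind when weighing this against the CCM-8 question Hannes raised: the 16-byte SIV is the same per-record overhead as TLS 1.2 CCM framing (RFC 6655) spends on its 8-byte explicit nonce plus an 8-byte tag, but here all 128 bits are integrity check; and because Seal is deterministic, repeating a (key, AD, plaintext) triple repeats the ciphertext, which is exactly what removes the nonce-uniqueness requirement but also lets an observer see that a message was repeated. Where that matters, RFC 5297 allows a nonce to be supplied as the last associated-data string.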