[cicm] RFC 5116 (AEAD)
"Novikov, Lev" <lnovikov@mitre.org> Wed, 24 August 2011 17:18 UTC
Return-Path: <lnovikov@mitre.org>
X-Original-To: cicm@ietfa.amsl.com
Delivered-To: cicm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D669721F86F6 for <cicm@ietfa.amsl.com>; Wed, 24 Aug 2011 10:18:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.561
X-Spam-Level:
X-Spam-Status: No, score=-5.561 tagged_above=-999 required=5 tests=[AWL=-1.038, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SUBJ_ALL_CAPS=2.077]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QphYP2u6Grbt for <cicm@ietfa.amsl.com>; Wed, 24 Aug 2011 10:18:24 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id BB2FD21F876F for <cicm@ietf.org>; Wed, 24 Aug 2011 10:18:24 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 6586321B1285 for <cicm@ietf.org>; Wed, 24 Aug 2011 13:19:35 -0400 (EDT)
Received: from imchub2.MITRE.ORG (imchub2.mitre.org [129.83.29.74]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 60D6E21B073E for <cicm@ietf.org>; Wed, 24 Aug 2011 13:19:35 -0400 (EDT)
Received: from IMCMBX3.MITRE.ORG ([129.83.29.206]) by imchub2.MITRE.ORG ([129.83.29.74]) with mapi; Wed, 24 Aug 2011 13:19:35 -0400
From: "Novikov, Lev" <lnovikov@mitre.org>
To: "CICM Discussion List (cicm@ietf.org)" <cicm@ietf.org>
Date: Wed, 24 Aug 2011 13:18:32 -0400
Thread-Topic: RFC 5116 (AEAD)
Thread-Index: AcxigcxlwIPJgN19T/a+DCPpDcGWZQ==
Message-ID: <F9AB58FA72BAE7449E7723791F6993ED0630EDCA5A@IMCMBX3.MITRE.ORG>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [cicm] RFC 5116 (AEAD)
X-BeenThere: cicm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: CICM Discussion List <cicm@ietf.org>
List-Id: CICM Discussion List <cicm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cicm>, <mailto:cicm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cicm>
List-Post: <mailto:cicm@ietf.org>
List-Help: <mailto:cicm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cicm>, <mailto:cicm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2011 17:18:25 -0000
On 2011-07-27 14:39, David McGrew wrote: [...] > RFC 5116 defines a standard interface to Authenticated Encryption with > Associated Data (AEAD) algorithms, which is used by TLS 1.2, SSH, > SRTP, IKE, and SMIME, and is backwards compatible with ESP. The AEAD > interface is simple (two defined messages, four inputs and one output > each), and AEAD is widely regarded as the state of the art in security > and efficiency (including both OCB and GCM, for instance). It appears > that CICM is not compatible with this interface, in which case it > would be a real step backwards. (If CICM does support AEAD, it is not > clear to me how it does. Am I missing something?) > > CICM is intended for use in a high assurance crypto module. > Considering that AES-GCM is required for Suite B, and the Suite B RFCs > all cite RFC 5116, the lack of AEAD support appears problematic. [...] I've read through RFC 5116 and there doesn't seem to be any reason why CICM couldn't support AEAD, although it would probably have to be its own channel type. Here's why: 1. AEAD encryption takes a key (K), a nonce (N), plaintext (P), and associated data (A) and outputs ciphertext (C). Decryption takes K, N, A, and C and returns P (or FAIL). (Simplicity itself!) 2. Since the associated data (A) is sent in the clear, this is similar to a CICM::EncryptBypass::Conduit, although the whole bundle is authenticated, so it is more like a CICM::Encrypt::WithMACConduit --albeit with a single key (K). See: http://tools.ietf.org/html/draft-lanz-cicm-cm-01#section-9.8 http://tools.ietf.org/html/draft-lanz-cicm-cm-01#section-14.5 3. Therefore, it seems like the best way to handle AEAD would be to create a new channel type. Specifically, we'd need to support creating a conduit just like an EncryptBypass::Conduit (one key, one algorithm) that behaved like an Encrypt::WithMACConduit (supporting the end_get_mac() method). CICM::Status create_encrypt_auth_data_conduit( in CICM::RemotePort remote_port, in CICM::SymKey key_ref, in CICM::SymEncrAlgorithmId algorithm, out CICM::EncryptBypass::AEADConduit conduit_ref ); The conduit would look exactly like a Encrypt::WithMACConduit, except that both key attributes (key, mac_key) would point to the same key. For example, interface AEADConduit : CICM::AbstractMACConduit, CICM::Encrypt::Conduit {} 4. The approach above would differ from RFC 5116 in a few ways: - There is not a single method with four inputs that returns a single output. This is because in CICM channel *creation* is separate from channel *usage*. - The output is not returned, but is emitted in another domain. If necessary, we can add a similar channel type to the CICM::Coprocessor namespace as we have for Coprocessor::EncryptWithMACConduit. The conduit would no longer require a remote port, and the conduit would inherit from CICM::Coprocessor::EncryptConduit rather than CICM::Encrypt::Conduit. See: http://tools.ietf.org/html/draft-lanz-cicm-cm-01#section-18 http://tools.ietf.org/html/draft-lanz-cicm-cm-01#section-18.3 http://tools.ietf.org/html/draft-lanz-cicm-cm-01#section-18.4 - Additionally, the nonce (N) parameter would be omitted, but could be supplied or generated using the attributes and methods inherited from CICM::SetVectorController and CICM::GenVectorController. See: http://tools.ietf.org/html/draft-lanz-cicm-cm-01#section-7.5 http://tools.ietf.org/html/draft-lanz-cicm-cm-01#section-7.6 ** David McGrew: - Is my understanding of how AEAD works correct? - Would these sorts of additions satisfy the needs of AEAD, or would a more explicit conformance to the method signature be required? Lev
- [cicm] RFC 5116 (AEAD) Novikov, Lev