Re: Last Call: draft-dharkins-siv-aes (SIV Authenticated Encryption using AES) to Proposed Standard
"Dan Harkins" <dharkins@lounge.org> Wed, 21 May 2008 03:53 UTC
Message-ID: <75e677cc9ea49f98eed0d99dfc70e61f.squirrel@www.trepanning.net>
In-Reply-To: <20080514133859.GA12555@jm.kir.nu>
References: <20080514133859.GA12555@jm.kir.nu>
Date: Tue, 20 May 2008 11:26:47 -0700
Subject: Re: Last Call: draft-dharkins-siv-aes (SIV Authenticated Encryption using AES) to Proposed Standard
From: Dan Harkins <dharkins@lounge.org>
To: Jouni Malinen <j@w1.fi>
Cc: dharkins@arubanetworks.com, ietf@ietf.org
Hi Jouni,

  Thank you very much for your review of my I-D and for identification of
the issues you describe below. I have updated the draft to incorporate
your suggested modifications:

  - mention S2V before CTR in the description of SIV keying.
  - define "bitand" in section 2.1 as the logical AND of two equal length
    strings, then use "bitand" in sections 2.6 and 2.7 as you suggest.
  - fixed the test vector in section A.2

I also verified that my SIV implementation generates the correct test
vectors and this matches the test vectors sent to NIST.

The draft has been updated and a -03 should be in the repository right now.

Once again, thanks for your review and for identifying these issues before
the draft got published.

regards,

Dan.

On Wed, May 14, 2008 6:38 am, Jouni Malinen wrote:
>> - 'SIV Authenticated Encryption using AES '
>>   <draft-dharkins-siv-aes-02.txt> as a Proposed Standard
>>
>> The IESG plans to make a decision in the next few weeks, and solicits
>> final comments on this action. Please send substantive comments to the
>> ietf@ietf.org mailing lists by 2008-06-10.
>
> It looks like there are a couple of small errors in the draft that can
> result in incorrect interpretation of the design:
>
> 2.2. Overview
>
>    SIV-AES uses AES in counter mode (CTR) and in CMAC mode (S2V). SIV-
>    AES takes either a 256, 384, or 512 bit key (which is broken up into
>    two equal-sized keys, one for CTR and the other for S2V), a variable
>
> While this is not strictly speaking an incorrect statement, it would be
> clearer to swap the order of CTR and S2V in the description of the keys
> here since the first half of the key is actually used for S2V as
> specified in the more formal description later in the draft.
>
>
> 2.5. CTR
>    Before beginning counter mode the 32nd and 64th bits (where the
>    rightmost bit is the 0th bit) of the counter are cleared. This
>
> 2.6. SIV Encrypt
>    SIV-ENCRYPT(K, P, AD1, ..., ADn) {
>       Q = V xor (1^64 || 0^1 || 1^31 || 0^1 || 1^31)
>
> 2.7. SIV Decrypt
>    SIV-DECRYPT(K, Z, AD1, ..., ADn) {
>       Q = V xor (1^64 || 0^1 || 1^31 || 0^1 || 1^31)
>
> The description of pre-processing for the counter is in conflict here.
> Chapter 2.5 clears two bits while the SIV-ENCRYPT and SIV-DECRYPT
> algorithms are actually swapping lots of bits and not changing the bits
> that should have been cleared. It looks like the 'xor' in these
> algorithms was supposed to be 'and' which would achieve the desired
> clearing of the two bits as defined in 2.5. In addition to this change,
> 'and' should be added into chapter 2.1 with a similar description to 'xor'
> since this is the first use of 'A and B' notation in the draft.
>
>
> A.2. Nonce-based Authenticated Encryption Example
>
>    Plaintext:
>       74686973 20697320 74686520 706c6169
>       6e746578 7420746f 20656e63 72797074
>       20757369 6e672053 49562d41 4553
>
>    xorend:
>       74686973 20697320 736f6d65 20706c61
>       696e7465 78742074 6f20656e 63727966
>       2d0c6201 f3341575 342a3745 f5c625
>
>    ciphertext:
>       cb900f2f ddbe4043 26601965 c889bf17
>       dba77ceb 094fa663 b7a3f748 ba8af829
>       ea64ad54 4a272e9c 485b62a3 fd5c0d
>
> There seems to be a typo here in the second test vector. The lengths of
> the plaintext, xorend, and ciphertext should be the same. However, the
> described plaintext is one octet shorter than xorend/ciphertext. Based
> on the ASCII presentation of the plaintext and beginning of xorend
> value, it looks like the plaintext value should start "this is some
> plaintext", not "this is the plaintext" in order to end up with the
> described output of the test case. In other words, the Plaintext for A.2
> should be changed to:
>
>    Plaintext:
>       74686973 20697320 736f6d65 20706c61
>       696e7465 78742074 6f20656e 63727970
>       74207573 696e6720 5349562d 414553
>
>
> With the changes described above, I can reproduce matching results for
> the test vectors.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> IETF mailing list
> IETF@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf