Re: Last Call: draft-dharkins-siv-aes (SIV Authenticated Encryption using AES) to Proposed Standard

"Dan Harkins" <dharkins@lounge.org> Wed, 21 May 2008 03:53 UTC

Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 500ED3A6BB3; Tue, 20 May 2008 20:53:57 -0700 (PDT)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 912A628C622 for <ietf@core3.amsl.com>; Tue, 20 May 2008 20:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FcX1mtDfTeLS for <ietf@core3.amsl.com>; Tue, 20 May 2008 20:53:52 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by core3.amsl.com (Postfix) with ESMTP id 892FD28DE2D for <ietf@ietf.org>; Tue, 20 May 2008 11:26:46 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 6167810224074; Tue, 20 May 2008 11:26:47 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 20 May 2008 11:26:47 -0700 (PDT)
Message-ID: <75e677cc9ea49f98eed0d99dfc70e61f.squirrel@www.trepanning.net>
In-Reply-To: <20080514133859.GA12555@jm.kir.nu>
References: <20080514133859.GA12555@jm.kir.nu>
Date: Tue, 20 May 2008 11:26:47 -0700 (PDT)
Subject: Re: Last Call: draft-dharkins-siv-aes (SIV Authenticated Encryption using AES) to Proposed Standard
From: "Dan Harkins" <dharkins@lounge.org>
To: "Jouni Malinen" <j@w1.fi>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
X-Priority: 3 (Normal)
Importance: Normal
Cc: dharkins@arubanetworks.com, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

  Hi Jouni,

  Thank you very much for your review of my I-D and for identification
of the issues you describe below.

  I have updated the draft to incorporate your suggested modifications:

    - mention S2V before CTR in the description of SIV keying.
    - define "bitand" in section 2.1 as the logical AND of two equal
      length strings, then use "bitand" in sections 2.6 and 2.7 as
      you suggest.
    - fixed the test vector in section A.2

I also verified that my SIV implementation generates the correct test
vectors and this matches the test vectors sent to NIST.

  The draft has been updated and a -03 should be in the repository
right now.

  Once again, thanks for your review and for identifying these issues
before the draft got published.

  regards,

  Dan.

On Wed, May 14, 2008 6:38 am, Jouni Malinen wrote:
>>  - 'SIV Authenticated Encryption using AES '
>>    <draft-dharkins-siv-aes-02.txt> as a Proposed Standard
>>
>>  The IESG plans to make a decision in the next few weeks, and solicits
>>  final comments on this action.  Please send substantive comments to the
>>  ietf@ietf.org mailing lists by 2008-06-10.
>
> It looks like there are couple of small errors in the draft that can
> result in incorrect interpretation of the design:
>
> 2.2.  Overview
>
>    SIV-AES uses AES in counter mode (CTR) and in CMAC mode (S2V).  SIV-
>    AES takes either a 256, 384, or 512 bit key (which is broken up into
>    two equal-sized keys, one for CTR and the other for S2V), a variable
>
> While this is not strictly speaking incorrect statement, it would be
> clearer to swap the order of CTR and S2V in the description of the keys
> here since the first half of the key is actually used for S2V as
> specified in more formal description later in the draft.
>
>
> 2.5.  CTR
>    Before beginning counter mode the 32nd and 64th bits (where the
>    rightmost bit is the 0th bit) of the counter are cleared.  This
>
> 2.6.  SIV Encrypt
>    SIV-ENCRYPT(K, P, AD1, ..., ADn) {
>      Q = V xor (1^64 || 0^1 || 1^31 || 0^1 || 1^31)
>
> 2.7.  SIV Decrypt
>    SIV-DECRYPT(K, Z, AD1, ..., ADn) {
>      Q = V xor (1^64 || 0^1 || 1^31 || 0^1 || 1^31)
>
> The description of pre-processing for the counter is in conflict here.
> Chapter 2.5 clears two bits while the SIV-ENCRYPT and SIV-DECRYPT
> algorithms are actually swapping lots of bits and not changing the bits
> that should have been cleared. It looks like the 'xor' in these
> algorithms was supposed to be 'and' which would achieve the desired
> clearing of the two bits as defined in 2.5. In addition to this change,
> 'and' should be added into chapter 2.1 with similar description to 'xor'
> since this is the first use of 'A and B' notation in the draft.
>
>
> A.2.  Nonce-based Authenticated Encryption Example
>
>    Plaintext:
>            74686973 20697320 74686520 706c6169
>            6e746578 7420746f 20656e63 72797074
>            20757369 6e672053 49562d41 4553
>
>    xorend:
>            74686973 20697320 736f6d65 20706c61
>            696e7465 78742074 6f20656e 63727966
>            2d0c6201 f3341575 342a3745 f5c625
>
>    ciphertext:
>            cb900f2f ddbe4043 26601965 c889bf17
>            dba77ceb 094fa663 b7a3f748 ba8af829
>            ea64ad54 4a272e9c 485b62a3 fd5c0d
>
> There seems to be a typo here in the second test vector. The lengths of
> the plaintext, xorend, and ciphertext should be the same. However, the
> described plaintext is one octet shorter than xorend/ciphertext. Based
> on the ASCII presentation of the plaintext and beginning of xorend
> value, it looks like the plaintext value should start "this is some
> plaintext", not "this is the plaintext" in order to end up with the
> described output of the test case. In other words, the Plaintext for A.2
> should be changed to:
>
>    Plaintext:
>            74686973 20697320 736f6d65 20706c61
>            696e7465 78742074 6f20656e 63727970
>            74207573 696e6720 5349562d 414553
>
>
> With the changes described above, I can reproduce matching results for
> the test vectors.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> IETF mailing list
> IETF@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf
>


_______________________________________________
IETF mailing list
IETF@ietf.org
https://www.ietf.org/mailman/listinfo/ietf