IETF Logo Mail Archive

Re: [kitten] considering abandoning CTS mode (Re: I-D Action:draft-ietf-kitten-aes-cts-hmac-sha2-01.txt)

Michiko Short <michikos@microsoft.com> Thu, 08 August 2013 22:02 UTC

Return-Path: <michikos@microsoft.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B930121F9C06 for <kitten@ietfa.amsl.com>; Thu, 8 Aug 2013 15:02:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NfXFkF+bRdL3 for <kitten@ietfa.amsl.com>; Thu, 8 Aug 2013 15:02:50 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0206.outbound.protection.outlook.com [207.46.163.206]) by ietfa.amsl.com (Postfix) with ESMTP id 341E421F9C90 for <kitten@ietf.org>; Thu, 8 Aug 2013 15:02:50 -0700 (PDT)
Received: from BLUPR03CA029.namprd03.prod.outlook.com (10.141.30.22) by BLUPR03MB051.namprd03.prod.outlook.com (10.255.209.151) with Microsoft SMTP Server (TLS) id 15.0.731.11; Thu, 8 Aug 2013 22:02:41 +0000
Received: from BY2FFO11FD005.protection.gbl (2a01:111:f400:7c0c::25) by BLUPR03CA029.outlook.office365.com (2a01:111:e400:879::22) with Microsoft SMTP Server (TLS) id 15.0.745.25 via Frontend Transport; Thu, 8 Aug 2013 22:02:40 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD005.mail.protection.outlook.com (10.1.14.126) with Microsoft SMTP Server (TLS) id 15.0.745.15 via Frontend Transport; Thu, 8 Aug 2013 22:02:40 +0000
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([169.254.3.223]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.03.0136.001; Thu, 8 Aug 2013 22:02:09 +0000
From: Michiko Short <michikos@microsoft.com>
To: "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: [kitten] considering abandoning CTS mode (Re: I-D Action:draft-ietf-kitten-aes-cts-hmac-sha2-01.txt)
Thread-Index: Ac6UguuCfwuvEtnVS+WRXhLN+l/eLw==
Date: Thu, 08 Aug 2013 22:02:08 +0000
Message-ID: <5674376E76F88641AD3748A64F0996971AAA4F35@TK5EX14MBXC285.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.74]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(24454002)(164054003)(51704005)(199002)(189002)(27574002)(377454003)(13464003)(19580395003)(77096001)(69226001)(51856001)(56816003)(81342001)(80022001)(16406001)(80976001)(65816001)(44976005)(83072001)(83322001)(81542001)(74662001)(19580405001)(47736001)(50466002)(6806004)(79102001)(23756003)(49866001)(74366001)(47446002)(31966008)(63696002)(54356001)(53806001)(47976001)(47776003)(74876001)(59766001)(4396001)(76796001)(46102001)(76482001)(74502001)(74706001)(50986001)(55846006)(66066001)(76176001)(33656001)(20776003)(54316002)(76786001)(77982001)(56776001)(81686001); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR03MB051; H:mail.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 093290AD39
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 131.107.125.37
X-MS-Exchange-CrossPremises-AuthSource: BY2FFO11FD005.protection.gbl
X-MS-Exchange-CrossPremises-AuthAs: Anonymous
X-MS-Exchange-CrossPremises-AVStamp-Service: 1.0
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent
X-OrganizationHeadersPreserved: BLUPR03MB051.namprd03.prod.outlook.com
Subject: Re: [kitten] considering abandoning CTS mode (Re: I-D Action:draft-ietf-kitten-aes-cts-hmac-sha2-01.txt)
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2013 22:02:58 -0000

Apologies for the late response, I have not been tracking the crypto discussions on aes-cts-hmac-sha2, so I did not realize a response was needed.

Since the issue which requires the padding is caused by applications that do not use the SSPI APIs correctly, this should not be driver for the new crypto. Windows SSPI functions exist for an application to obtain the required lengths for use with the in-place encryption functions. Performance and security should be the drivers for selection of the new AES algorithm. We do get a lot of feedback about perf.

Thanks,
Michiko Short | Program Manager | Windows Security & Identity



-----Original Message-----
From: kitten-bounces@ietf.org [mailto:kitten-bounces@ietf.org] On Behalf Of kitten-request@ietf.org
Sent: Wednesday, July 10, 2013 3:42 PM
To: kitten@ietf.org
Subject: Kitten Digest, Vol 104, Issue 5



Today's Topics:

   1. Re:  considering abandoning CTS mode (Re: I-D Action:
      draft-ietf-kitten-aes-cts-hmac-sha2-01.txt) (Nico Williams)
  
----------------------------------------------------------------------

Message: 1
Date: Wed, 10 Jul 2013 16:30:46 -0500
From: Nico Williams <nico@cryptonector.com>
To: Tom Yu <tlyu@mit.edu>
Cc: kitten@ietf.org
Subject: Re: [kitten] considering abandoning CTS mode (Re: I-D Action:
	draft-ietf-kitten-aes-cts-hmac-sha2-01.txt)
Message-ID:
	<CAK3OfOiqmJ=Nv36RD2PkTygshK31Jit3Fzr2jy4S1uXbZ8YjmA@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Tue, Jul 9, 2013 at 6:46 PM, Tom Yu <tlyu@mit.edu> wrote:
> I've looked at the diff against the previous version of this document.
> Most of the changes look reasonable to me, but the special case 
> handling of short plaintexts seems too complicated from an 
> implementation perspective.  I'd prefer to go back to the more widely 
> accepted practice of CBC mode with explicit IV and PKCS#7-ish padding.
>
> It seems that one of the goals of this effort is to use, as much as 
> possible, the off-the shelf capabilities of cryptographic modules that 
> are validated to FIPS 140-2 or other relevant standards.  As far as I 
> know, few (if any) validated cryptographic modules support CTS mode 
> directly.
>
> At this point, I think it is useful to try moving away from CTS: the 
> benefits of CTS do not outweigh the implementation complexity, 
> particularly when dealing with the short plaintext case.  Implementing 
> CTS mode has already proven to be a challenge even for the existing 
> AES-CTS enctypes, and I'm reluctant to magnify that difficulty with 
> the new enctypes in this document.  Returning to a scheme based on 
> conventionally padded CBC would further the goal of using the existing 
> capabilities of validated cryptographic modules, and poses fewer 
> implementation risks.

I'm not at all worried about implementation risks.  We can test every possible plaintext length between the shortest (zero-bytes) and a small multiple of the block size (in bytes), both with test vectors and random data (making sure it round-trips).

I think the only risk we should be concerned about here is the risk that we might design-in a cryptographic weakness.  I definitely don't want to be even partly to blame for that :) so it's a risk that bothers me.  I think we can analyze the non-confounded CTS we came up with, and we could/should/must ask for review by strong cryptographers before we go forward with it (or otherwise we must show that the new thing must have the same properties as the old confounded CTS, which I think we informally did, but we'd have to redo that analysis).

Another risk I care about is the risk that we lose some hardware optimizations as a result of using CTS.  Though with the trend towards on-die hardware cipher implementations that problem becomes much less relevant.

> Statements from Microsoft imply that the main problems caused by 
> variable-length ciphertext expansion would be limited to SSPI 
> applications that do not use the APIs correctly.  SSPI functions exist 
> such that an application can use to obtain the required lengths for 
> use with the in-place encryption functions.

This was a big deal to them once.  It might still be.  It'd be nice to hear from someone at Microsoft as to whether this is still an issue.

> I realize we've spent a significant amount of effort trying to make 
> CTS work in the short-plaintext case.  I'd like to thank to Nico, 
> Kelley, and others who participated in trying to make CTS mode work in 
> this specification.  Looking at this document as an implementer, I 
> think using CTS mode, especially with the short-plaintext special 
> case, presents too much risk, and I'd like us to consider going back 
> to a more normal CBC mode.

I'll be fine with ditching the no-padding requirement if the implementors we've known to care for no-padding modes are ok with it now and no new ones show up to tell us otherwise.

Nico
--

v2.23.0 | Report a Bug | By Email