[kitten] Moving forward with draft-ietf-kitten-aes-cts-hmac-sha2
"Peck, Michael A" <mpeck@mitre.org> Mon, 06 January 2014 20:26 UTC
Return-Path: <mpeck@mitre.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64E181AE205 for <kitten@ietfa.amsl.com>; Mon, 6 Jan 2014 12:26:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.037
X-Spam-Level:
X-Spam-Status: No, score=-2.037 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oEd-M18822EL for <kitten@ietfa.amsl.com>; Mon, 6 Jan 2014 12:26:41 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id A539A1AE1FD for <kitten@ietf.org>; Mon, 6 Jan 2014 12:26:41 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id A4B901F05BB for <kitten@ietf.org>; Mon, 6 Jan 2014 15:26:32 -0500 (EST)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 8A5F01F041D for <kitten@ietf.org>; Mon, 6 Jan 2014 15:26:32 -0500 (EST)
Received: from IMCMBX04.MITRE.ORG ([169.254.4.36]) by IMCCAS02.MITRE.ORG ([129.83.29.69]) with mapi id 14.03.0174.001; Mon, 6 Jan 2014 15:26:32 -0500
From: "Peck, Michael A" <mpeck@mitre.org>
To: "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: Moving forward with draft-ietf-kitten-aes-cts-hmac-sha2
Thread-Index: AQHPCx2WFQI85VLH+06sM72V8pZqMQ==
Date: Mon, 06 Jan 2014 20:26:32 +0000
Message-ID: <CED4D260.D7E7%mpeck@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [128.29.194.119]
Content-Type: multipart/alternative; boundary="_000_CED4D260D7E7mpeckmitreorg_"
MIME-Version: 1.0
Subject: [kitten] Moving forward with draft-ietf-kitten-aes-cts-hmac-sha2
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jan 2014 20:26:45 -0000
Hi - I believe two primary issues have been raised with the AES and SHA-2 encryption type drafts: ciphertext stealing vs padding, and IV options. 1: CTS vs. CBC with PKCS7 padding We first submitted draft-ietf-kitten-aes-cts-hmac-sha2 (uses CTS mode, also known as CBC mode with ciphertext stealing), then submitted draft-ietf-kitten-aes-cbc-hmac-sha2 (uses CBC mode with PKCS7 padding). A consensus call decided on CBC mode with PKCS7 padding, but immediately afterwards Paul Miller from Microsoft stated that CBC with PKCS7 padding could cause compatibility problems. Based on that feedback, I suggest we go with CTS mode – are there any objections? 2: Initialization vector RFC 3961/3962 sets the formal CBC IV to the cipherstate (the next-to-last ciphertext block of the previous message) - (it's my understanding the purpose of the cipher state is to enforce message sequencing) - and sets the first block of plaintext to a 128-bit random value (called a confounder). The cipherstate is not sent with the message since it can be implicitly inferred from the ciphertext of the previous message. The confounder (first block of plaintext) plays the cryptographic role of the IV. Draft-ietf-kitten-aes-cts-hmac-sha2 currently sets the CBC IV to a 128-bit nonce XORed with the cipher state (in this draft, the cipher state is currently the previous message's 128-bit nonce). The nonce is sent in the clear along with the ciphertext and the MAC. We followed this approach to be aligned with the CTS definition found in the NIST Special Publication 800-38A Addendum, which treats the IV as a parameter to be passed into the encrypt and decrypt operations (and expects it to meet the required properties of a CBC IV). (Side note: Currently the draft states that the MAC is computed over the nonce and ciphertext. Upon another look, I'm thinking the MAC should instead be computed over the IV and ciphertext, so that message reorderings are detected by the MAC verification.) Some have indicated interest in sticking with the RFC 3961/3962 confounder approach. I'd like to suggest some options to choose from: Option 1: Define separate Kerberos enctypes for each of the two IV approaches. Define the cipherstate to be the next-to-last ciphertext block of the previous message (like in RFC 3961/3962). If the confounder approach is being used (as signaled by the enctype), don't include an explicit nonce. Set the CBC IV = cipherstate. Set the first block of plaintext to a 128-bit nonce. Omit the first block of plaintext from the decrypt operation's plaintext output. ciphertext || MAC is transmitted. If the explicit nonce approach is being used (as signaled by the enctype), set the CBC IV = cipherstate XOR nonce. nonce || ciphertext || MAC is transmitted. The MAC is computed over the IV || ciphertext in both cases. This option seems to provide the ability to deployers to decide which IV approaches they're comfortable with (both or just one) through the allowed enctypes. Option 2: Define the cipher state to be the next-to-last ciphertext block of the previous message (like in RFC 3961/3962). If the sender chooses the confounder approach, set the explicit nonce field to the cipher state, and set the first block of plaintext to a 128-bit nonce (confounder). If the sender chooses to use an explicit nonce, set the explicit nonce field to a 128-bit nonce, and set the first block of plaintext to the cipherstate. Either way, the CBC IV is set to the explicit nonce field. The MAC is computed over the explicit nonce field || ciphertext. Explicit nonce field || cipher text || MAC is transmitted. The recipient always omits the first block of plaintext from the decrypt operation's plaintext output. The recipient needs to make sure the cipherstate transmitted with the message is consistent with the previous message's ciphertext. Two downsides of this approach: It adds an unnecessary 128 bits to each message. It doesn't easily allow deployers to decide which IV techniques to allow based on policy considerations. Option 3: Pick one IV approach. Thanks, Mike
- [kitten] Moving forward with draft-ietf-kitten-ae… Peck, Michael A
- Re: [kitten] Moving forward with draft-ietf-kitte… Greg Hudson