IETF Logo Mail Archive

Re: [Lake] Discussion on IoT AEAD limits for AES_128_CCM_8

Martin Thomson <mt@lowentropy.net> Wed, 18 November 2020 00:48 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E22433A1149 for <lake@ietfa.amsl.com>; Tue, 17 Nov 2020 16:48:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=R8hqq6ka; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=jXrP9TUd
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3URNNnv_q2Dn for <lake@ietfa.amsl.com>; Tue, 17 Nov 2020 16:48:35 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20E313A1140 for <lake@ietf.org>; Tue, 17 Nov 2020 16:48:35 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 55E475C029E for <lake@ietf.org>; Tue, 17 Nov 2020 19:48:34 -0500 (EST)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Tue, 17 Nov 2020 19:48:34 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=Sg+UYuHkFt0PH3dfKg61Er1fs4Wtzx7 4Sl0bn3xkeqI=; b=R8hqq6kabbdk17ytadnP9g5hGLy11ifIUtSfFjF2XrpSMXA 4ORXTFCmGJ+XbUNaCo95j5qXgHlldyQc0ukBuiYSxQ2zRjNvw6JsvrlGzvWPAoVi ctYOPSzgV9v84p09RWUn43gkYIMHt1eJQ2mJTSyhflvWY6mi8GDZk6T+XqkQCnwh G9+qT25v+ixK2cGK9eBr5sWVB0EyAdR275TyuFfb11qgzGYsM+sMgpyLwoeC3JzO xZqB7drwRrHvc56ixvc/rVICU+nCl7HCryYekSYbyxQriT6Qpgj02bFcv7aNVjGP lJGlMoFIBr45xtqr9JGT6W9cPWf5UMqruzTChIw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=Sg+UYu HkFt0PH3dfKg61Er1fs4Wtzx74Sl0bn3xkeqI=; b=jXrP9TUdV6vwpRsj63WTkE 2iCFkKMRBBZMWbUEvEIXON7Mh8B2RnA4wvZpEp6jzOcBtCqXmmrZtgWk6EWD2dWd SoQgn4lhuRQpYJhx280LFJVG5BGL5f+nsQs4jN8P6XDdQyYOCZ9OmVdBgjQZnajJ GiJnyy2fylXbHvW/8EIQaz1W405SE02qDQ9ZkzPCNFkakGKdPgP7y9l2RMoJpDOk jnAIxyEJG4P3XYvoW/5xxB+gcwQ4GZ9c5zP364zVeqlfltPtc5Gyow92ACTOrBPC snRXuEcyhjaq1p6r3vV4NcRq+RzW55GS4cCjisCp2S/PEbDmY/FcoFP9beCpldlg ==
X-ME-Sender: <xms:YW-0X3Rfbnx6TinUn12A2ko5a23AMdpPb8yq37hzHAjYOG1HHg6bqw> <xme:YW-0X4z4pgNqdPoNOjKJzTJRU4DSoLRDvfTAW-sRXl9h1wKme9zN99rOxP2KbXMsL rj1N9p7QsOyhGWDYps>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudefgedgvdehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucgoufhushhpvggtthffohhmrghinhculdegledmne cujfgurhepofgfggfkjghffffhvffutgesthdtredtreertdenucfhrhhomhepfdforghr thhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvghnthhrohhphidrnhgvtheqnecugg ftrfgrthhtvghrnhepvdeuvdeuveevieevheeiieevudfgudevlefgiedvueffjeeiveef tdelgeekgefhnecuffhomhgrihhnpehgihhthhhusgdrihhopdhivghtfhdrohhrghenuc evlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhho figvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:YW-0X83z1RH0EMYqh3LRHrCaROMB-xIYI2vIFaTPUavLRn1HIfRNpg> <xmx:YW-0X3BoAp0IEqCamtGuIojF2c-KoE875QEx2_4l-nzO7SH05j4S4g> <xmx:YW-0XwjcXqeAFatKqZOVu7d42LkW1kYV_3q5_NHevXwi4Yjpvb9dXQ> <xmx:Ym-0X7vEl_vLiVv28ogF8qXK0iU0qGy3dMNlFcwrZnJtNSiQHxdOWQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id BD0AE201D0; Tue, 17 Nov 2020 19:48:33 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-622-g4a97c0b-fm-20201115.001-g4a97c0b3
Mime-Version: 1.0
Message-Id: <e7ad2b16-c5b7-467e-9325-d7d9cccc9166@www.fastmail.com>
In-Reply-To: <0EB305C3-1751-45AA-A240-C6A3135C09CC@ericsson.com>
References: <0EB305C3-1751-45AA-A240-C6A3135C09CC@ericsson.com>
Date: Wed, 18 Nov 2020 11:48:15 +1100
From: Martin Thomson <mt@lowentropy.net>
To: lake@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/0dQhGrArfvY23ME23nAQ2df4Mkg>
Subject: Re: [Lake] Discussion on IoT AEAD limits for AES_128_CCM_8
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 00:48:37 -0000

You might find this tool useful in evaluating this:

https://chris-wood.github.io/interactive-aead-limits/

Note that with the value of p that TLS uses (2^-57), this cipher performs very badly.  The number of forgery attempts you can tolerate is 128.  That's not 2^128, it's 128.  I don't think that is acceptable.  You might be able to increase your tolerance for attack (p) to get something more realistic.

On Tue, Nov 17, 2020, at 02:17, John Mattsson wrote:
> Hi,
> 
> As discussed during the meeting today, CFRG is working on an excellent 
> document specifying equations to calculate AEAD limits for the number 
> of encryption operations q and the number of forgery attempts v. TLS, 
> DTLS, and QUIC have adopted strict limits based on these equations. 
> Having strict limits is not a problem if re-keying is easy.
> 
> https://tools.ietf.org/html/draft-irtf-cfrg-aead-limits
> 
> Most constrained IoT systems today use some variant of AES-128 in CCM 
> mode with a 32- or 64-bit tag. IETF use of AES-128 in CCM mode 
> typically only use 64-bit tags.
> 
> The important equations for AEAD_AES_128_CCM_8 (AES-CCM-16-64-128, 
> AES-CCM-64-64-128) are:
> 
> Confidentiality Limit:
> q <= sqrt((p * 2^126) / l^2)
> 
> Integrity Limit:
> v * 2^64 + (2l * (v + q))^2 <= p * 2^128
> 
> where:
> 
> q = Number of protected messages (AEAD encryption invocations)
> v = Number of attacker forgery attempts (failed AEAD decryption invocations)    
> p = Adversary attack probability
> l = input length (plaintext + additional data) in blocks
> 
> For AEAD_AES_128_CCM_8 the integrity limit is the most limiting. DTLS 
> 1.3 sets the limits for CCM to q = 2^23 and v = 2^23.5 and states that 
> AES_128_CCM_8 MUST NOT used in DTLS without additional safeguards 
> against forgery. This unfortunately severely limits the use case for 
> DTLS 1.3 in very constrained IoT.
> 
> The assumptions used DTLS 1.3 (still a draft) are:
> 
> p = 2^-57
> l = 2^10 (2^14 bytes)
> 
> It should be discussed which assumptions are relevant for IoT systems. 
> It was suggested during the meeting today that this discussion should 
> be held in a IoT focused security area WG like LAKE. There are a large 
> number of aspects that affect how the limits v and q should be assigned:
> 
> - The probability p can be set to basically any value, it decides the 
> security level. Some IoT systems might accept a higher forgery 
> probability that (D)TLS in general.
> 
> - To optimize the forgery probablity the attacker cannot send a chosen 
> message, the attacker has to settle for something that looks like a 
> random string. For use cases where the payload has a certain format, 
> this means that succesfull forgeries will likely be discarded on a 
> higher level in the stack.
> 
> - The forgery probability is for a single forgery. In some systems a 
> single forgery may not matter much and several forgeries might be 
> needed to do any harm.
> 
> - The input lengths are typically much much smaller for most 
> constrained IoT systems than the 16 KB packets assumed in the (D)TLS 
> calculations.
> 
> - If the attacker uses a high speed broadband connection, a lot of 
> forgeries can be sent quickly. On most constained IoT systems, the 
> bandwith is very limited and it would take takes a long time to send 
> forged message.
> 
> - Any denial-of-service resulting from low limits on v should be 
> compared to other denial-of-service attacks on the system. If there are 
> even easier ways to reduce the availability of a system, a low limit on 
> v does not matter.
> 
> Looking forward to hear the IETF IoT communities comments on the above.
> 
> Cheers,
> John
> 
> -- 
> Lake mailing list
> Lake@ietf.org
> https://www.ietf.org/mailman/listinfo/lake
>

v2.23.0 | Report a Bug | By Email