Re: [Lake] Discussion on IoT AEAD limits for AES_128_CCM_8
Martin Thomson <mt@lowentropy.net> Wed, 18 November 2020 00:48 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E22433A1149 for <lake@ietfa.amsl.com>; Tue, 17 Nov 2020 16:48:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=R8hqq6ka; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=jXrP9TUd
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3URNNnv_q2Dn for <lake@ietfa.amsl.com>; Tue, 17 Nov 2020 16:48:35 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20E313A1140 for <lake@ietf.org>; Tue, 17 Nov 2020 16:48:35 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 55E475C029E for <lake@ietf.org>; Tue, 17 Nov 2020 19:48:34 -0500 (EST)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Tue, 17 Nov 2020 19:48:34 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=Sg+UYuHkFt0PH3dfKg61Er1fs4Wtzx7 4Sl0bn3xkeqI=; b=R8hqq6kabbdk17ytadnP9g5hGLy11ifIUtSfFjF2XrpSMXA 4ORXTFCmGJ+XbUNaCo95j5qXgHlldyQc0ukBuiYSxQ2zRjNvw6JsvrlGzvWPAoVi ctYOPSzgV9v84p09RWUn43gkYIMHt1eJQ2mJTSyhflvWY6mi8GDZk6T+XqkQCnwh G9+qT25v+ixK2cGK9eBr5sWVB0EyAdR275TyuFfb11qgzGYsM+sMgpyLwoeC3JzO xZqB7drwRrHvc56ixvc/rVICU+nCl7HCryYekSYbyxQriT6Qpgj02bFcv7aNVjGP lJGlMoFIBr45xtqr9JGT6W9cPWf5UMqruzTChIw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=Sg+UYu HkFt0PH3dfKg61Er1fs4Wtzx74Sl0bn3xkeqI=; b=jXrP9TUdV6vwpRsj63WTkE 2iCFkKMRBBZMWbUEvEIXON7Mh8B2RnA4wvZpEp6jzOcBtCqXmmrZtgWk6EWD2dWd SoQgn4lhuRQpYJhx280LFJVG5BGL5f+nsQs4jN8P6XDdQyYOCZ9OmVdBgjQZnajJ GiJnyy2fylXbHvW/8EIQaz1W405SE02qDQ9ZkzPCNFkakGKdPgP7y9l2RMoJpDOk jnAIxyEJG4P3XYvoW/5xxB+gcwQ4GZ9c5zP364zVeqlfltPtc5Gyow92ACTOrBPC snRXuEcyhjaq1p6r3vV4NcRq+RzW55GS4cCjisCp2S/PEbDmY/FcoFP9beCpldlg ==
X-ME-Sender: <xms:YW-0X3Rfbnx6TinUn12A2ko5a23AMdpPb8yq37hzHAjYOG1HHg6bqw> <xme:YW-0X4z4pgNqdPoNOjKJzTJRU4DSoLRDvfTAW-sRXl9h1wKme9zN99rOxP2KbXMsL rj1N9p7QsOyhGWDYps>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudefgedgvdehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucgoufhushhpvggtthffohhmrghinhculdegledmne cujfgurhepofgfggfkjghffffhvffutgesthdtredtreertdenucfhrhhomhepfdforghr thhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvghnthhrohhphidrnhgvtheqnecugg ftrfgrthhtvghrnhepvdeuvdeuveevieevheeiieevudfgudevlefgiedvueffjeeiveef tdelgeekgefhnecuffhomhgrihhnpehgihhthhhusgdrihhopdhivghtfhdrohhrghenuc evlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhho figvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:YW-0X83z1RH0EMYqh3LRHrCaROMB-xIYI2vIFaTPUavLRn1HIfRNpg> <xmx:YW-0X3BoAp0IEqCamtGuIojF2c-KoE875QEx2_4l-nzO7SH05j4S4g> <xmx:YW-0XwjcXqeAFatKqZOVu7d42LkW1kYV_3q5_NHevXwi4Yjpvb9dXQ> <xmx:Ym-0X7vEl_vLiVv28ogF8qXK0iU0qGy3dMNlFcwrZnJtNSiQHxdOWQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id BD0AE201D0; Tue, 17 Nov 2020 19:48:33 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-622-g4a97c0b-fm-20201115.001-g4a97c0b3
Mime-Version: 1.0
Message-Id: <e7ad2b16-c5b7-467e-9325-d7d9cccc9166@www.fastmail.com>
In-Reply-To: <0EB305C3-1751-45AA-A240-C6A3135C09CC@ericsson.com>
References: <0EB305C3-1751-45AA-A240-C6A3135C09CC@ericsson.com>
Date: Wed, 18 Nov 2020 11:48:15 +1100
From: Martin Thomson <mt@lowentropy.net>
To: lake@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/0dQhGrArfvY23ME23nAQ2df4Mkg>
Subject: Re: [Lake] Discussion on IoT AEAD limits for AES_128_CCM_8
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 00:48:37 -0000
You might find this tool useful in evaluating this: https://chris-wood.github.io/interactive-aead-limits/ Note that with the value of p that TLS uses (2^-57), this cipher performs very badly. The number of forgery attempts you can tolerate is 128. That's not 2^128, it's 128. I don't think that is acceptable. You might be able to increase your tolerance for attack (p) to get something more realistic. On Tue, Nov 17, 2020, at 02:17, John Mattsson wrote: > Hi, > > As discussed during the meeting today, CFRG is working on an excellent > document specifying equations to calculate AEAD limits for the number > of encryption operations q and the number of forgery attempts v. TLS, > DTLS, and QUIC have adopted strict limits based on these equations. > Having strict limits is not a problem if re-keying is easy. > > https://tools.ietf.org/html/draft-irtf-cfrg-aead-limits > > Most constrained IoT systems today use some variant of AES-128 in CCM > mode with a 32- or 64-bit tag. IETF use of AES-128 in CCM mode > typically only use 64-bit tags. > > The important equations for AEAD_AES_128_CCM_8 (AES-CCM-16-64-128, > AES-CCM-64-64-128) are: > > Confidentiality Limit: > q <= sqrt((p * 2^126) / l^2) > > Integrity Limit: > v * 2^64 + (2l * (v + q))^2 <= p * 2^128 > > where: > > q = Number of protected messages (AEAD encryption invocations) > v = Number of attacker forgery attempts (failed AEAD decryption invocations) > p = Adversary attack probability > l = input length (plaintext + additional data) in blocks > > For AEAD_AES_128_CCM_8 the integrity limit is the most limiting. DTLS > 1.3 sets the limits for CCM to q = 2^23 and v = 2^23.5 and states that > AES_128_CCM_8 MUST NOT used in DTLS without additional safeguards > against forgery. This unfortunately severely limits the use case for > DTLS 1.3 in very constrained IoT. > > The assumptions used DTLS 1.3 (still a draft) are: > > p = 2^-57 > l = 2^10 (2^14 bytes) > > It should be discussed which assumptions are relevant for IoT systems. > It was suggested during the meeting today that this discussion should > be held in a IoT focused security area WG like LAKE. There are a large > number of aspects that affect how the limits v and q should be assigned: > > - The probability p can be set to basically any value, it decides the > security level. Some IoT systems might accept a higher forgery > probability that (D)TLS in general. > > - To optimize the forgery probablity the attacker cannot send a chosen > message, the attacker has to settle for something that looks like a > random string. For use cases where the payload has a certain format, > this means that succesfull forgeries will likely be discarded on a > higher level in the stack. > > - The forgery probability is for a single forgery. In some systems a > single forgery may not matter much and several forgeries might be > needed to do any harm. > > - The input lengths are typically much much smaller for most > constrained IoT systems than the 16 KB packets assumed in the (D)TLS > calculations. > > - If the attacker uses a high speed broadband connection, a lot of > forgeries can be sent quickly. On most constained IoT systems, the > bandwith is very limited and it would take takes a long time to send > forged message. > > - Any denial-of-service resulting from low limits on v should be > compared to other denial-of-service attacks on the system. If there are > even easier ways to reduce the availability of a system, a low limit on > v does not matter. > > Looking forward to hear the IETF IoT communities comments on the above. > > Cheers, > John > > -- > Lake mailing list > Lake@ietf.org > https://www.ietf.org/mailman/listinfo/lake >
- [Lake] Discussion on IoT AEAD limits for AES_128_… John Mattsson
- Re: [Lake] Discussion on IoT AEAD limits for AES_… Martin Thomson
- Re: [Lake] Discussion on IoT AEAD limits for AES_… Tero Kivinen
- Re: [Lake] Discussion on IoT AEAD limits for AES_… John Mattsson
- Re: [Lake] Discussion on IoT AEAD limits for AES_… Blomqvist, Peter
- Re: [Lake] Discussion on IoT AEAD limits for AES_… Martin Thomson