IETF Logo Mail Archive

Re: [Lake] Discussion on IoT AEAD limits for AES_128_CCM_8

Tero Kivinen <kivinen@iki.fi> Wed, 18 November 2020 06:49 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD2CB3A0BBA for <lake@ietfa.amsl.com>; Tue, 17 Nov 2020 22:49:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pm-HK6wBVjab for <lake@ietfa.amsl.com>; Tue, 17 Nov 2020 22:49:28 -0800 (PST)
Received: from meesny.iki.fi (meesny.iki.fi [IPv6:2001:67c:2b0:1c1::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F81F3A0BB6 for <lake@ietf.org>; Tue, 17 Nov 2020 22:49:27 -0800 (PST)
Received: from fireball.acr.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen) by meesny.iki.fi (Postfix) with ESMTPSA id 4DDDA200E0; Wed, 18 Nov 2020 08:49:23 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1605682163; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YdD2bATr0dA5XlqHOZHZff/Py1icoPKI9woPvDDMw7Y=; b=rLDiYQk7gtWr8ZzCrwLCQFNaOaP6AlEr6Jl7Hu70Uf2FJ+hR9jGrxtonU65DdX4CtA1oi8 Rge+9rGTKOCJgQJO55mP5UiCNoxOSMeehtIGdjsQeUU7R72jJ8jw45lKQvgWU9gexLCx6+ IjfMbAfKdBiiDgw9T2qeS0pgijHJTuU=
Received: by fireball.acr.fi (Postfix, from userid 15204) id 1F44B25C14C7; Wed, 18 Nov 2020 08:49:21 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <24500.50161.69429.793815@fireball.acr.fi>
Date: Wed, 18 Nov 2020 08:49:21 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Martin Thomson <mt@lowentropy.net>
Cc: lake@ietf.org
In-Reply-To: <e7ad2b16-c5b7-467e-9325-d7d9cccc9166@www.fastmail.com>
References: <0EB305C3-1751-45AA-A240-C6A3135C09CC@ericsson.com> <e7ad2b16-c5b7-467e-9325-d7d9cccc9166@www.fastmail.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 19 min
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1605682163; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YdD2bATr0dA5XlqHOZHZff/Py1icoPKI9woPvDDMw7Y=; b=AY3p/QJUwmJ3YdLXcCYZxxEKFd6OOrWQlX75VBmIIeISygbc97vsPfmgEv4dKBCQqTVVOP FUtPUutMIdRlQweObDGeuzsQVSVv/VXAM3sH5dX5aj0NnFSGvaYfEEUBFiEY0Lf70sQeEJ DFvaJTSE4t1ia5ZbCoENt8ck6yorcv4=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1605682163; a=rsa-sha256; cv=none; b=MwMatIIYJsWdYVmNi4qISAXAU7tn0dKQKiUANgeMdNtc4wi35Fj7sCaywDok4CsoOrRK1T 8W17Ptc/0WfU6wYg8IPUlQecgapnV3a+0xfoSpqd/Zw/lhLnbcmpWk0JoBsULVxjUz+Ozy QzY8By9QovHxO080kdTVl/ImIUjIaY8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/FEpjsMDK3e1nJH2mrglcOJWh5Ls>
Subject: Re: [Lake] Discussion on IoT AEAD limits for AES_128_CCM_8
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 06:49:32 -0000

Martin Thomson writes:
> You might find this tool useful in evaluating this:
> 
> https://chris-wood.github.io/interactive-aead-limits/
> 
> Note that with the value of p that TLS uses (2^-57), this cipher
> performs very badly.  The number of forgery attempts you can
> tolerate is 128.  That's not 2^128, it's 128.  I don't think that is
> acceptable.  You might be able to increase your tolerance for attack
> (p) to get something more realistic. 

Also note, that the for example in IEEE 802.15.4 the maximum number of
messages which can be sent by one key is 2^32 messages, as the frame
counter is 32-bit counter, and when it reaches 0xffffffff the sending
of frames will fail.

When using TSCH the ASN is 40-bit incrementing timestamp, which
usually increments every 10 ms or so, meaning that for it to wrap
around it takes 348 years.

So the max q is 2^32 for 802.15.4 (or 2^40 if TCSH is used). I would
expect most of the other environments where lake is used will have
similar very small values of max q.

If I understood how the interactive tool works, then if I set p to 51
that would give log2(q) of 32 for message lengths of less than 256
bytes, but that gets log2(v) to quite low of 12.8.

On the other hand p of 32 and setting log2(q) to 33 will give log2(v)
of 32 for 256 byte messages.

So for AES_128_CCM_8 using p of 2^-32 allows sending max number of
messages for IEEE 802.15.4.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email