IETF Logo Mail Archive

Re: [Lake] Discussion on IoT AEAD limits for AES_128_CCM_8

John Mattsson <john.mattsson@ericsson.com> Wed, 18 November 2020 07:38 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D77F3A0E44 for <lake@ietfa.amsl.com>; Tue, 17 Nov 2020 23:38:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2UKvGnGFN8jt for <lake@ietfa.amsl.com>; Tue, 17 Nov 2020 23:38:01 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2056.outbound.protection.outlook.com [40.107.20.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C5A13A0CDF for <lake@ietf.org>; Tue, 17 Nov 2020 23:38:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HphFJZWOSWE26iNy7rqPGg7BKD0HHNPYcozHVxIl6YBY73FZk7yvYvkgJaUl/QTKIVN6w9E8ilfib7Nq6MOPb+I/kjOoDZCjM2aBe7QAdAfCPTDRBlfUsk3zE0WXRf18t6SBx4J5hEULhSl8XCEzqNtmp2Vel46ZtnIgnDyDIa6HpE6fJC3VJIamfMYYTUDX7AyoRXg8xb/EUU0NMtRnX6yCKSeCDPuEZj32SLFL0RYG0+lOPMipugZQnNqp1V3rEWt1ohSNlmC1E3CP6IgaTc5m58tiiF1zmL0GcdSUHKGO+XjXCE1n7V4OwM1WL00JP0vlLPOYlYAryTjZ33lxGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SWJUrr8aTG+Fvk89Fuhje324kIe82yMUwS0nvWL7fxI=; b=DjTYjrCEJaX7Yo9ddEEOnp0uMIBtRz/m5BhV3z5ecybCjSqme5DbBX1bH6QhQP1j3xpvLCFA3IfSD3DB4y8tCqSgA7djq0rQYz7h3Wk5QiuUxbLwq4QVQcBecwg8txaLYfwyhMDkuSVyY1Z251oWVUBt/MxzWJD/NX9B2KI840i+vZgUP1Eb/f+3tU0eMmbF+X6XsLwRu5iuCJ+hdCt6eK4DgpFwOD9T4ujcFghrakEiF97t60E5Hvb1vK3J8VgYaAVEhjZhDChS2JBzB9bURiyGzGrAdsGLswpR3cWtAFzXXCGvxyaVuC0v8buolBc5U/KdZjr5OwUvzwGz4ZjgdQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SWJUrr8aTG+Fvk89Fuhje324kIe82yMUwS0nvWL7fxI=; b=A4OkW9sUSl/5O4Joby67+hU0bg8umHj03VTmXnnyTQudu/8Yv3yyNZR+K9csp7nf19zrcH70R0YkMIiftP+t3z9i/Mt51wGYI0P6I1RML49dk97771CQVUrghn4exDLUZE/gnoe3VI6ah+b5Ol8W00Bxb7FujcHegCL/w151Ccg=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (2603:10a6:20b:17::24) by AS8PR07MB7560.eurprd07.prod.outlook.com (2603:10a6:20b:2ae::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.12; Wed, 18 Nov 2020 07:37:59 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c%5]) with mapi id 15.20.3589.017; Wed, 18 Nov 2020 07:37:59 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Martin Thomson <mt@lowentropy.net>, "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [Lake] Discussion on IoT AEAD limits for AES_128_CCM_8
Thread-Index: AQHWvCuK4+D2UIrsPkK08fN+8+vQDanNEKiAgACDPAA=
Date: Wed, 18 Nov 2020 07:37:59 +0000
Message-ID: <EB57AF37-7497-4DF7-9535-90C36FDACC43@ericsson.com>
References: <0EB305C3-1751-45AA-A240-C6A3135C09CC@ericsson.com> <e7ad2b16-c5b7-467e-9325-d7d9cccc9166@www.fastmail.com>
In-Reply-To: <e7ad2b16-c5b7-467e-9325-d7d9cccc9166@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.42.20101102
authentication-results: lowentropy.net; dkim=none (message not signed) header.d=none;lowentropy.net; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 56334723-3d5b-40f7-22de-08d88b94df6c
x-ms-traffictypediagnostic: AS8PR07MB7560:
x-microsoft-antispam-prvs: <AS8PR07MB7560B0AE82B30A4CF820EC7B89E10@AS8PR07MB7560.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: JFkFqgBCevGEf0ptGbAxAbCu6su7CyNwWAkh9emjDaFmCqOVyCY1v8pUeAFwi010OVmw+gxtM/ae4Kr+mGKEOnJO+O9JOtgt8nS4VyDeS7/FxKo9xIlvhkwY55tjoQeSCK76lp3a/oTiI05z/BgeqD2X/708YKY5y+0837oLaVP8j/CQ8fXlfNN/L+g0NGr6AxEaIpKgkEDDmPDXXoWpkgkdt0mnRU89MWtsyuqC8zTFBiGtJFCA5tNaorjIeTdXL49WIlUxhpEo5WreNEVPNbjN7S/6XmHt/0lif1G6rxaRi4WBfEfhY3KA2IeDNZYLFWMkgYnUS8tzaJLvYMJKr15SfiVYbxtTUBBTLMJPUx3LZKwzaFrSzRn2U1Z7g2oY01zVkAV768O4qRm/xuIKXw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(346002)(396003)(376002)(366004)(39860400002)(316002)(8676002)(8936002)(5660300002)(44832011)(83380400001)(66476007)(66946007)(71200400001)(76116006)(66556008)(6512007)(91956017)(6486002)(110136005)(33656002)(186003)(26005)(478600001)(36756003)(6506007)(64756008)(966005)(2906002)(53546011)(2616005)(86362001)(66446008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: QcEMUCoOh0p+fAESRmk8TH8tbHueO+fW1rZp3LwRT7esuAJCxgtpMTN8taI3gy+I6ssM70+kk/I1L4KZHT82C/glfvqUlR7aV+DwRBpe+HrPmXA4bUw6fvIMm+/loCDzq53x1PNt1YIiGgNzEN80UxAP1PX1lO849wP4vQiUAd29TQBIixsTVPW3I294ueSZKvDOq6OJNp7txNJJESYUbVpYMl0s0WWvrvzhNcB+S6sQ2sBFSKfitbfNgt19em46M0qCgFmAlAtsGxJKUAUb7nzsIC8LLwPqb7L7Fjz4/3Dfhw3bIRH8MXadmITepuaY06Jok5CfyEeB/SnpWZcfKNnAGJyCGB/Fcmmn7++RJzrsH9M/r+W0JZMnJSV/1eLwSy1DIK2TAvqBR5g7FUMaxnNIK288Q4q4M0VbZYFWbjOiyptRjlYLT1oIh+PE/vTQ/M4uOAl6JVTHvgyHIU41/Z8bFddNcbMGP8pzGHvjtOFJX73h4+uwsOlD/hSIW8oSQPkSTBL2TSx0MNKMaI85O6Z3hqtcA1KdRbv+44gAuox2/CJVzIqIfipG/rLkq3xFjI9a4Cehn1GBJovKuJyH05WLAxq4vO3ZM9KWmepdMcWn9JnfVv68Jk+yAkN/j+wJAc4EsYJiIZRjqowIzzQ46g==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <1F8F69DCEE46EC43AB75B708C09D5210@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB4584.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 56334723-3d5b-40f7-22de-08d88b94df6c
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Nov 2020 07:37:59.2192 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sw2s50XQSd3NS1OdQbBchMHRe3wXbnp1NB9ba2cHhmeM9kQOOi0mSWi9c6xw5a+sdC4KsAl31SuDULlLd/FUeQXx6ZBrKZo8du0V8K4jr4o=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR07MB7560
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/_8RBS__1wlHRaHtyeWHF0iH9ZfU>
Subject: Re: [Lake] Discussion on IoT AEAD limits for AES_128_CCM_8
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 07:38:10 -0000

Thanks Martin,

It is very good that you point out that it is always true that 

v <= p * 2^64

That simplifies analysis. I think most constrained IoT systems could live with slightly higher bounds on p. 

But I do not see why even 128 would be unacceptable. It is only a denial-of-service problem if the endpoint becomes unavailable or have to do a heavy key exchange/handshake.

When the counter of failed decryptions reaches v, the endpoint does not necessarily need to stop processing incoming messages, the important thing is that any successful forgeries are not forwarded to the higher layers and acted upon in any way. When the counter of failed decryption reaches v the endpoint can wait for a valid ciphertext, throw away the plaintext, and send an error message indicating that the other endpoint need to re-key. Re-keying can be done almost for free. So even with v = 128, an adversary would have to send 128 messages to force the endpoints to send 1 message each. 

Cheers,
John

-----Original Message-----
From: Lake <lake-bounces@ietf.org> on behalf of Martin Thomson <mt@lowentropy.net>
Date: Wednesday, 18 November 2020 at 01:48
To: "lake@ietf.org" <lake@ietf.org>
Subject: Re: [Lake] Discussion on IoT AEAD limits for AES_128_CCM_8

You might find this tool useful in evaluating this:

https://protect2.fireeye.com/v1/url?k=3eb60f28-612d37fa-3eb64fb3-866132fe445e-96ffc5c77ab20edd&q=1&e=b4763ea2-5ec7-4458-aa23-03e11fd005d5&u=https%3A%2F%2Fchris-wood.github.io%2Finteractive-aead-limits%2F

Note that with the value of p that TLS uses (2^-57), this cipher performs very badly.  The number of forgery attempts you can tolerate is 128.  That's not 2^128, it's 128.  I don't think that is acceptable.  You might be able to increase your tolerance for attack (p) to get something more realistic.

On Tue, Nov 17, 2020, at 02:17, John Mattsson wrote:
> Hi,
> 
> As discussed during the meeting today, CFRG is working on an excellent 
> document specifying equations to calculate AEAD limits for the number 
> of encryption operations q and the number of forgery attempts v. TLS, 
> DTLS, and QUIC have adopted strict limits based on these equations. 
> Having strict limits is not a problem if re-keying is easy.
> 
> https://tools.ietf.org/html/draft-irtf-cfrg-aead-limits
> 
> Most constrained IoT systems today use some variant of AES-128 in CCM 
> mode with a 32- or 64-bit tag. IETF use of AES-128 in CCM mode 
> typically only use 64-bit tags.
> 
> The important equations for AEAD_AES_128_CCM_8 (AES-CCM-16-64-128, 
> AES-CCM-64-64-128) are:
> 
> Confidentiality Limit:
> q <= sqrt((p * 2^126) / l^2)
> 
> Integrity Limit:
> v * 2^64 + (2l * (v + q))^2 <= p * 2^128
> 
> where:
> 
> q = Number of protected messages (AEAD encryption invocations)
> v = Number of attacker forgery attempts (failed AEAD decryption invocations)    
> p = Adversary attack probability
> l = input length (plaintext + additional data) in blocks
> 
> For AEAD_AES_128_CCM_8 the integrity limit is the most limiting. DTLS 
> 1.3 sets the limits for CCM to q = 2^23 and v = 2^23.5 and states that 
> AES_128_CCM_8 MUST NOT used in DTLS without additional safeguards 
> against forgery. This unfortunately severely limits the use case for 
> DTLS 1.3 in very constrained IoT.
> 
> The assumptions used DTLS 1.3 (still a draft) are:
> 
> p = 2^-57
> l = 2^10 (2^14 bytes)
> 
> It should be discussed which assumptions are relevant for IoT systems. 
> It was suggested during the meeting today that this discussion should 
> be held in a IoT focused security area WG like LAKE. There are a large 
> number of aspects that affect how the limits v and q should be assigned:
> 
> - The probability p can be set to basically any value, it decides the 
> security level. Some IoT systems might accept a higher forgery 
> probability that (D)TLS in general.
> 
> - To optimize the forgery probablity the attacker cannot send a chosen 
> message, the attacker has to settle for something that looks like a 
> random string. For use cases where the payload has a certain format, 
> this means that succesfull forgeries will likely be discarded on a 
> higher level in the stack.
> 
> - The forgery probability is for a single forgery. In some systems a 
> single forgery may not matter much and several forgeries might be 
> needed to do any harm.
> 
> - The input lengths are typically much much smaller for most 
> constrained IoT systems than the 16 KB packets assumed in the (D)TLS 
> calculations.
> 
> - If the attacker uses a high speed broadband connection, a lot of 
> forgeries can be sent quickly. On most constained IoT systems, the 
> bandwith is very limited and it would take takes a long time to send 
> forged message.
> 
> - Any denial-of-service resulting from low limits on v should be 
> compared to other denial-of-service attacks on the system. If there are 
> even easier ways to reduce the availability of a system, a low limit on 
> v does not matter.
> 
> Looking forward to hear the IETF IoT communities comments on the above.
> 
> Cheers,
> John
> 
> -- 
> Lake mailing list
> Lake@ietf.org
> https://www.ietf.org/mailman/listinfo/lake
>

-- 
Lake mailing list
Lake@ietf.org
https://www.ietf.org/mailman/listinfo/lake

v2.23.0 | Report a Bug | By Email