IETF Logo Mail Archive

[Lake] Discussion on IoT AEAD limits for AES_128_CCM_8

John Mattsson <john.mattsson@ericsson.com> Mon, 16 November 2020 15:17 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EFBC3A116D for <lake@ietfa.amsl.com>; Mon, 16 Nov 2020 07:17:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I101JW32Xb-2 for <lake@ietfa.amsl.com>; Mon, 16 Nov 2020 07:17:09 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2074.outbound.protection.outlook.com [40.107.20.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 908793A116C for <lake@ietf.org>; Mon, 16 Nov 2020 07:17:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fFyyt/u31n3XDJEqdNwhOG/DpKhL7P4hElhYm8nWg+NvRC1OUbnBir2IyMdNFiOYGEVR/HyYY7J7+yzePlGqmhuGncnG8wOoc8BXNkUrkk9R7xM94G7jkrVVmxInDHtyDjqHXOnithzQXmjt6XO6lzZ6f21ji0D14bnByjU9FLRuHuzDZewtFAaO6FJVSUATQFmmSDLXp0dW7A/+zQB5Xn1MTBivzhvLQUR/7R/1ShGwyVi9p6BISBtR6oQ4Fvqia+zL/wN9tgBozHj+5Xs2kTYyVdOvUs+jxOiF2Z4XmSYWoMMwYDOstZf36v7ine7tPiQkLwGm0UEowP7RWrSyQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=r/KjmXDH3Kfld0z//Cnhxa+miTLavuU49bV1/EWi/JE=; b=ilJRXt0/oLBAhyzW4RnalX68m26oSnMkUuIfVZsqpRPRxbTCZ7NcohhdGpXdBcvfxqA3O7uFSXCakT7YszcWuX1dNOy5BmvD308d+yrlnmG1WDlGx435IskCKvchEeohPC8dZ0PMrCuoBrL3up2LZcrCz+9QjQXqFuJ8ItYPljj7Iw+fq+C0ZYpyNfbUF5Bcgj1mQOvva6bDHUqFS2+GjfChh3woZuVQQqlgrK8xwMOeokvwwPD/zRr1a/bXm+J4+qkSiGUMlNdL+YFnZXPxY7uGR9UBPsQ6dTAwarMBBnchN5CXEw6oiowMDXJIIhe80wVOE470DcqruGXyIIVkzQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=r/KjmXDH3Kfld0z//Cnhxa+miTLavuU49bV1/EWi/JE=; b=hYk2deljuX0+iZKPz7MhHa3as1f82J/RBRlKN8d6gTlMee+xP8Ye+Cb24asF5UvHFZM6TzvooAH69ICWQ7n09hj0y7nOtVv8dzpFa+qMPHKVlEyxbq1B2snuZlqbOpF1HoauNh/neLKW1EF8uXK6irIxVRp5sDX1I88rSAQ6+N8=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (2603:10a6:20b:17::24) by AM6PR07MB5974.eurprd07.prod.outlook.com (2603:10a6:20b:99::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.16; Mon, 16 Nov 2020 15:17:05 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c%5]) with mapi id 15.20.3564.021; Mon, 16 Nov 2020 15:17:04 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "lake@ietf.org" <lake@ietf.org>
Thread-Topic: Discussion on IoT AEAD limits for AES_128_CCM_8
Thread-Index: AQHWvCuK4+D2UIrsPkK08fN+8+vQDQ==
Date: Mon, 16 Nov 2020 15:17:04 +0000
Message-ID: <0EB305C3-1751-45AA-A240-C6A3135C09CC@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.42.20101102
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 94446f3e-3d30-4d3b-df50-08d88a42ad19
x-ms-traffictypediagnostic: AM6PR07MB5974:
x-microsoft-antispam-prvs: <AM6PR07MB5974B739AD2106A71D39202F89E30@AM6PR07MB5974.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: zLMEE2hxsWwPabi0b5An4BfCcc8Yf6umManZ/qjXBrSXRPzPoPji7Yy6qM24pS24lHzr8A0ae2kK2yx9ReYUmOe2cE/RXNm5mkHRI5TbzHz2R6wfne4WGjaV7QYWlat6PJI1licahjMeFRQzvaV+LW9na1kg/rhvq5RuMXOdEpdzgPlvF8ajTPPYwewKpR24lvcuj3bMUv1mmmVtJb/EYQB+ux+s9G8lYvrgJdH7tCN5j4zBUGIFtf9wWX5GUjPXoEFQl58ghXaFG0aRDm/1xYC1tv9DnutMqJc5zMmip54B/7b8NcZMvVz7VVR/xW5cIy/oLaKopwZHL8Xhu450+wu1iTW9ETwNC5ed44xE1aL514rc80xEd7jMcreanHLqm5ZDLBlG8+wmuUKhuWARPQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(366004)(39860400002)(396003)(346002)(376002)(44832011)(2616005)(186003)(6916009)(6506007)(76116006)(64756008)(66476007)(5660300002)(26005)(33656002)(66446008)(66556008)(8936002)(66946007)(86362001)(8676002)(316002)(2906002)(478600001)(83380400001)(36756003)(966005)(71200400001)(6486002)(91956017)(6512007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: xLQkFdyq9J2FcdAcND/koVi4ogTyZ9LiOET9n6N+MUzK22ZPaqlIRYtLh41dwhJPTw6RdBxHRZalQV05a0fVlokfuyRNisVxREekjEtiky2M7sm90rWFb/p1uqIVmpI+WcPqvOOez4h8yt+GjDuXeIjn9M4r1XGsOAzHfmLHwF9/Pw1qdqE9ujWO4/KTPTNBLo/FQDrnIf4vEb0FuzhEYiP2PIN+Ry9FaS324l84ugNw563bRJI7rS+h/5xGqJyaQ068wztwH5gi2fjnffrLsOwPcP7aaBkCSuhGQ3Y5dyBDJalxEbUqD1heoPm8EjdZtwAB2RZiyupOxnD7LwcKnxZtd0YsA1to0lkGs+j2lwEUYt6MOXIhv7LnBkax7wPTvZxiQV5QSGBy0NR4BPzz7ncLcoPTTMGVuhdScbnIIXZEpGcu/XX4W/JI2LtKAY/er8DoQPeb1ITFx4ZBHvipYskxDUVHGtW0qS7VkSfMMHhr08noY4Fvtx6MDtUkvCHhIOo/MZ6rEBXhh7rkx2RLRdMiXRgY4W6/zGNnIsITOuAyuvxUOGUT656cxqPxeAaCgyo6fB8pDIky/WEEZ4xvrH4hxdXpzCyNsaUs2ywa/I0uMkM7lmtqTVyu6ZRrSed1mIr/rWSR+KDddew1bWiyIg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <E07FB491A7605E479E8026155DFB5CD5@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB4584.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 94446f3e-3d30-4d3b-df50-08d88a42ad19
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Nov 2020 15:17:04.8134 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Xf2/wtOejDkW3JhB4ujvMdCq4dY6m+ZBTHSqZ446/TJYGHlelLA1d1lhBMoedG6WTqTG30XWwDiSyKXlysyF6dEA09aryqKQt3HfBdEzH+8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB5974
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/jxnTTX2L6HM9ZeVrQ4TNHdISulA>
Subject: [Lake] Discussion on IoT AEAD limits for AES_128_CCM_8
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2020 15:17:12 -0000

Hi,

As discussed during the meeting today, CFRG is working on an excellent document specifying equations to calculate AEAD limits for the number of encryption operations q and the number of forgery attempts v. TLS, DTLS, and QUIC have adopted strict limits based on these equations. Having strict limits is not a problem if re-keying is easy.

https://tools.ietf.org/html/draft-irtf-cfrg-aead-limits

Most constrained IoT systems today use some variant of AES-128 in CCM mode with a 32- or 64-bit tag. IETF use of AES-128 in CCM mode typically only use 64-bit tags.

The important equations for AEAD_AES_128_CCM_8 (AES-CCM-16-64-128, AES-CCM-64-64-128) are:

Confidentiality Limit:
q <= sqrt((p * 2^126) / l^2)

Integrity Limit:
v * 2^64 + (2l * (v + q))^2 <= p * 2^128

where:

q = Number of protected messages (AEAD encryption invocations)
v = Number of attacker forgery attempts (failed AEAD decryption invocations)    
p = Adversary attack probability
l = input length (plaintext + additional data) in blocks

For AEAD_AES_128_CCM_8 the integrity limit is the most limiting. DTLS 1.3 sets the limits for CCM to q = 2^23 and v = 2^23.5 and states that AES_128_CCM_8 MUST NOT used in DTLS without additional safeguards against forgery. This unfortunately severely limits the use case for DTLS 1.3 in very constrained IoT.

The assumptions used DTLS 1.3 (still a draft) are:

p = 2^-57
l = 2^10 (2^14 bytes)

It should be discussed which assumptions are relevant for IoT systems. It was suggested during the meeting today that this discussion should be held in a IoT focused security area WG like LAKE. There are a large number of aspects that affect how the limits v and q should be assigned:

- The probability p can be set to basically any value, it decides the security level. Some IoT systems might accept a higher forgery probability that (D)TLS in general.

- To optimize the forgery probablity the attacker cannot send a chosen message, the attacker has to settle for something that looks like a random string. For use cases where the payload has a certain format, this means that succesfull forgeries will likely be discarded on a higher level in the stack.

- The forgery probability is for a single forgery. In some systems a single forgery may not matter much and several forgeries might be needed to do any harm.

- The input lengths are typically much much smaller for most constrained IoT systems than the 16 KB packets assumed in the (D)TLS calculations.

- If the attacker uses a high speed broadband connection, a lot of forgeries can be sent quickly. On most constained IoT systems, the bandwith is very limited and it would take takes a long time to send forged message.

- Any denial-of-service resulting from low limits on v should be compared to other denial-of-service attacks on the system. If there are even easier ways to reduce the availability of a system, a low limit on v does not matter.

Looking forward to hear the IETF IoT communities comments on the above.

Cheers,
John

v2.23.0 | Report a Bug | By Email