Re: [MLS] Proposal: Change AES-GCM to AES-SIV
Dennis Jackson <dennis.jackson@cs.ox.ac.uk> Wed, 26 September 2018 23:16 UTC
Return-Path: <dennis.jackson@cs.ox.ac.uk>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EF0C130DCE for <mls@ietfa.amsl.com>; Wed, 26 Sep 2018 16:16:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XWqT0lQcuEBN for <mls@ietfa.amsl.com>; Wed, 26 Sep 2018 16:16:22 -0700 (PDT)
Received: from relay13.mail.ox.ac.uk (relay13.mail.ox.ac.uk [129.67.1.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9C7B130DC4 for <mls@ietf.org>; Wed, 26 Sep 2018 16:16:21 -0700 (PDT)
Received: from smtp4.mail.ox.ac.uk ([129.67.1.207]) by relay13.mail.ox.ac.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <dennis.jackson@cs.ox.ac.uk>) id 1g5J2Z-0001FU-ir for mls@ietf.org; Thu, 27 Sep 2018 00:16:20 +0100
Received: from 61.ip-51-38-113.eu ([51.38.113.61] helo=T-200) by smtp4.mail.ox.ac.uk with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <dennis.jackson@cs.ox.ac.uk>) id 1g5J2Z-0001pj-Ex for mls@ietf.org; Thu, 27 Sep 2018 00:16:19 +0100
Date: Thu, 27 Sep 2018 00:16:17 +0100
From: Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
To: mls@ietf.org
Message-ID: <20180927001617.16e26b5a@T-200>
In-Reply-To: <CAL02cgQ4xRDy0DTT+x_vySY3VJRP64bdSn2utBPpOPV3c9EAJA@mail.gmail.com>
References: <20180926223043.106fb209@T-200> <CAL02cgQ4xRDy0DTT+x_vySY3VJRP64bdSn2utBPpOPV3c9EAJA@mail.gmail.com>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Oxford-Username: exet4027
X-Oxmail-Spam-Status: score=0.0 tests=none
X-Oxmail-Spam-Level: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/3HiOO6Z2Dg7MY6W2jRo4J5KQ94Q>
Subject: Re: [MLS] Proposal: Change AES-GCM to AES-SIV
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2018 23:16:25 -0000
Hi Richard, The use of implicit nonces is complementary to SIV, but certainly doesn't replace it. To be precise, implicit nonces ensures all implementations use the same scheme for nonce generation. It does not ensure that nonce generation scheme is correct. One possible source of error is an edge case in which the implementation unintentionally deviates from the standard. This is hard to catch in practice. With AES-GCM, an attacker able to detect (or force) this edge case would be able to derive the authentication key and attack the protocol. With AES-SIV, the attacker would gain very limited information about the message sent and the protocol would abort normally. A second, more serious source of error is when the nonce generation scheme is not correctly designed. This was the case in the KRACK attack on WPA2. Despite the comparative simplicity of a 4-message 2-party handshake and WPA2's wide deployment, every single implementation had at least one nonce reuse attack. Although WPA2 does use explicit nonces (since it is over a lossy medium), implicit nonces would not have caught the KRACK attack, as both parties reset their nonce counter in accordance with the specification. Given we are implementing a novel multi party asynchronous group key exchange from scratch, I don't think we should shrug this away. Not when the code level difference for implementors is only whether to pick EVP_CIPH_GCM_MODE or EVP_CIPH_SIV_MODE. All the best, Dennis On Wed, 26 Sep 2018 23:53:24 +0200 Richard Barnes <rlb@ipv.sx> wrote: > Hi Dennis, > > Thanks for writing this up. One brief note: The Böck et al. paper > you cite is about TLS 1.2 and earlier, which use explicit nonces. In > fact, that paper cites the implicit nonce approach in TLS 1.3 as one > of their two recommended approaches. That seems to support the idea > that generating nonces in the TLS 1.3 style is a reasonable solution > here. > > That, together with the persistent lack of implementation of > AES-GCM-SIV, makes me inclined to stick with normal AES-GCM, while > assuring adequate safeguards. > > --Richard > > > On Wed, Sep 26, 2018 at 11:31 PM Dennis Jackson > <dennis.jackson@cs.ox.ac.uk> wrote: > > > Proposal: Change AES-GCM to AES-SIV > > > > Rationale: > > > > AES-GCM requires a unique nonce for every message, otherwise it > > fails catastrophically by directly leaking the authentication key > > and consequently provides no resistance to active attacks on > > confidentiality. > > > > AES-SIV is a drop in replacement for AES-GCM which significantly > > mitigates the impact of repeated nonces. For a message pair with > > repeated nonces the attacker only learns if the two plaintexts were > > equal. There is no other loss of confidentiality or authenticity. > > This is provably the minimum leakage possible in the event of a > > repeated nonce. > > > > Handling nonces is a tricky part of any implementation and easy to > > get wrong in the presence of state loss or concurrency. Failures > > in nonce generation are both catastrophic and subtle. Richard Barnes > > has already improved the specification by moving from explicit to > > implicit nonces which can aid the discovery of faulty > > implementations. However, implicit nonces are not a silver bullet > > and recent papers have uncovered serious nonce reuse issues in both > > TLS [1] and WPA [2]. > > > > + AES-SIV significantly mitigates the impact of nonce reuse > > + AES-SIV is a drop in replacement with the same interface as > > AES-GCM > > + AES-SIV makes use of the same hardware support as AES-GCM > > + AES-SIV has a proof of security [3] and is described in RFC 5297 > > [4] > > * AES-SIV has reasonable (but not extensive) library support > > (including OpenSSL, BoringSSL, Intel IPP) > > * Despite being over 10 years old, AES-SIV has not seen widespread > > deployment > > * AES-SIV Encryption is ~70% of the speed of AES-GCM Encryption > > (Decryption is the same speed as AES-GCM) > > > > References: > > > > [1] > > https://www.usenix.org/system/files/conference/woot16/woot16-paper-bock.pdf > > > > [2] https://www.krackattacks.com/ > > > > [3] http://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf > > > > [4] https://datatracker.ietf.org/doc/rfc5297/ > > > > _______________________________________________ > > MLS mailing list > > MLS@ietf.org > > https://www.ietf.org/mailman/listinfo/mls > > -- PGP Fingerprint: 5B93 F0B9 D6A8 9BC1 546B C98C 6105 A775 8CD2 46AC
- [MLS] Proposal: Change AES-GCM to AES-SIV Dennis Jackson
- Re: [MLS] Proposal: Change AES-GCM to AES-SIV Richard Barnes
- Re: [MLS] Proposal: Change AES-GCM to AES-SIV Dennis Jackson
- Re: [MLS] Proposal: Change AES-GCM to AES-SIV Brendan McMillion
- Re: [MLS] Proposal: Change AES-GCM to AES-SIV Dennis Jackson