Re: [MLS] Proposal: Change AES-GCM to AES-SIV
Richard Barnes <rlb@ipv.sx> Wed, 26 September 2018 21:53 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CE99130DDE for <mls@ietfa.amsl.com>; Wed, 26 Sep 2018 14:53:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ciLZYjbRL9ZE for <mls@ietfa.amsl.com>; Wed, 26 Sep 2018 14:53:39 -0700 (PDT)
Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1484129C6A for <mls@ietf.org>; Wed, 26 Sep 2018 14:53:38 -0700 (PDT)
Received: by mail-ot1-x32b.google.com with SMTP id h15-v6so536021otj.5 for <mls@ietf.org>; Wed, 26 Sep 2018 14:53:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sK3l1UrwEPQ6OoImZvXvWdYTdiHnTkTEODbo7uOpfZQ=; b=a4mE7UrUNb/mb6ROnuHoqMjLz91Nj1toI2hvKMMjEcXRfqvOl65+2/+LQrycG/RSYi 0h5WiJjEVl1CMu4zMLxAeEI1I3SS0BPv7qsuWbyq1rLhDM1yti502MC9sOVMKZb/3bRL x3s+kTHMl5Bjd4F6xtny6owapZPsfQPnB9M5rlSPPaPMnn8MD951q0SD5phzhpFSYwiK nBkDJMe1WE2qptur/cN1ozL/gaEVoCDqg+22Y64b8HiobPOY/PaXGS+8IahBaDwximod xPUjgfs4FtzWsFvFFEM+g02i3LEGRTs7tx1R3z8QNMiYODz3WJh9XLY/e0Xi04rdABrf tyPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sK3l1UrwEPQ6OoImZvXvWdYTdiHnTkTEODbo7uOpfZQ=; b=QFaNngA8C2FqpPxdjwm3DnT+U3EBZ/oSb58aoYliMZBaoK2AfKgeOqS01/hINf2hw+ RP1aR4HGcxAWmfVVSuvdiHtte+sNSrGPOshDMzolMA7hX0VOkCLV5ylc9s+Qg0yhLAo6 lKoVaTC7R0eQIJwulP59Pad1jHsSGnH9lvWAwm5JLUK/nuX30+EDLHJOTgeAV19A0C4N YkxhTTIREHb3eILo87lam6xD/QDkMtk0wBIKAI6Fkt2ylEGYXqnXCpJDW29BNONK9ZFi M40SnVJmOWwiHKXiTuk7Xj66nvlgn+8ccpEb6nuoCTpOjAOzmRZUVfdP5r22zS78yrwC MRtA==
X-Gm-Message-State: ABuFfojEIe3uMQAxECARFPqV97dWene7RdGE+S8BNWIBzznD3eB9ghS7 LIYZizMXaBxMbDeAPqsGXpmc6UpCXio+YQz7PUCYHA==
X-Google-Smtp-Source: ACcGV62EeUn36kSkClcGumcbEmXwY6gJvf35sCGV6juQ6TW8ppny3V4gYVKhHheru4zMt/MaQQY0woiicbrX4+0R3ew=
X-Received: by 2002:a9d:30c:: with SMTP id 12-v6mr4192668otv.165.1537998818070; Wed, 26 Sep 2018 14:53:38 -0700 (PDT)
MIME-Version: 1.0
References: <20180926223043.106fb209@T-200>
In-Reply-To: <20180926223043.106fb209@T-200>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 26 Sep 2018 23:53:24 +0200
Message-ID: <CAL02cgQ4xRDy0DTT+x_vySY3VJRP64bdSn2utBPpOPV3c9EAJA@mail.gmail.com>
To: dennis.jackson@cs.ox.ac.uk
Cc: mls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000037723a0576cd411b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/bsdKNexKVN7SM-xwTWAyucuAXcM>
Subject: Re: [MLS] Proposal: Change AES-GCM to AES-SIV
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2018 21:53:41 -0000
Hi Dennis, Thanks for writing this up. One brief note: The Böck et al. paper you cite is about TLS 1.2 and earlier, which use explicit nonces. In fact, that paper cites the implicit nonce approach in TLS 1.3 as one of their two recommended approaches. That seems to support the idea that generating nonces in the TLS 1.3 style is a reasonable solution here. That, together with the persistent lack of implementation of AES-GCM-SIV, makes me inclined to stick with normal AES-GCM, while assuring adequate safeguards. --Richard On Wed, Sep 26, 2018 at 11:31 PM Dennis Jackson <dennis.jackson@cs.ox.ac.uk> wrote: > Proposal: Change AES-GCM to AES-SIV > > Rationale: > > AES-GCM requires a unique nonce for every message, otherwise it > fails catastrophically by directly leaking the authentication key > and consequently provides no resistance to active attacks on > confidentiality. > > AES-SIV is a drop in replacement for AES-GCM which significantly > mitigates the impact of repeated nonces. For a message pair with > repeated nonces the attacker only learns if the two plaintexts were > equal. There is no other loss of confidentiality or authenticity. This > is provably the minimum leakage possible in the event of a repeated > nonce. > > Handling nonces is a tricky part of any implementation and easy to get > wrong in the presence of state loss or concurrency. Failures > in nonce generation are both catastrophic and subtle. Richard Barnes > has already improved the specification by moving from explicit to > implicit nonces which can aid the discovery of faulty implementations. > However, implicit nonces are not a silver bullet and recent papers have > uncovered serious nonce reuse issues in both TLS [1] and WPA [2]. > > + AES-SIV significantly mitigates the impact of nonce reuse > + AES-SIV is a drop in replacement with the same interface as AES-GCM > + AES-SIV makes use of the same hardware support as AES-GCM > + AES-SIV has a proof of security [3] and is described in RFC 5297 [4] > * AES-SIV has reasonable (but not extensive) library support (including > OpenSSL, BoringSSL, Intel IPP) > * Despite being over 10 years old, AES-SIV has not seen widespread > deployment > * AES-SIV Encryption is ~70% of the speed of AES-GCM Encryption > (Decryption is the same speed as AES-GCM) > > References: > > [1] > https://www.usenix.org/system/files/conference/woot16/woot16-paper-bock.pdf > > [2] https://www.krackattacks.com/ > > [3] http://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf > > [4] https://datatracker.ietf.org/doc/rfc5297/ > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls >
- [MLS] Proposal: Change AES-GCM to AES-SIV Dennis Jackson
- Re: [MLS] Proposal: Change AES-GCM to AES-SIV Richard Barnes
- Re: [MLS] Proposal: Change AES-GCM to AES-SIV Dennis Jackson
- Re: [MLS] Proposal: Change AES-GCM to AES-SIV Brendan McMillion
- Re: [MLS] Proposal: Change AES-GCM to AES-SIV Dennis Jackson