IETF Logo Mail Archive

Re: [MLS] Proposal: Change AES-GCM to AES-SIV

Brendan McMillion <brendan@cloudflare.com> Thu, 27 September 2018 06:04 UTC

Return-Path: <brendan@cloudflare.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53CDA130DEE for <mls@ietfa.amsl.com>; Wed, 26 Sep 2018 23:04:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.455
X-Spam-Level:
X-Spam-Status: No, score=-2.455 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.456, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2bjJ8wlc6hQO for <mls@ietfa.amsl.com>; Wed, 26 Sep 2018 23:04:54 -0700 (PDT)
Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CB90126DBF for <mls@ietf.org>; Wed, 26 Sep 2018 23:04:54 -0700 (PDT)
Received: by mail-pf1-x42b.google.com with SMTP id s5-v6so1078095pfj.7 for <mls@ietf.org>; Wed, 26 Sep 2018 23:04:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=+sckrESCLhN7EdnKotsLzzT1WyeD2JC89s+S70Zqp/8=; b=tadDEveU85udLfIejsqhtBI3BJ1LoGfb3s1/2iyHP1T7GQiUcS0OpvOyRi5ZdBvmVG /YJWH20qAHfVWHwe1aFUZL28KsA5ci2ytTGGsjOVDtDSlKRaTusSA5z1Ddp0hIgofRfb s5n1L6XVsvqdz20SLc1LCtOmNXFPlKmNhHXc4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=+sckrESCLhN7EdnKotsLzzT1WyeD2JC89s+S70Zqp/8=; b=AUG329d7KQwaswzh+wEyiBikabBilEjSCxHy0WTeTueb4XeuIi7yTrfkFDLj3KRGiB IjXjG/Z52G9ES7sysYtMeyl5l779RLdCQ2d+c0QopgogVG9UkhOW2NwZWwYjaiu0olg3 N2CSSZdvQS5M+o3YtYEqIqzckCVcL05vfscGJjzlBhOHS8JO2nLMJwMhrn04kO2JKRoO s+qlwFZlURNS5/D4RUK9d6dtXLMMgHOBkA/ymXnDSj6ol0FdIXPiRtui8OPn+o+hVzQu za4XtvCZ4WPyKP9HfqLIyWYIFkr0mA/JX4ycufznYWhKkKkAAck5zW42fctjocevMtEX 2biA==
X-Gm-Message-State: ABuFfohmhf4yRX6TjnMIi7Bcsg/u2mMG8QXirCcGuDw3YznIKPptNgMk hUalRdUF/t5rwhy/FiV9rfFmNHRnYtI6nw==
X-Google-Smtp-Source: ACcGV62XQOMLzUMXZ6Dz7TzhQuWyfU/UydlvNKlP2GbTi92wxiBTUVi3iaxX/hgGnL7mE0tmKYIJpA==
X-Received: by 2002:a17:902:2:: with SMTP id 2-v6mr9432478pla.178.1538028293748; Wed, 26 Sep 2018 23:04:53 -0700 (PDT)
Received: from ?IPv6:2601:646:c601:83b0:3c5b:ed67:dd95:933a? ([2601:646:c601:83b0:3c5b:ed67:dd95:933a]) by smtp.gmail.com with ESMTPSA id c1-v6sm1086107pgp.34.2018.09.26.23.04.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 26 Sep 2018 23:04:53 -0700 (PDT)
From: Brendan McMillion <brendan@cloudflare.com>
Message-Id: <0A6E4266-DACE-4F0A-AF31-855FFB33B106@cloudflare.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1A2F7BC6-6502-4F65-9422-67E242260034"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
Date: Wed, 26 Sep 2018 23:04:52 -0700
In-Reply-To: <20180927001617.16e26b5a@T-200>
Cc: mls@ietf.org
To: Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
References: <20180926223043.106fb209@T-200> <CAL02cgQ4xRDy0DTT+x_vySY3VJRP64bdSn2utBPpOPV3c9EAJA@mail.gmail.com> <20180927001617.16e26b5a@T-200>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/clpZKUiGkE2bTM-UuDA-VgLLuO4>
Subject: Re: [MLS] Proposal: Change AES-GCM to AES-SIV
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2018 06:04:59 -0000

> Handling nonces is a tricky part of any implementation and easy to get wrong in the presence of state loss

I think this is the core reason to consider using SIV. Since nonces are generated deterministically and statefully, is it possible for state loss (caused by an app crash) to cause nonce reuse? If so, SIV is necessary assuming implicit nonces.

Another solution is to use explicit random IVs, as this prevents nonce reuse (statistically, with a correct implementation) and means we can keep using abundantly available AES-GCM implementations.

> On Sep 26, 2018, at 4:16 PM, Dennis Jackson <dennis.jackson@cs.ox.ac.uk> wrote:
> 
> Hi Richard, 
> 
> The use of implicit nonces is complementary to SIV, but certainly
> doesn't replace it. To be precise, implicit nonces ensures all
> implementations use the same scheme for nonce generation. It does not
> ensure that nonce generation scheme is correct.
> 
> One possible source of error is an edge case in which the
> implementation unintentionally deviates from the standard. This is hard
> to catch in practice. With AES-GCM, an attacker able to detect (or
> force) this edge case would be able to derive the authentication key
> and attack the protocol. With AES-SIV, the attacker would gain very
> limited information about the message sent and the protocol would abort
> normally. 
> 
> A second, more serious source of error is when the nonce generation
> scheme is not correctly designed. This was the case in the KRACK attack
> on WPA2. Despite the comparative simplicity of a 4-message 2-party
> handshake and WPA2's wide deployment, every single implementation had
> at least one nonce reuse attack. Although WPA2 does use explicit nonces
> (since it is over a lossy medium), implicit nonces would not have
> caught the KRACK attack, as both parties reset their nonce
> counter in accordance with the specification. 
> 
> Given we are implementing a novel multi party asynchronous group key
> exchange from scratch, I don't think we should shrug this away. Not
> when the code level difference for implementors is only whether to pick
> EVP_CIPH_GCM_MODE or EVP_CIPH_SIV_MODE. 
> 
> All the best,
> Dennis 
> 
> On Wed, 26 Sep 2018 23:53:24 +0200
> Richard Barnes <rlb@ipv.sx <mailto:rlb@ipv.sx>> wrote:
> 
>> Hi Dennis,
>> 
>> Thanks for writing this up.  One brief note: The Böck et al. paper
>> you cite is about TLS 1.2 and earlier, which use explicit nonces.  In
>> fact, that paper cites the implicit nonce approach in TLS 1.3 as one
>> of their two recommended approaches.  That seems to support the idea
>> that generating nonces in the TLS 1.3 style is a reasonable solution
>> here.
>> 
>> That, together with the persistent lack of implementation of
>> AES-GCM-SIV, makes me inclined to stick with normal AES-GCM, while
>> assuring adequate safeguards.
>> 
>> --Richard
>> 
>> 
>> On Wed, Sep 26, 2018 at 11:31 PM Dennis Jackson
>> <dennis.jackson@cs.ox.ac.uk> wrote:
>> 
>>> Proposal: Change AES-GCM to AES-SIV
>>> 
>>> Rationale:
>>> 
>>> AES-GCM requires a unique nonce for every message, otherwise it
>>> fails catastrophically by directly leaking the authentication key
>>> and consequently provides no resistance to active attacks on
>>> confidentiality.
>>> 
>>> AES-SIV is a drop in replacement for AES-GCM which significantly
>>> mitigates the impact of repeated nonces. For a message pair with
>>> repeated nonces the attacker only learns if the two plaintexts were
>>> equal. There is no other loss of confidentiality or authenticity.
>>> This is provably the minimum leakage possible in the event of a
>>> repeated nonce.
>>> 
>>> Handling nonces is a tricky part of any implementation and easy to
>>> get wrong in the presence of state loss or concurrency. Failures
>>> in nonce generation are both catastrophic and subtle. Richard Barnes
>>> has already improved the specification by moving from explicit to
>>> implicit nonces which can aid the discovery of faulty
>>> implementations. However, implicit nonces are not a silver bullet
>>> and recent papers have uncovered serious nonce reuse issues in both
>>> TLS [1] and WPA [2].
>>> 
>>> + AES-SIV significantly mitigates the impact of nonce reuse
>>> + AES-SIV is a drop in replacement with the same interface as
>>> AES-GCM
>>> + AES-SIV makes use of the same hardware support as AES-GCM
>>> + AES-SIV has a proof of security [3] and is described in RFC 5297
>>> [4]
>>> * AES-SIV has reasonable (but not extensive) library support
>>> (including OpenSSL, BoringSSL, Intel IPP)
>>> * Despite being over 10 years old, AES-SIV has not seen widespread
>>>  deployment
>>> * AES-SIV Encryption is ~70% of the speed of AES-GCM Encryption
>>>  (Decryption is the same speed as AES-GCM)
>>> 
>>> References:
>>> 
>>> [1]
>>> https://www.usenix.org/system/files/conference/woot16/woot16-paper-bock.pdf
>>> 
>>> [2] https://www.krackattacks.com/
>>> 
>>> [3] http://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
>>> 
>>> [4] https://datatracker.ietf.org/doc/rfc5297/
>>> 
>>> _______________________________________________
>>> MLS mailing list
>>> MLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/mls
>>> 
> 
> 
> 
> -- 
> PGP Fingerprint: 5B93 F0B9 D6A8 9BC1 546B C98C 6105 A775 8CD2 46AC
> 
> _______________________________________________
> MLS mailing list
> MLS@ietf.org <mailto:MLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/mls <https://www.ietf.org/mailman/listinfo/mls>

v2.23.0 | Report a Bug | By Email