[MLS] Proposal: Change AES-GCM to AES-SIV
Dennis Jackson <dennis.jackson@cs.ox.ac.uk> Wed, 26 September 2018 21:30 UTC
Date: Wed, 26 Sep 2018 22:30:43 +0100
From: Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
To: mls@ietf.org
Message-ID: <20180926223043.106fb209@T-200>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/gvszahIKpQ5CYJG-ARwi9MGURGo>
Subject: [MLS] Proposal: Change AES-GCM to AES-SIV
Proposal: Change AES-GCM to AES-SIV

Rationale:

AES-GCM requires a unique nonce for every message, otherwise it fails catastrophically by directly leaking the authentication key and consequently provides no resistance to active attacks on confidentiality.

AES-SIV is a drop-in replacement for AES-GCM which significantly mitigates the impact of repeated nonces. For a message pair with repeated nonces the attacker only learns if the two plaintexts were equal. There is no other loss of confidentiality or authenticity. This is provably the minimum leakage possible in the event of a repeated nonce.

Handling nonces is a tricky part of any implementation and easy to get wrong in the presence of state loss or concurrency. Failures in nonce generation are both catastrophic and subtle. Richard Barnes has already improved the specification by moving from explicit to implicit nonces which can aid the discovery of faulty implementations. However, implicit nonces are not a silver bullet and recent papers have uncovered serious nonce reuse issues in both TLS [1] and WPA [2].

+ AES-SIV significantly mitigates the impact of nonce reuse
+ AES-SIV is a drop-in replacement with the same interface as AES-GCM
+ AES-SIV makes use of the same hardware support as AES-GCM
+ AES-SIV has a proof of security [3] and is described in RFC 5297 [4]

* AES-SIV has reasonable (but not extensive) library support (including OpenSSL, BoringSSL, Intel IPP)
* Despite being over 10 years old, AES-SIV has not seen widespread deployment
* AES-SIV encryption is ~70% of the speed of AES-GCM encryption (decryption is the same speed as AES-GCM)

References:
[1] https://www.usenix.org/system/files/conference/woot16/woot16-paper-bock.pdf
[2] https://www.krackattacks.com/
[3] http://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
[4] https://datatracker.ietf.org/doc/rfc5297/
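The nonce-reuse contrast drawn above, as an added example that is not part of the original message or of any MLS implementation. It is a structural model, not RFC 5297 AES-SIV or real AES-GCM: HMAC-SHA256 stands in for AES as the PRF (an assumption made so the script runs on the Python standard library alone), the GCM-like arm keeps only the counter-mode keystream and omits the GHASH tag (so the authentication-key leakage the message mentions is not modelled), and the SIV-like arm follows the synthetic-IV shape (IV = MAC over nonce and plaintext, then counter mode keyed by that IV) with HMAC in place of S2V/CMAC. All keys, nonces and plaintexts are constructed sample values.

```python
import hashlib
import hmac

# Constructed model (assumption): HMAC-SHA256 plays the role of AES as a PRF.
# The two constructions below reproduce only the *structure* of AES-GCM
# (keystream derived from key and nonce) and AES-SIV (keystream derived from
# a plaintext-dependent synthetic IV), which is what decides how much a
# repeated nonce leaks.


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter mode: concatenate PRF(key, iv || counter) blocks, truncate."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def ctr_nonce_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """GCM-like: the keystream depends only on (key, nonce), so reusing a
    nonce reuses the keystream (tag omitted in this model)."""
    return _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def siv_encrypt(mac_key: bytes, enc_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """SIV-like: the IV is a MAC over (nonce, plaintext) and also serves as the
    authentication tag; the keystream is derived from that IV."""
    iv = hmac.new(mac_key, nonce + plaintext, hashlib.sha256).digest()[:16]
    return iv + _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))


def siv_decrypt(mac_key: bytes, enc_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Decrypt under the IV, then recompute the IV and compare in constant time."""
    iv, body = ciphertext[:16], ciphertext[16:]
    plaintext = _xor(body, _keystream(enc_key, iv, len(body)))
    expected = hmac.new(mac_key, nonce + plaintext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(iv, expected):
        raise ValueError("authentication failed")
    return plaintext


def ctr_nonce_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What a passive observer of two GCM-style ciphertexts under one nonce
    obtains: the XOR of the two plaintexts (the keystream cancels)."""
    return _xor(c1, c2)


def siv_nonce_reuse_leak(c1: bytes, c2: bytes) -> bool:
    """What the same observer obtains from two SIV-style ciphertexts under one
    nonce: only whether the plaintexts were identical."""
    return c1 == c2


def demo() -> dict:
    # Constructed sample values; a real deployment derives keys and nonces
    # from the protocol's key schedule.
    key, mac_key, enc_key = b"K" * 32, b"M" * 32, b"E" * 32
    nonce = bytes(12)                      # the *same* nonce used twice
    p1, p2 = b"attack at dawn!!", b"retreat at dusk!"

    g1, g2 = ctr_nonce_encrypt(key, nonce, p1), ctr_nonce_encrypt(key, nonce, p2)
    s1, s2 = siv_encrypt(mac_key, enc_key, nonce, p1), siv_encrypt(mac_key, enc_key, nonce, p2)
    s1_again = siv_encrypt(mac_key, enc_key, nonce, p1)
    s1_other_nonce = siv_encrypt(mac_key, enc_key, bytes(11) + b"\x01", p1)

    tampered = s1[:16] + bytes([s1[16] ^ 0x01]) + s1[17:]
    try:
        siv_decrypt(mac_key, enc_key, nonce, tampered)
        rejects_tamper = False
    except ValueError:
        rejects_tamper = True

    return {
        "gcm_like_leak_is_plaintext_xor": ctr_nonce_reuse_leak(g1, g2) == _xor(p1, p2),
        "siv_equal_plaintexts_detectable": siv_nonce_reuse_leak(s1, s1_again),
        "siv_different_plaintexts_unlinkable": not siv_nonce_reuse_leak(s1, s2),
        "siv_fresh_nonce_hides_repeats": s1 != s1_other_nonce,
        "siv_round_trip": siv_decrypt(mac_key, enc_key, nonce, s1) == p1,
        "siv_rejects_tamper": rejects_tamper,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The first result is the two-time-pad effect: once the keystream cancels, any known or guessable fragment of one plaintext reveals the corresponding bytes of the other. The SIV arm shows the other side of the trade-off in the message's cost list: because the IV is a MAC over the whole plaintext, the plaintext must be processed once for the MAC and once for encryption, which is where the slower encryption (but unchanged decryption structure) comes from.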