[openpgp] Proposed patch to add OCB to AEAD section
Ronald Tse <tse@ribose.com> Thu, 26 October 2017 01:25 UTC
Hi openpgp WGers, This is the proposed patch to add OCB to 4880bis. The proposed patch can be seen at this link and also attached below: - https://gitlab.com/openpgp-wg/rfc4880bis/merge_requests/8<https://gitlab.com/openpgp-wg/rfc4880bis/merge_requests/7> commit 74052ffc18c60d5388475a34ffb78d82b3cecd65 Author: Ronald Tse <ronald.tse@ribose.com<mailto:ronald.tse@ribose.com>> Date: Wed Oct 25 17:01:25 2017 +0800 Propose addition of OCB mode to AEAD. diff --git a/middle.mkd b/middle.mkd index 686c1cf..835906b 100644 --- a/middle.mkd +++ b/middle.mkd @@ -2645,8 +2645,7 @@ A new random initialization vector MUST be used for each message. ### EAX Mode -The only currently defined AEAD algorithm is EAX Mode -[](#EAX). This algorithm can only use block ciphers with 16-octet +The EAX algorithm can only use block ciphers with 16-octet blocks. The starting initialization vector and authentication tag are both 16 octets long. 
@@ -2660,6 +2659,51 @@ exclusive-oring the low eight octets of it with the chunk index. The security of EAX requires that the nonce is never reused, hence the requirement that the starting initialization vector be unique. + +### OCB Mode + +The OCB Authenticated-Encryption Algorithm used in this document is +defined in [](#RFC7253). + +OCB was initially defined in [](#OCB1) (now called "OCB1") for +authenticated encryption, then as an authenticated encryption with +associated data algorithm with tweakable blockciphers in [](#OCB2) +("OCB2"), and finally with performance enhancements as [](#OCB3) +("OCB3"). + +The [](#RFC7253) algorithm differs from "OCB3" such that tag length +is encoded into the internally formatted nonce. + +OCB usage requires specification of the following parameters: + + * a blockcipher that operate on 128-bit (16-octet) blocks + * an authentication tag length of 128 bits + +While OCB [](#RFC7253) allows the authentication tag length to be of +any number up to 128 bits long, this document requires a fixed +authentication tag length of 128 bits (16 octets) for simplicity. + +The nonce for a chunk of chunk index "i" in OCB processing is defined +as: + + OCB-Nonce_{i} = IV[1..120] xor i + +Where, + + * IV is the initialization vector of the message; + * IV[i..j] is the substring of IV consisting of bits i through j, + inclusive, in big-endian format. + +The value of OCB-Nonce_{i} is always 120 bits (15 octets) long as the +longest allowed nonce length of OCB mode according to [](#RFC7253). + +Security of OCB mode depends on the non-repeated nature of nonces used +for the same key on distinct plaintext [](#RFC7253). Therefore the +initialization vector per message MUST be distinct, and OCB mode +SHOULD only be used in environments when there is certainty to +fulfilling this requirement. + + # {6} Radix-64 Conversions As stated in the introduction, OpenPGP's underlying native 
@@ -3214,10 +3258,11 @@ SHOULD NOT use MD5 or RIPE-MD/160. ID Algorithm -------- --------- 1 EAX [](#EAX) + 2 OCB [](#RFC7253) 100--110 Private/Experimental algorithm Implementations MUST implement EAX. Implementations MAY implement -other algorithms. +OCB and other algorithms. # {10} IANA Considerations diff --git a/reference.RFC.7253.xml b/reference.RFC.7253.xml new file mode 100644 index 0000000..5e8cdf3 --- /dev/null +++ b/reference.RFC.7253.xml @@ -0,0 +1,13 @@ +<?xml version='1.0' encoding='UTF-8'?> + +<reference anchor='RFC7253' target='https://www.rfc-editor.org/info/rfc7253'> +<front> +<title>The OCB Authenticated-Encryption Algorithm</title> +<author initials='T.' surname='Krovetz' fullname='T. Krovetz'><organization /></author> +<author initials='P.' surname='Rogaway' fullname='P. Rogaway'><organization /></author> +<date year='2014' month='May' /> +<abstract><t>This document specifies OCB, a shared-key blockcipher-based encryption scheme that provides confidentiality and authenticity for plaintexts and authenticity for associated data. This document is a product of the Crypto Forum Research Group (CFRG).</t></abstract> +</front> +<seriesInfo name='RFC' value='7253'/> +<seriesInfo name='DOI' value='10.17487/RFC7253'/> +</reference> diff --git a/template.xml b/template.xml index 2527e28..28f0cac 100644 --- a/template.xml +++ b/template.xml @@ -22,6 +22,7 @@ <!ENTITY rfc.5639 PUBLIC '' 'reference.RFC.5639.xml'> <!ENTITY rfc.5870 PUBLIC '' 'reference.RFC.5870.xml'> <!ENTITY rfc.6090 PUBLIC '' 'reference.RFC.6090.xml'> + <!ENTITY rfc.7253 PUBLIC '' 'reference.RFC.7253.xml'> <!ENTITY rfc.7748 PUBLIC '' 'reference.RFC.7748.xml'> <!ENTITY iso.10646 PUBLIC '' 'reference.ISO.10646-1.1993.xml'> <!ENTITY eddsa PUBLIC '' 'reference.I-D.irtf-cfrg-eddsa.xml'> 
@@ -102,7 +103,35 @@ <author surname="Wagner" initials="D." /> <date year="2003" month="April" /> </front> - </reference> + </reference> + + <reference anchor='OCB1'> + <front> + <title>OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption</title> + <author surname="Rogaway" initials="P." /> + <author surname="Bellare" initials="M." /> + <author surname="Black" initials="J." /> + <author surname="Krovetz" initials="T." /> + <date year="2001" month="April" /> + </front> + </reference> + + <reference anchor='OCB2'> + <front> + <title>Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC.</title> + <author surname="Rogaway" initials="P." /> + <date year="2004" month="April" /> + </front> + </reference> + + <reference anchor='OCB3'> + <front> + <title>The Software Performance of Authenticated-Encryption Modes</title> + <author surname="Krovetz" initials="T." /> + <author surname="Rogaway" initials="P." /> + <date year="2011" month="April" /> + </front> + </reference> <reference anchor='ELGAMAL'> <front> @@ -216,6 +245,7 @@ &rfc.4086; &rfc.5639; &rfc.5870; + &rfc.7253; &rfc.7748; &eddsa; _____________________________________ Ronald Tse Ribose Inc. +=========================================================+ This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. +=========================================================+
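Review bot: the rewritten opening sentence of the EAX section (the middle.mkd hunk at -2645) drops the only citation to the EAX paper in that section, since "[](#EAX)" is deleted together with "The only currently defined AEAD algorithm is". Keeping the citation reads better and matches the table row "1 EAX [](#EAX)" later in the patch: "EAX [](#EAX) can only use block ciphers with 16-octet blocks."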
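Review bot: the chunk nonce definition in the new OCB section (the middle.mkd hunk at -2660), "OCB-Nonce_{i} = IV[1..120] xor i", leaves two things unspecified that the EAX text above it does spell out: the length of the starting initialization vector for OCB (the EAX section states 16 octets; nothing here says how long the OCB IV is, only that its first 120 bits are used), and how the chunk index i is laid out for the XOR (EAX says "exclusive-oring the low eight octets of it with the chunk index"; here neither the width nor the position of i within the 120-bit string is stated). Suggest stating the IV length explicitly and writing the derivation in the same form as the EAX one, for example as the XOR of the chunk index into the low-order octets of a 15-octet IV. Two smaller points in the same hunk: "a blockcipher that operate on 128-bit (16-octet) blocks" should read "operates", and the letter i is used both as the chunk index and as the bit index in "IV[i..j]", which is confusing right next to the formula. In the last paragraph, "non-repeated nature of nonces used for the same key on distinct plaintext" understates the requirement: [](#RFC7253) requires that a nonce never be reused under the same key at all, whatever the plaintext, so "on distinct plaintext" should go, and "SHOULD only be used in environments when there is certainty to fulfilling this requirement" could read "SHOULD only be used where nonce uniqueness can be guaranteed".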
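Review bot: the AEAD algorithm table (the middle.mkd hunk at -3214) gains ID 2 for OCB, but the hunk ends exactly where "# {10} IANA Considerations" begins and the patch does not touch that section; if the AEAD algorithm IDs are mirrored in an IANA registry, the registration text there needs a matching entry for "2 OCB [](#RFC7253)". The change from "other algorithms" to "OCB and other algorithms" under "Implementations MUST implement EAX" is fine as written.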
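Review bot: all three new references in template.xml (OCB1, OCB2, OCB3) carry month="April", the same month as the EAX entry immediately above them in the hunk context (date year="2003" month="April"), which looks like a copied date element; the publication months should be checked against the actual venues before merging. None of the three gives a venue (seriesInfo) or a target URL, unlike the reference.RFC.7253.xml file added by this patch, so a reader cannot locate the papers from the citation alone. Minor: the OCB2 title ends with a period ("...Modes OCB and PMAC.") while the other titles do not, and the "- </reference>" / "+ </reference>" pair is a whitespace-only change that adds diff noise.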