Re: [Sframe] "AES-GCM" with secure short tags

Richard Barnes <rlb@ipv.sx> Mon, 27 March 2023 09:02 UTC

References: <GVXPR07MB967868DFBBBE4EE9AB651B79898B9@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB967868DFBBBE4EE9AB651B79898B9@GVXPR07MB9678.eurprd07.prod.outlook.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 27 Mar 2023 05:01:06 -0400
Message-ID: <CAL02cgTQoVe00-W9sZoF+c14dc4cxhR9=D_SZndhx5+g=6X-bQ@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: "sframe@ietf.org" <sframe@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sframe/SoKyDZLDtqlgIzE7-dzA5H6SvfY>

Hi John,

Thanks for taking a look at this.  I expect something truncatable would be
of interest for a variety of media-encryption things (SRTP, SFrame, MoQ, et
al.).  Audio packets are small, numerous, and ephemeral, so on the one
hand, they are very sensitive in percentage terms to crypto overhead, and
on the other hand, you don't care a ton about forgery of any individual
packet.

That said, support in practice might be limited until this GCM change was
available in crypto libraries.

--Richard

On Mon, Mar 27, 2023 at 4:57 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:

> Hi,
>
> I saw that draft-ietf-sframe-enc uses AES-CTR with HMAC-SHA-256 for 32-,
> 64-, and 80-bit tags. 3GPP realised that 5G needs something like AES-GCM
> with short tags a few years ago and asked ETSI SAGE (the CFRG of 3GPP) to
> suggest a solution. AES-GCM has quite bad properties if you truncate the
> tags.
>
> ETSI SAGE recently specified and recommended a mode based on AES-GCM but
> with some important differences. In addition to the GCM key H, the new mode
> uses an additional secret point 𝑄 which is multiplied in the last step,
> before the masking with the secret value. This allows short tags with
> good security properties. This type of construction is not new and can be
> found in an old paper by Kaisa Nyberg. ETSI SAGE also recommends using a
> different polynomial taken from GCM-SIV for improved performance compared to
> GCM, but this is not needed for the truncation.
>
> Would the SFRAME WG be interested in such an algorithm (AES-GCM with
> truncatable tags)? If so I could submit such a draft to CFRG. ETSI SAGE
> has done quite a lot of security analysis on this.
>
> Cheers,
>
> John
> --
> Sframe mailing list
> Sframe@ietf.org
> https://www.ietf.org/mailman/listinfo/sframe
>
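The tag shape John describes, as an added sketch that is not part of this thread and is not ETSI SAGE's specification: GCM's polynomial hash under H, then a multiplication by a second secret field element Q, then the XOR with a secret mask, then truncation. It uses GCM's own GF(2^128) convention (NIST SP 800-38D Algorithm 1) rather than the GCM-SIV polynomial John mentions, and it replaces the block-cipher outputs that a real mode would use for H, Q and the mask with SHA-256 of a constructed key and nonce so that it runs offline; both are assumptions of the sketch. What it shows is the algebraic fact behind the concern about truncated GCM tags: GHASH is linear in the data for fixed H, so anyone holding H can turn one valid GCM-style tag into a valid tag for any same-length modification, whatever the tag length (which is why attacks that recover H from forgeries against short tags matter), whereas in the Q construction the same difference is multiplied by Q and H alone no longer suffices. The truncation analysis itself is not reproduced here.

```python
import hashlib

# GF(2^128) as used by GCM (NIST SP 800-38D, Algorithm 1): bit 0 of a
# block is the most significant bit of its first byte, so the
# multiplicative identity is the block 0x80 00 ... 00.
R = 0xE1 << 120
ONE = 1 << 127


def gf_mul(x: int, y: int) -> int:
    """Multiply two field elements held as 128-bit big-endian integers."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x: int, e: int) -> int:
    """x**e by square-and-multiply; used to express GHASH's block weights."""
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def ghash(h: int, data: bytes) -> int:
    """GCM's polynomial hash over whole 16-byte blocks:
    block1 * H^n  xor  block2 * H^(n-1)  xor ... xor  block_n * H."""
    if len(data) % 16:
        raise ValueError("this sketch hashes whole 16-byte blocks only")
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y


def derive_subkeys(key: bytes, nonce: bytes):
    """Stand-in for the per-nonce block-cipher outputs a real mode would use
    (assumption: SHA-256 instead of AES, so the sketch runs offline).
    Returns (H, Q, M): hash key, extra secret point, masking value."""
    def sub(label: bytes) -> int:
        return int.from_bytes(hashlib.sha256(label + key + nonce).digest()[:16], "big")
    return sub(b"H"), sub(b"Q"), sub(b"M")


def tag_gcm_style(h: int, m: int, data: bytes, tag_len: int) -> bytes:
    """GCM's tag shape: truncate(GHASH_H(data) xor M)."""
    return (ghash(h, data) ^ m).to_bytes(16, "big")[:tag_len]


def tag_with_q(h: int, q: int, m: int, data: bytes, tag_len: int) -> bytes:
    """The shape John describes: truncate((GHASH_H(data) * Q) xor M)."""
    return (gf_mul(ghash(h, data), q) ^ m).to_bytes(16, "big")[:tag_len]


def forge_knowing_h(h: int, data1: bytes, tag1: bytes, data2: bytes) -> bytes:
    """What someone holding H (and nothing else) can do with one valid
    GCM-style (data1, tag1) pair: GHASH is linear in the data for fixed H,
    so the XOR of the two untruncated hashes follows from H and the block
    differences alone, and truncation commutes with XOR."""
    n = len(data1) // 16
    diff = 0
    for i in range(n):
        b1 = int.from_bytes(data1[16 * i:16 * i + 16], "big")
        b2 = int.from_bytes(data2[16 * i:16 * i + 16], "big")
        diff ^= gf_mul(b1 ^ b2, gf_pow(h, n - i))
    diff_bytes = diff.to_bytes(16, "big")[:len(tag1)]
    return bytes(a ^ b for a, b in zip(tag1, diff_bytes))


def demo(tag_len: int = 10) -> dict:
    """Constructed inputs: a fixed key/nonce and two 3-block messages that
    differ in the middle block (a tampered media frame). Tag length 80 bits,
    one of the sizes the thread mentions."""
    key, nonce = b"k" * 16, b"n" * 12
    h, q, m = derive_subkeys(key, nonce)
    original = b"audio frame #1".ljust(16, b"\0") + b"payload block 2 " + b"payload block 3 "
    tampered = original[:16] + b"PAYLOAD BLOCK 2 " + original[32:]
    gcm_tag = tag_gcm_style(h, m, original, tag_len)
    q_tag = tag_with_q(h, q, m, original, tag_len)
    return {
        "gcm_forgery_accepted": forge_knowing_h(h, original, gcm_tag, tampered)
        == tag_gcm_style(h, m, tampered, tag_len),
        "q_forgery_accepted": forge_knowing_h(h, original, q_tag, tampered)
        == tag_with_q(h, q, m, tampered, tag_len),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` reports the GCM-style forgery as accepted and the Q-variant forgery as rejected: the forger's computed difference is `GHASH(m1) xor GHASH(m2)`, which matches the real tag difference only when no Q multiplication sits between the hash and the mask.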