Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis
Michael Clark <michael@metaparadigm.com> Sun, 21 December 2014 00:19 UTC
Return-Path: <michael@metaparadigm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07F4A1A008F for <tls@ietfa.amsl.com>; Sat, 20 Dec 2014 16:19:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Level:
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hAkp1GtW4LQV for <tls@ietfa.amsl.com>; Sat, 20 Dec 2014 16:19:24 -0800 (PST)
Received: from klaatu.metaparadigm.com (klaatu.metaparadigm.com [67.207.128.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A17C31A008B for <tls@ietf.org>; Sat, 20 Dec 2014 16:19:24 -0800 (PST)
Received: from monty.local (cm50.kappa90.maxonline.com.sg [58.182.90.50] (may be forged)) (authenticated bits=0) by klaatu.metaparadigm.com (8.14.4/8.14.4/Debian-4) with ESMTP id sBL0eI40022218 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sun, 21 Dec 2014 00:40:21 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=metaparadigm.com; s=klaatu; t=1419122423; bh=UZZTpC0tfbNW9l2/5iaeZ7bnzzyahW0sfm1+Ri0T9x4=; h=Date:From:To:Subject:References:In-Reply-To:From; b=r0YigDEyTENduf/ZJ7PmjVy5jERRerOJsH0vRYFKCrOyGxhjLDerSczZOvvU3mACP 5H/yKFqwqYG/s0pluSioVNyHFb0ZaMkcOuDXyb3kNWSdQelOmi+HmFsclGGXkC9TH1 1ay+d2NVNM7+sUnc6XjfPb+JSIGPRJ47WZlniUmY=
Message-ID: <54961200.6030506@metaparadigm.com>
Date: Sun, 21 Dec 2014 08:19:12 +0800
From: Michael Clark <michael@metaparadigm.com>
Organization: Metaparadigm Pte Ltd
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Tapio Sokura <tapio.sokura@iki.fi>, tls@ietf.org
References: <549538E5.7050109@metaparadigm.com> <5495BE11.4040703@iki.fi>
In-Reply-To: <5495BE11.4040703@iki.fi>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.98.4 at klaatu.metaparadigm.com
X-Virus-Status: Clean
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Bqb8FWxwISCW-vI1meRxFvdE91U
Subject: Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Dec 2014 00:19:26 -0000
On 21/12/14 2:21 am, Tapio Sokura wrote: > Hello, > > On 20.12.2014 10:52, Michael Clark wrote: >> CipherSuite TLS_DHE_DSS_WITH_AES_128_EAX_SHA256 >> CipherSuite TLS_DHE_DSS_WITH_AES_256_EAX_SHA384 >> CipherSuite TLS_ECDHE_DSS_WITH_AES_128_EAX_SHA256 >> CipherSuite TLS_ECDHE_DSS_WITH_AES_256_EAX_SHA384 >> CipherSuite TLS_DHE_DSS_WITH_AES_128_CCM_SHA256 >> CipherSuite TLS_DHE_DSS_WITH_AES_256_CCM_SHA384 >> CipherSuite TLS_ECDHE_DSS_WITH_AES_128_CCM_SHA256 >> CipherSuite TLS_ECDHE_DSS_WITH_AES_256_CCM_SHA384 > A bit off-topic on the actual question, but: Is DSS used anymore? Should > these be ECDSA instead? Thanks. Yes. I did mean ECDSA, the eliptic curve variant of DSA (DSS). It was a mistake on my part. Someone mentioned off list mentioned the AEAD ChaCha20-Poly1305 draft, however I note the authenticator is still 16 bytes (128 bits). I had seen the draft but wasn't sure if it was going to be included in TLSv1.3. It occurred to me that a (perhaps not fair) comparison would be with using MD5 which is 128 bits. MD5 has collisions. GHASH finite field and the cipher based MACS (including Poly1305) should be safe in this regard due to their construction. My understanding is that cipher based MACS are vulnerable to attacks that reverse rounds of the cipher after a certain number of texts have been seen (birthday attack). The fact that the nonce has a short lifetime probably makes this intractible however I began wondering about the 'designed in' lower entropy in GCM (IV suffix on first block 32-bits starting at 0x00000001 versus incrementing the whole IV and preserving entropy). Both this; and properties of the parallelizability GHASH construction. The IV construction effectively means only 96 bits need to be brute forced to forge an authenticator (unless in practice a random initial counter was used) as we know the counter for each block. It seems to be a designed in weakness along with excellent parallelizability. CCM and EAX are not exploitable in this manner. The main point was besides eavesdropping potential, was the ability of an attacker to inject random bit errors by finding authenticator collisions; i.e. message integrity; and also the parallelizability of GCM. Parallelizability lowering the barrier to anyone with sufficient resources. AES-GCM and AES-CCM are the only two implemented AEAD ciphers. The later is not present in openssl, boringssl, libressl (last time I looked). The thought that occurred to me was the idea of having a 256-bit authenticator with a 256-bit cipher. In practice we use 256-bit and 384-bit MACs. It's whether we consider the AEAD MAC as an "error correction code" or a "cryptographic MAC". People are widely deploying 256-bit and 384-bit MACs in areas where a "cryptographic MAC" is required. I guess it is also dependent on the time window (which in TLS is short) however someone with acres/hectares of computers could make a DHT (Distributed Hash Table). Drives are cheap and DHTs are fast for vast amounts of data. Reasoning is 32 bits lost entropy, n bits in storage, m bits computed online (from looking at table based GHASH). OMAC1/CMAC is limited to the block size of the underlying cipher which is 128 bits even with AES-256. EAX just seems simpler than CCM. Just thought I would question the convention and established thought... Cheers, Michael.
- [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Tapio Sokura
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Jeffrey Walton
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Peter Gutmann
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Russ Housley
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Watson Ladd
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Ilari Liusvaara
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Yoav Nir
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Peter Gutmann
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Peter Gutmann
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Paterson, Kenny
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Peter Gutmann
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Manuel Pégourié-Gonnard
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Paterson, Kenny
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Watson Ladd
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Watson Ladd
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Paterson, Kenny
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Martin Thomson
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Martin Thomson
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Tom Ritter
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Martin Rex
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Joe Hall
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Tom Ritter
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Martin Thomson
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Nikos Mavrogiannopoulos
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Tom Ritter