Re: [TLS] Weakly authenticated ciphers (was about draft-mattsson-cfrg-aes-gcm-sst)
John Mattsson <john.mattsson@ericsson.com> Tue, 09 May 2023 05:27 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E28CC1595FE; Mon, 8 May 2023 22:27:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SqtzjZy5U3-o; Mon, 8 May 2023 22:27:55 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2062b.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1a::62b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFCBFC15152B; Mon, 8 May 2023 22:27:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AUbsWD7UopY8QumND36TwC1CZzzhzwJJDkfqIjwXMk85O14xHaWsX4os90ITdvqBJ3wYt/v3QLz3WNJVLptC6wfq3HiY2YFolwGxzK6y9UGxnfnCHpo7UGc2F1Vmw7WvRz01Y+MgM6fAvJLGgF/sw28sAXgwQvsp/lEE6DqLcS8CPcaG/6n0Dq0drp0wk2mDrroFyUSMebpJwOggnpBxV+z1lkZE1DJb8OtuZcXoTQt7E8dcKcjrip/yungbWJPgaSsoPV0beiBRjehohGi4h5UO2U0DJxccQsZjum/qVEtRizWFAcfHOK+potktjXsOkEA9M2NUpg9x+l2BXTnfjg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=wRM1xFEZrZMVXMAc1PocDbuzRD6pqgObB4MTATA/cNk=; b=gjDceEl13JOFzrxHiRcCpQ4GrxJP8rHgjzgxk/g9GwD1NV/Bjwma6DbAtsB6yBp5LyZk7irdChLHJoLpxiBF5ePkaIzf0LbXsXYCvGjACBmKuTQ/qLZSs4MRXjhmGldjijqMGPMUjUQcMxIBktDB8R25hjxck+/5bw4E7OC/KuKMoqeJ/XleSMqV45NIKrveRjHfVCRA+0BwjY0tn+rV0BIP5QS/IaU8QlpXRELPl/xSGFC+KC2FUgujzOcwXDJsIeLJ9NZT57cfKB7smB+gZgES7oAik87AJ1NByKE/w02+oKO3HhhqWht6MGHC+VHxLUQrShsJRSV3uprfqS3EKQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wRM1xFEZrZMVXMAc1PocDbuzRD6pqgObB4MTATA/cNk=; b=T3zzjPhRVzrpMzt3d7eHS9KTrT/0mu5R0PvW+0FdHxHt8UTwaxmawLIwANgB8klhNE6G0qAnXGAiCvfWu60KGYLpUiEGBClUa9kJRzwm9bQhrZlcRlIaMb5f/y2iv3XhHy7iGru3Iau78XFwhhlDBESy2iu2GIqQuYNYQvj+XKU=
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by AS2PR07MB9123.eurprd07.prod.outlook.com (2603:10a6:20b:55a::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6363.33; Tue, 9 May 2023 05:27:50 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::47af:87d7:c8ce:1957]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::47af:87d7:c8ce:1957%7]) with mapi id 15.20.6363.032; Tue, 9 May 2023 05:27:49 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Martin Thomson <mt@lowentropy.net>, "quic@ietf.org" <quic@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Weakly authenticated ciphers (was about draft-mattsson-cfrg-aes-gcm-sst)
Thread-Index: AQHZggzCqUGAZPOCeUCn7A4sgEqlSq9RacMC
Date: Tue, 09 May 2023 05:27:49 +0000
Message-ID: <GVXPR07MB9678412FBDA9797882ED63AB89769@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <168329718302.50127.18120629996969657@ietfa.amsl.com> <GVXPR07MB96781F20D284D7C999F7BBA789729@GVXPR07MB9678.eurprd07.prod.outlook.com> <343a4bf1-7a57-0084-5280-1556c9da4c36@huitema.net> <GVXPR07MB967862CF57FEC0EB180C75F789719@GVXPR07MB9678.eurprd07.prod.outlook.com> <68a78e2c-1510-48ed-9644-2e81c5f66d53@betaapp.fastmail.com>
In-Reply-To: <68a78e2c-1510-48ed-9644-2e81c5f66d53@betaapp.fastmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|AS2PR07MB9123:EE_
x-ms-office365-filtering-correlation-id: 52266b8b-2716-42fb-bf2f-08db504e2126
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: lLof/tzg3KNghitW366j2c6gkjqGTHmcMMpaBLPtpvbrXI8laDgEJUAU4vPl7B6qrOl+qAC06+pqBUJdcVlYxHg0vyT8mutIWqa9qQeZvE6zKZyXFJRRYMW4UdYOMsoZZvXT8y+Ep7wy4D2ufpTtRe8cxoD596KTjlYOzBt0WRycQepQMqaFJsyjZaXGonJuhKcbJxeidNHp6b59cee4VTSdgniiLObnWKjd8pIzR4E99RqzapaZ4bvgvToZXDcQhlrt9rq4Yjq5GnmHAcdkCFMRoFIdkDMLS/U7whuMvKZjLD9kT0/QtI0ywNtsKM+6SHLy42vDg/njKw25kdqqItaA2gTXqe8KfXV54ySlLkYGp1JaAdZ++wk2ao7nI3cX6OU5JY4kKOOVH6lKoyj3EMDwwIqeFQYzsFEl+NTa2ELaUcNpgRA3ggKpbX/L6tVGVjvZBYvZgWZ5C2q/7OMaqi/KUnO7QbLzAlRVb7iyj+u3vU2RBmd89dBkR1xinTmgmqIt207S4oeHSkydg9C4RGVxvg344kWgG8wrTSa60TBFNiH+Gslw0FctyBi9p4WINNXmfvvppwhKyk7vb7CvO/2Dxh/8nixtasMP9FJEeV6Ax9WjE/9qN6C5CFgj0NxcjAQu/54RE1GvgYzQ9d3dWH+diP7JKAHqgQEwczs4wCB7EAgu2ZwbR32MZlEXvBhE
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVXPR07MB9678.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(346002)(366004)(136003)(396003)(376002)(39860400002)(451199021)(66899021)(41300700001)(82960400001)(2906002)(33656002)(55016003)(86362001)(38100700002)(8676002)(8936002)(38070700005)(44832011)(5660300002)(52536014)(166002)(21615005)(122000001)(66446008)(66476007)(66556008)(64756008)(76116006)(83380400001)(7696005)(478600001)(66574015)(66946007)(316002)(110136005)(53546011)(9686003)(6506007)(26005)(186003)(966005)(71200400001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: m5R4+XHxfW7Y1TlR9POJ588phYpX2SwtwdZTuKC+HNt6Tg0OpYBkVZxe5y03DLxftwyCXSGHRj8dbCK3jkFPE1GUe3nIbWXdx5KF197HexjtUOldp3vQ286rkP1TXwA8dd98NKJLAzAyQci8gdwHQ4u4NoGdQSIxXqZuhYEG3HfncvM0gTAtQxQb0b+yuc5NIKSPSa0RiF5dT2TQz2uN3HfPijXHhCJgT3vLN2u5NjgNQ/4Y48RPto0qKoKIYYCRhilrSzgwYFxM3OWnj0FzS9IwFR3p28BRgW7Iecd6KkBT6kUYuMVRCsrvCXx8urXWpaHDNI10blEohe8Hi9bwsa0ALG8g7OI68Ht37YurWuoRjIJw8+P3uiBR01EgOtthTd+Tgm5xrlKAQAM9+edaKgdSRnWHOQ4EXHk5FOtCbq4xIj+OwoaNfpa75IyhOgcYLHi7wuA1oZtXPBGelpQnh0/6jyCzHayg2YTSTFPgoh5rU29PX+e1YplMZ2jTrrFJBokQAL4Mwrur/Hav8xxyYdCHBnx5CfslUSDMUrH2nkGjao1dgsgqgzXHxIFjLSFVazZ0+FS8fuRW1oA+9wtjNwx6CTKO2/6DJfz3VrT1Rmc+TNVlaPFT1j7QZA+wO1EaSHVflyuPM1OPSeAVjNNAMdxSBZ+92/4hy42qX3Yd22MTmAl/Xm4JcauBDCKmCs5Bhdd8TRN3+LLnOcqxZSN5c7CJ94r2GzJBu5ZfmkiJrnSRXCM9NVuEi5hFhEkrI0PRvm9hUVwBjkjjib5iS9PBdDPi4ooUlxerkLDz7CjoxZylHbEOFPm0HBSCSPEI5GySOUTH1mxAhGxIpdXTb9sDAhQdCIkTMsJrDh1U0i2GxIGLCs/EoDfGal2Es0WmLtd8Zty2SFo5c1SqUK521SuR2/ePwx2fUMsHtB5flvgLoPOFekp2tYU6nbkT8F2VjmTvy0isEtwuXZ4T7Qwe9T8RcWpmSiNw8eA7l38RbM6hYb1KsnljJIufPBMDL4SDOqwlIZZUFm1aDT5r4+pMJhJTBW7rJNDg73VKdkabdsDoRyjKpPd5YA5Sz1qBdIooPaIBY4lbDW18VAwecRBMOqi54uox5DO4gzuxsgQZpPttjB274/3tQdOWp0CZlWJE8+Qxq743OjUJEEvthPOfC6wlKRblCRNFOFegN5bDfZIcfrkGfaAppB4fFzQtC+Fixdu635Gk14/5VZDU6GRT95O/+emUwiBqvOqXdRu5gebZ9UgQRQvHYtBb6JmJwbgrArAy0t4w/Dnhei396PoJ/Ligo4nRyLerp2GbMCO7FLufAxjnuw47WGjaB2b4okTJhKhESyMLu66bpFZS2sFyofL5J1aWMx263xIkqM78k6rO8jUrkCRxa5KpkaA40g26e0qBVpTG9Aajl2H00i5Hs9+Vmu1LRDAWMnPt1hRXl3OE4mcxp3IzVo5bJQnF9z2tzs7drWbZXhiyOwX2mrNVVvm/8A7hY5z+sW5EVmHGSFxwMEZipcneesuoXMGBavjxKnWuzQjyIW/mlvnXvsVWtS8m6+Xp3J31IYMV8R4exiLSAWVV8NlOJ9S2JN8LNrvbfL9BiB6+U4eLot321u+yO+cUt+uZUrXQKLFzVsJttm6Qbhg=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB9678412FBDA9797882ED63AB89769GVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 52266b8b-2716-42fb-bf2f-08db504e2126
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 May 2023 05:27:49.6606 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: iddbK+RE3iMN8DUuIwDGDiRgyuTp6wFsUdF165UbnyzaGwpDlfDjcC34cfYy5sQ1AMnLZqcHYXCQwTGvUW4c4OX4A08UBrlEJFmAtwIOaeg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS2PR07MB9123
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GeBO9h-qIaPlgD8qYKTgAEPu_L4>
Subject: Re: [TLS] Weakly authenticated ciphers (was about draft-mattsson-cfrg-aes-gcm-sst)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2023 05:27:59 -0000
Hi Martin, It is true that with the current construction, the short tags would be used also in the TLS 1.3 handshake, but it is worth noting that the TLS 1.3 handshake is built on SIGMA-I where the security proof is done without the AEAD. The AEAD in the SIGMA-I handshake is for confidentiality. TLS 1.3 have giant (256- and 384-bit) MACs in the finished messages and the tickets have their own independent security. I don't see any big impact looking at it quickly. That said, I don't have any interest in driving short tags for general applications. I think it would be useful in specialized use cases like MoQ only. It is a bit uncertain which protocols will be used in the future. Long-term, QUIC might replace not only most use of TLS and DTLS, but also SCTP and SRTP. Martin Thompson wrote: >It might be possible to build a QUIC extension that allowed some data to >be protected differently than other (perhaps using connection IDs; a >popular technique). That seems like a good idea and a requirement if you are also sending application data with higher security requirements. Cheers, John From: TLS <tls-bounces@ietf.org> on behalf of Martin Thomson <mt@lowentropy.net> Date: Tuesday, 9 May 2023 at 02:25 To: quic@ietf.org <quic@ietf.org>, tls@ietf.org <tls@ietf.org> Subject: [TLS] Weakly authenticated ciphers (was about draft-mattsson-cfrg-aes-gcm-sst) I like the idea that we might have a more efficient cipher in this particular way. I've been a fan of OCB for that reason for some time. However, I don't think that QUIC or TLS integration is necessarily a good idea for this cipher. SRTP is one thing, but QUIC and TLS have an entirely different structure that might make short tags more risky than otherwise. DTLS-SRTP has a split structure, with the important key agreement piece being done with a full (D)TLS handshake. The handshake is typically protected with ciphers that have strong protections against forgery. In a context where you have signaling or data transfer (like WebRTC data channels), that data is also protected by the stronger cipher. Individual media streams are then protected with a different cipher, in SRTP. For instance, you might protect audio with one of the truncated HMAC modes. Now, setting aside the bit where it is ridiculous to insist on shaving a few bytes off packets when you have a multi-megabit video flow alongside, weaker protections can be useful. Authentication is a non-trivial proportion of the overall cost of sending audio, especially when you want to keep packet rates high to reduce latency. More so when you consider the potential to have multiple layers of protection (SFrame), potentially with different tolerance to forgery on each. Choosing a weak cipher (and we should not pretend that this is anything but that) means that any weakness affects everything on a connection. That isn't good for QUIC or TLS. It might be possible to build a QUIC extension that allowed some data to be protected differently than other (perhaps using connection IDs; a popular technique). For me, I'd need something like that for this cipher to find a role in QUIC. To that end, I have no interest in negotiating this cipher for use in TLS proper. Cheers, Martin On Tue, May 9, 2023, at 06:53, John Mattsson wrote: > Hi Christian, > > Yes, sending to the quic list is a good idea. I think QUIC is likely to > be used in a huge number of future use cases. Secure short tags might > be interesting for more use cases than Media over QUIC. > > Christian Huitema wrote: >>If the "short tags" can save per packet overhead while maintaining security properties > > The short tags do increase the forgery probability. The security is only > ideal with respect to the tag length. For general applications like HTTP/3 > I think you would like to keep the forgery probability per packet close to > the current level. > > In QUIC my understanding is that the maximum plaintext is 2^12 128-bit > blocks and the length of the associated data is negligible. The > security level of the 128-bit AES-GCM tags is therefore t – log2(n + m > + 1) ≈ 128 - 12 = 116 bits. > > With AES-GCM-SST in QUIC you would get ideal forgery probability ≈ 2^-t > for tags of length t <= 14 bytes. > > Cheers, > John > > *From: *CFRG <cfrg-bounces@irtf.org> on behalf of Christian Huitema > <huitema@huitema.net> > *Date: *Sunday, 7 May 2023 at 20:07 > *To: *John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, IRTF > CFRG <cfrg@irtf.org>, sframe@ietf.org <sframe@ietf.org>, moq@ietf.org > <moq@ietf.org> > *Subject: *Re: [CFRG] [Moq] FW: New Version Notification for > draft-mattsson-cfrg-aes-gcm-sst-00.txt > John, > > You should probably send this to the QUIC list as well. Media over QUIC > is just one application of QUIC. If the "short tags" can save per packet > overhead while maintaining security properties, then they are > interesting for many QUIC applications. > > -- Christian Huitema > > On 5/5/2023 7:45 AM, John Mattsson wrote: >> Hi, >> >> We just submitted draft-mattsson-cfrg-aes-gcm-sst-00. Advanced Encryption Standard (AES) with Galois Counter Mode with Secure Short Tags (AES-GCM-SST) is very similar to AES-GCM but have short tags with forgery probabilities close to ideal. The changes to AES-GCM were suggested by Nyberg et al. in 2005 as a comment to NIST and are based on proven theoretical constructions. >> >> AES-GCM performance with secure short tags have many applications, one of them is media encryption. Audio packets are small, numerous, and ephemeral, so on the one hand, they are very sensitive in percentage terms to crypto overhead, and on the other hand, forgery of individual packets is not a big concern. >> >> Cheers, >> John >> >> From: internet-drafts@ietf.org <internet-drafts@ietf.org> >> Date: Friday, 5 May 2023 at 16:33 >> To: John Mattsson <john.mattsson@ericsson.com>, Alexander Maximov <alexander.maximov@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>, Matt Campagna <campagna@amazon.com>, Matthew Campagna <campagna@amazon.com> >> Subject: New Version Notification for draft-mattsson-cfrg-aes-gcm-sst-00.txt >> >> A new version of I-D, draft-mattsson-cfrg-aes-gcm-sst-00.txt >> has been successfully submitted by John Preuß Mattsson and posted to the >> IETF repository. >> >> Name: draft-mattsson-cfrg-aes-gcm-sst >> Revision: 00 >> Title: Galois Counter Mode with Secure Short Tags (GCM-SST) >> Document date: 2023-05-05 >> Group: Individual Submission >> Pages: 16 >> URL: https://www.ietf.org/archive/id/draft-mattsson-cfrg-aes-gcm-sst-00.txt >> Status: https://datatracker.ietf.org/doc/draft-mattsson-cfrg-aes-gcm-sst/ >> Html: https://www.ietf.org/archive/id/draft-mattsson-cfrg-aes-gcm-sst-00.html >> Htmlized: https://datatracker.ietf.org/doc/html/draft-mattsson-cfrg-aes-gcm-sst >> >> >> Abstract: >> This document defines the Galois Counter Mode with Secure Short Tags >> (GCM-SST) Authenticated Encryption with Associated Data (AEAD) >> algorithm. GCM-SST can be used with any keystream generator, not >> just a block cipher. The main differences compared to GCM [GCM] is >> that GCM-SST uses an additional subkey Q, that fresh subkeys H and Q >> are derived for each nonce, and that the POLYVAL function from AES- >> GCM-SIV is used instead of GHASH. This enables short tags with >> forgery probabilities close to ideal. This document also registers >> several instances of Advanced Encryption Standard (AES) with Galois >> Counter Mode with Secure Short Tags (AES-GCM-SST). >> >> This document is the product of the Crypto Forum Research Group. >> >> >> >> >> The IETF Secretariat >> >> > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-9034b67a44f3143f&q=1&e=59d3bb57-6543-430e-8ba2-f3a9248d7619&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- [TLS] Weakly authenticated ciphers (was about dra… Martin Thomson
- Re: [TLS] Weakly authenticated ciphers (was about… John Mattsson
- Re: [TLS] Weakly authenticated ciphers (was about… John Mattsson