subject:"Encryption and authentication modes"

Re: Encryption and authentication modes

2010-07-25 Thread Justin Troutman

Florian Weimer wrote:

 I just want to create a generic API which takes a key (most of the
 time, a randomly generated session key) and can encrypt and decrypt
 small blobs.  Application code should not need to worry about details
 (except getting key management right, which is difficult enough).
 More popular modes such as CBC lack this property, it's too easy to
 misuse them.
   

As David [McGrew] mentioned -- thanks, David -- I've been working
towards drafting a proposal for standardizing encrypt-then-authenticate
generic composition, and David [McGrew, again] has been quite generous
in sharing his work in this area.  Working towards this is one aspect of
our work (Vincent Rijmen and I) in making cryptography easier to get
right at the implementation level, so that its true potential can be
realized in practice.  Developers shouldn't be making cryptographic
decisions, which is one of the driving forces behind our push for
standardizing encrypt-then-authenticate generic composition; they
needn't be burdened with addressing the subtleties that go along with
composite authenticated encryption schemes.

The desire to push for this was born out of green cryptography, which
Vincent and I introduced in IEEE Security  Privacy last year.  The
premise behind green cryptography was to recycle cryptographic
primitives whenever and wherever possible, and do so in a way that not
only minimizes implementation complexity, but maximizes cryptographic
security.  What we ended up with is AES-based encrypt-then-authenticate
(e.g., AES-CBC-then-AES-CMAC); this achieves the strongest notions of
confidentiality and integrity per Bellare and Namprempre (i.e., IND-CCA2
/\ INT-CTXT) and -- here's the best part -- it's the easiest for
developers to get right, since it is secure for all possible secure
instantiations of its constituent primitives.

If we are to standardize encrypt-then-authenticate generic composition,
we would most likely have to include support for SHA-1, SHA-2, and
SHA-3; this isn't exactly in line with the recycling paradigm, but a
necessary compromise in regards to support across the board.  You can
get the same security out of AES-CMAC and SHA-*-HMAC, either way.
Still, it's important to limit the number of options available, since
the more options you have, the more complexity you introduce to the
implementation.  Perhaps having a standard that supports
AES-CBC/AES-CTR-then-AES-CMAC/SHA-*-HMAC would work; this is where
community feedback is really useful, since such a standard needs to be
as flexible as it is secure.  Any thoughts?

I've recently spoke with Steve Weis and Ben Laurie at Google, who put
together the open-source Keyczar (keyczar.org) cryptographic toolkit,
aimed at making cryptography safe and simple for developers to use;
they did say, however, that oftentimes, they found themselves backed
into a corner with allowing configurations that may be secure, and
reasonable, for niche applications, but insecure elsewhere -- in other
words, no good for standards.  I mention Keyczar because it may be
something of interest to you, and I think it serves as a progressive
model for the direction we need to be going in -- making cryptography
easier to get right.  You're absolutely right that you shouldn't have to
worry about the details, and that it is easy to misuse.  That needs to
change.

In closing, I'll mention that green cryptography's design paradigm of
do a lot with a little; less is more has found its way into a
conceptual framework we're working on, dubbed Mackerel, which looks at
abstracting away as much of the cryptography as possible and, instead,
focus on the higher level concepts of confidentiality and integrity, and
why they're mutually necessary.  Just as green cryptography is concerned
with the assurance of cryptographic implementations, Mackerel is
concerned with the tightness of the interface between cryptography and
cryptographers, developers, and users.  We're drawing a lot from the
field of HCIsec, or Human Computer Interaction Security --  of which
another Googler, Alma Whitten, is a pioneer*.

So, that's a snapshot of what we -- Vincent Rijmen and I -- have been up
to over the past couple of years, and I look forward to sharing more as
it develops and evolves.  I had hoped to have a draft together earlier,
but it just wasn't in line with the workload and pace over the past few
months; it does appear that I'll have something together by the end of
August, which is a plus.  We're wide open to thoughts on this.


* http://gaudior.net/alma/johnny.pdf

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: Encryption and authentication modes

2010-07-24 Thread David McGrew

Hi Florian,

On Jul 23, 2010, at 1:14 AM, Florian Weimer wrote:

* David McGrew:

can I ask what your interest in AEAD is? Is there a particular
application that you have in mind?

I just want to create a generic API which takes a key (most of the
time, a randomly generated session key) and can encrypt and decrypt
small blobs. Application code should not need to worry about details
(except getting key management right, which is difficult enough).
More popular modes such as CBC lack this property, it's too easy to
misuse them.

I suppose a superficially similar primitive is contained in
Bernstein's NaCl library. I was intrigued by its simplicity, but the
cryptographic algorithms it uses are a bit non-standard.

RFC 5116 sounds perfect. It might be worthwhile to publish a C API
for that interface, along with detailed documentation. That would be
fairly straightforward; I think the only complexity is supporting an
incremental init/update/final interface. For your application, it
sounds like you don't need the incremental API.

thanks,

David

Right now, I would probably use it to forward session state through
browser URLs in areas which are not actually security-relevant.
Somewhat more sensitive applications are possible in the future. In
no case I expect adversaries to actually have access to ciphertext.
To some degree, it's about being able to say yes, we use encryption
for X, and it's algorithm Y, and I want to do it right without using
CMS or modern OpenPGP, with all the complexities that come with that.

When I said that CCM wasn't widely implemented, I was referring to the
fact that none of the cryptographic libraries on my system supports it
directly. This is a pity because once you fix the parameters, it's
much simpler to use safely than pure encryption modes.

There seems to be one downside with the CCM instance specified towards
the end of the NIST standard, though: If you on an architecture where
sizeof(size_t) == 8, then your encryption function isn't total because
it can't accept the full range of possible input lengths---or you end
up with just 64 bit for the tag, which seems to be a bit on the small
side. I'm not sure if this is a compelling reason to use EAX or GCM,
though---especially since we're strictly limited to 31 bit array
length in some places by software and not hardware (so this limitation
will be in place for a long time).

A mode which does not rely as much on proper randomness for the IV
would be somewhat nice to have, but it seems that the only choice
there is SIV, which has received less scrutiny than other modes.

OCB is very attractive in software, but GCM is more efficient in
hardware because it can be implemented without pipeline stalls. GCM
can perform well in software, though it can't be as compact as CCM,
and it excells with SIMD (http://eprint.iacr.org/2009/129) or modest
hardware support like Intel's new PCLMULQDQ instruction
(http://www.drdobbs.com/security/218102294;jsessionid=GMTY4RCFLHBMRQE1GHOSKHWATMY32JVN?pgno=3
).

Interesting. But it will take about five years until our crypto code
would make use of a new hardware instruction, assuming that we'd
implement all the necessary pieces right now (thanks to desynchronized
software release cycles at several layers of the software stack).
Speed is of no particular concern anyway. Increase in message size is
somewhat relevant (think about the URL case I mentioned), but only to
up to a degree.

--
Florian Weimerfwei...@bfk.de
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: Encryption and authentication modes

2010-07-24 Thread Chris Palmer

Florian Weimer writes:

 I just want to create a generic API which takes a key (most of the time, a
 randomly generated session key) and can encrypt and decrypt small blobs.
 Application code should not need to worry about details (except getting
 key management right, which is difficult enough).  More popular modes such
 as CBC lack this property, it's too easy to misuse them.

I wrote such a thing for web developers, and other people have too.

I can't see a reason to do anything other than

  ciphertext = aes_cbc(enc-key, random-iv, plaintext)

  sealed-blob = hmac(mac-key, ciphertext + timestamp) +
ciphertext + timestamp

You wrap this magic up in a trivial interface:

  byte [] seal(byte [] macKey, byte [] encKey, byte [] plaintext)
throws GeneralSecurityException
  { ... }

  byte [] unseal(byte [] macKey, byte [] encKey, byte [] ciphertext,
 long expirationInterval)
throws UnexplodedCowException
  { ... }

You can find my Java code with a google search, but it's not special.  You
can write it yourself in your favorite language with small effort.

This gives you expiration, integrity, and confidentiality. You can make the
keys implicit by getting them from the server config variables or something.
In case of mangled or expired ciphertext, the checking function can fail
fast (no need to decrypt, since you do the hmac check first).

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: Encryption and authentication modes

2010-07-24 Thread David Wagner


Florian Weimer  wrote:
* David McGrew:
 can I ask what your interest in AEAD is?  Is there a particular
 application that you have in mind?

 I just want to create a generic API which takes a key (most of the
 time, a randomly generated session key) and can encrypt and decrypt
 small blobs.  Application code should not need to worry about details
 (except getting key management right, which is difficult enough).
 More popular modes such as CBC lack this property, it's too easy to
 misuse them.

Thanks for explaining the use case.

In addition to the dedicated AEAD modes (e.g., CCM, EAX, GCM) that
you already know about, you might look at encrypt-then-authenticate.
It might make a nice and simple solution for this particular use case.
In EtA, you encrypt with any secure encryption scheme, then append a
MAC that covers the entire ciphertext (including the IV).  For instance,
AES-CBC + CMAC is a fine combination.  It's pretty simple to implement.

 A mode which does not rely as much on proper randomness for the IV
 would be somewhat nice to have, but it seems that the only choice
 there is SIV, which has received less scrutiny than other modes.

I'm afraid that, for full security, secure encryption does require
either randomness or state.  The technical slogan is deterministic
encryption schemes are not semantically secure.  A more down-to-earth
way to say it is that if you use a deterministic, stateless encryption
scheme to encrypt the same message twice, you'll get the same ciphertext
both times, which leaks some information to an eavesdropper.  In some
applications that might be OK, but for a general-purpose encryption
scheme, one might arguably prefer something that doesn't have such
an unnecessary weakness.

A weaker goal is graceful degradation: a weak random-number source
should not cause a catastrophic loss of security.  Some modes of
operation are more robust in the face of repeated or non-random IVs;
e.g., CBC mode is more robust than CTR mode.

Is obtaining proper randomness hard on your platform?  On most
desktop/server platforms, it is easy: just read from /dev/urandom.

If it's hard, there are various hardening schemes you can use to reduce
your dependence upon randomness.  I don't know whether they're worth the
effort/complexity/performance loss; that depends upon your usage scenario.
For instance, one cute hardening step you can do is to pick a separate
secret key for a PRF (e.g., CMAC), and then hash a random value together
with the message itself to obtain the IV for the encryption mode.  e.g.,
to encrypt message M:

  Encrypt(M):
  1. IV = CMAC(K0, random || M)
  2. C = AES-CBC-Encrypt(K1, IV, M)
  3. T = CMAC(K2, IV || C)
  4. return IV || C || T

(If you don't like storing 3 separate keys, use standard key separation
techniques: K0 = CMAC(K, 0), K1 = CMAC(K, 1), K2 = CMAC(K, 3).)

Of course, this hardening scheme does have a performance impact.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: Encryption and authentication modes

2010-07-23 Thread Florian Weimer

* David McGrew:

can I ask what your interest in AEAD is? Is there a particular
application that you have in mind?

I suppose a superficially similar primitive is contained in
Bernstein's NaCl library. I was intrigued by its simplicity, but the
cryptographic algorithms it uses are a bit non-standard.

A mode which does not rely as much on proper randomness for the IV
would be somewhat nice to have, but it seems that the only choice
there is SIV, which has received less scrutiny than other modes.

--
Florian Weimerfwei...@bfk.de
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: Encryption and authentication modes

2010-07-22 Thread David McGrew

Hi Florian,

can I ask what your interest in AEAD is? Is there a particular
application that you have in mind?

DJ provided a good summary of CCM and GCM. To add some follow-on to
that, RFC 5116 defines an interface to an AEAD algorithm, and a
registry of such algorithms. TLS 1.2 ties into this interface, though
currently only GCM is defined in TLS. Both GCM and CCM are defined
for use in IPsec, and GCM is in Suite B.

The other AEAD algorithm that's been defined is SIV mode; AFAIK it has
not been in any standards to date.

On Jul 14, 2010, at 10:22 AM, d...@deadhat.com wrote:

What's the current state of affairs regarding combined encryption and
authentication modes?

I've implemented draft-mcgrew-aead-aes-cbc-hmac-sha1-01 (I think, I
couldn't find test vectors),

The motivations for aead-aes-cbc-hmac-sha1 were 1) to match legacy
situations in which only the older algorithms are available, and 2) to
define an AEAD algorithm that does not need a unique IV (a
randomized algorithm in the terms of RFC5116). The draft could
probably be re-spun to better meet goal #1, though I am not sure how
important that goal is. In general, it would be valuable to have a
randomized algorithm, though it would be preferable to have one that
met the higher performance standard of GCM, which anything CBC based
won't meet.

More recently Justin Troutman has expressed an interest in possibly
carrying forward work on generic composition; I've copied him.

but I later came across CCM and EAX. CCM
has the advantage of being NIST-reviewed. EAX can do streaming (but
that's less useful when doing authentication). Neither seems to be
widely implemented. But both offer a considerable reduction in
per-message overhead when compared to the HMAC-SHA1/AES combination.

Are there any other alternatives to consider? Are there any traps I
should be aware of when implementing CCM?

--
Florian Weimerfwei...@bfk.de
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to
majord...@metzdowd.com

CCM is widely implemented. It's a matter of where you look.

Down at the MAC layer, AES-CCM has proved popular in wireless packet
communication because it is well adapted for separating the
treatment of
the header as plaintext AAD from the packet body as ciphertext. Also
it is
relatively efficient to implement in hardware since it relies only
on a

single AES encrypt block cipher and the birthday resistance of the
ciphertext MAC reduces on-air per packet overhead. This is the why for
example that you see AES-CCM in wireles USB, 802.11, 802.16 and WiMAX
management protocols.

A couple of years after 802 went for AES-CCM, AES-GCM became the
802.3/ethernet choice since it is more parallelizable and so can be
implemented for 10Gbps+ links where CCM becomes trickier. The per
packet

overhead is higher, but bandwidth on wires is cheap.

I don't think you can really implement CCM except in the context of
a more
detailed specification for a protocol. CCM is a flexible
specification and

protocols that use it must nail down a number of parameters and field
sizes in order to be interoperable. It's not so easy to just plug it
in

which makes is less convenient for the more pluggable software based
protocols higher up the stack.

That's true, though there are some particular CCM parameter choices
made in http://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml

Some technically good candidates for standards adoption, E.G. OCB met
resistance due to licensing issues.

OCB is very attractive in software, but GCM is more efficient in
hardware because it can be implemented without pipeline stalls. GCM
can perform well in software, though it can't be as compact as CCM,
and it excells with SIMD (http://eprint.iacr.org/2009/129) or modest
hardware support like Intel's new PCLMULQDQ instruction (http://www.drdobbs.com/security/218102294;jsessionid=GMTY4RCFLHBMRQE1GHOSKHWATMY32JVN?pgno=3
).

regards,

David

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: Encryption and authentication modes

2010-07-15 Thread markus reichelt

* james hughes hugh...@mac.com wrote:

 If there is no room for or an integrity field, you can look at
 XTS-AES.
 http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf

A not so well-known statement of said PDF certainly is the following,
especially in light of today's storage device capacities:

The length of the data unit for any instance of an implementation of
XTS-AES shall not exceed 2^20 AES blocks.

It seems to have made it smartly into openbsd, at least this
commit-info hints it:

http://marc.info/?l=openbsd-cvsm=121341266715025

-- 
left blank, right bald


pgpjXNpaGVZ6T.pgp
Description: PGP signature

Encryption and authentication modes

2010-07-14 Thread Florian Weimer

What's the current state of affairs regarding combined encryption and
authentication modes?

I've implemented draft-mcgrew-aead-aes-cbc-hmac-sha1-01 (I think, I
couldn't find test vectors), but I later came across CCM and EAX.  CCM
has the advantage of being NIST-reviewed.  EAX can do streaming (but
that's less useful when doing authentication).  Neither seems to be
widely implemented.  But both offer a considerable reduction in
per-message overhead when compared to the HMAC-SHA1/AES combination.

Are there any other alternatives to consider?  Are there any traps I
should be aware of when implementing CCM?

-- 
Florian Weimerfwei...@bfk.de
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: Encryption and authentication modes

2010-07-14 Thread james hughes

On Jul 14, 2010, at 1:52 AM, Florian Weimer wrote:

 What's the current state of affairs regarding combined encryption and
 authentication modes?
 
 I've implemented draft-mcgrew-aead-aes-cbc-hmac-sha1-01 (I think, I
 couldn't find test vectors), but I later came across CCM and EAX.  CCM
 has the advantage of being NIST-reviewed.  EAX can do streaming (but
 that's less useful when doing authentication).  Neither seems to be
 widely implemented.  But both offer a considerable reduction in
 per-message overhead when compared to the HMAC-SHA1/AES combination.
 
 Are there any other alternatives to consider?  

If there is no room for or an integrity field, you can look at XTS-AES.
http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf

 Are there any traps  should be aware of when implementing CCM?

CCM is a counter mode cipher, so don't reuse the count (with any reasonable 
probability).

Jim

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: Encryption and authentication modes

2010-07-14 Thread dj

 What's the current state of affairs regarding combined encryption and
 authentication modes?

 I've implemented draft-mcgrew-aead-aes-cbc-hmac-sha1-01 (I think, I
 couldn't find test vectors), but I later came across CCM and EAX.  CCM
 has the advantage of being NIST-reviewed.  EAX can do streaming (but
 that's less useful when doing authentication).  Neither seems to be
 widely implemented.  But both offer a considerable reduction in
 per-message overhead when compared to the HMAC-SHA1/AES combination.

 Are there any other alternatives to consider?  Are there any traps I
 should be aware of when implementing CCM?

 --
 Florian Weimerfwei...@bfk.de
 BFK edv-consulting GmbH   http://www.bfk.de/
 Kriegsstraße 100  tel: +49-721-96201-1
 D-76133 Karlsruhe fax: +49-721-96201-99

 -
 The Cryptography Mailing List
 Unsubscribe by sending unsubscribe cryptography to
 majord...@metzdowd.com


CCM is widely implemented. It's a matter of where you look.

Down at the MAC layer, AES-CCM has proved popular in wireless packet
communication because it is well adapted for separating the treatment of
the header as plaintext AAD from the packet body as ciphertext. Also it is
relatively efficient to implement in hardware since it relies only on a
single AES encrypt block cipher and the birthday resistance of the
ciphertext MAC reduces on-air per packet overhead. This is the why for
example that you see AES-CCM in wireles USB, 802.11, 802.16 and WiMAX
management protocols.

A couple of years after 802 went for AES-CCM, AES-GCM became the
802.3/ethernet choice since it is more parallelizable and so can be
implemented for 10Gbps+ links where CCM becomes trickier. The per packet
overhead is higher, but bandwidth on wires is cheap.

I don't think you can really implement CCM except in the context of a more
detailed specification for a protocol. CCM is a flexible specification and
protocols that use it must nail down a number of parameters and field
sizes in order to be interoperable. It's not so easy to just plug it in
which makes is less convenient for the more pluggable software based
protocols higher up the stack.

Some technically good candidates for standards adoption, E.G. OCB met
resistance due to licensing issues.

DJ

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: Encryption and authentication modes

Re: Encryption and authentication modes

Re: Encryption and authentication modes

Re: Encryption and authentication modes

Re: Encryption and authentication modes

Re: Encryption and authentication modes

Re: Encryption and authentication modes

Encryption and authentication modes

Re: Encryption and authentication modes

Re: Encryption and authentication modes

10 matches

Site Navigation

Mail list logo

Footer information