Slide 1: Authenticated Encryption with Replay prOtection (AERO)
mcgrew@cisco.com
Slide 2: AERO
- Authenticated Encryption algorithm
- Stateful and self-synchronizing
- Easy to use
- Robust against nonce misuse and decryption misuse
- Saves bandwidth
- No nonce, no sequence number
- New standards contributions and research
Slide 3: Communication Security Goals
- Unreliable transport: message loss, message reorder
- Multiple senders, multiple receivers
- Adaptive chosen plaintext, chosen ciphertext attacks
- Security against forgery
- Plaintext indistinguishable from random
Slide 4: Conventional Encryption + Authentication
[Figure: packet layout Header | SEQ | IV | Ciphertext | Tag. The Message is encrypted with AES-CBC Encryption to give the Ciphertext, HMAC produces the Tag, and the Sequence Number is carried in SEQ.]
Slide 5: Conventional A+E with Extended SEQ
[Figure: packet layout Header | SEQ LO | IV | Ciphertext | Tag. As on slide 4 (AES-CBC Encryption, HMAC), but the sequence number is split into SEQ LO and SEQ HI, with only SEQ LO carried in the packet.]
Slide 6: Conventional Decryption
[Figure: packet Header | SEQ | IV | Ciphertext | Tag. The Ciphertext goes through AES-CBC Decryption to recover the Message, HMAC verifies the Tag, and a Sequence Number Check validates SEQ together with the receiver's SEQ HI.]
Slide 7: Authenticated Encryption with Associated Data (AEAD)
[Figure: packet layout Header | SEQ LO | IV | Ciphertext | Tag. The Message is encrypted with AES-GCM Encryption; the sequence number is split into SEQ LO and SEQ HI.]
Slide 8: Authenticated Encryption with Associated Data (AEAD)
[Figure: same AES-GCM layout as slide 7.]
- Bandwidth: SEQ, IV, Tag
Slide 9: Authenticated Encryption with Associated Data (AEAD)
[Figure: same AES-GCM layout as slide 7.]
- Multiple receivers awkward
- Bandwidth: SEQ, IV, Tag
Slide 10: Authenticated Encryption with Associated Data (AEAD)
[Figure: same AES-GCM layout as slide 7.]
- IV hard to manage
- Multiple senders: INSECURE if mismanaged
- Multiple receivers awkward
- Bandwidth: SEQ, IV, Tag
Slide 11: Authenticated Encryption with Associated Data (AEAD)
[Figure: same AES-GCM layout as slide 7.]
- Complex to use
- IV hard to manage
- Multiple senders: INSECURE if mismanaged
- Multiple receivers awkward
- Bandwidth: SEQ, IV, Tag
Slide 12: Authenticated Encryption with Associated Data (AEAD)
[Figure: same AES-GCM layout as slide 7.]
- Complex to use
- IV hard to manage
- Multiple senders: INSECURE if mismanaged
- Multiple receivers awkward
- Bandwidth: SEQ, IV, Tag
- Decryption misuse
Slide 13: AERO
[Figure: packet layout Header | Ciphertext. The Message goes through AERO Encryption; there is no SEQ, IV or Tag field.]
- Easy to use
- No IV to manage
- Multiple senders: secure if misused
- Multiple receivers easy
- Minimal overhead
- Robust against decryption misuse
Slide 14: AERO Encryption
[Figure: Plaintext || Sequence Number is the input to Wide Pseudo Random Permutation (WPRP) Encryption, with the Header as the additional input; the output is the Ciphertext.]
Slide 15: Wide Pseudo Random Permutation (WPRP)
[Figure: WPRP Encryption applied to the example value 562a666ab08dae419b3 0818a309a064f40a9b2.]
Slide 16: Wide Pseudo Random Permutation (WPRP)
[Figure: the WPRP Encryption of slide 15 (562a666ab08dae419b3 0818a309a064f40a9b2) next to a second WPRP Encryption whose input differs in the highlighted digit: 562a666ab 1 8dae419bf e295e324f8a7181ad927. A change to a single digit of the input changes the entire output, which is what makes the permutation "wide".]
Slide 17: Wide Pseudo Random Permutation (WPRP)
[Figure: WPRP Decryption of the two values from slides 15 and 16 (562a666ab08dae419b3 0818a309a064f40a9b2 and 562a666ab 1 8dae419bf e295e324f8a7181ad927), inverting the encryption.]
- AES Extended Codebook (XCB) Mode of Operation
Slide 18: AERO Decryption
[Figure: the Ciphertext and Header go through Wide Pseudo Random Permutation (WPRP) Decryption, yielding Plaintext || Candidate Seq Num. The candidate sequence number is passed to Check together with the receiver state (s, r): on success, return Plaintext and update s; otherwise return FAIL. The output is either the Plaintext or FAIL.]
Slide 19: Candidate Sequence Number Checking
[Figure: CSN axis from 0 to 2^t - 1 with two marked points. s = largest sequence number accepted so far; r = last rejected candidate sequence number.]
Slide 20: Likely next candidates
[Figure: the CSN axis of slide 19 (0 to 2^t - 1, s = largest sequence number accepted so far, r = last rejected candidate sequence number) with s + 1 and s + 2 marked as the likely next candidates.]
Slide 21: Candidate Sequence Number Checking
[Figure: the CSN axis of slide 19 (0 to 2^t - 1, s = largest sequence number accepted so far, r = last rejected candidate sequence number) with a window of width w on each side of s and a window of width v above r.]
Slide 22: (Re)synchronization
[Figure: the CSN axis of slide 19 (0 to 2^t - 1, s = largest sequence number accepted so far, r = last rejected candidate sequence number) with the sender's Actual Sequence Number marked outside the window around s.]
Slide 23: (Re)synchronization
[Figure: as slide 22, with the Actual Sequence Number and Actual Sequence Number + 1 marked; the first is rejected and recorded as r, the second falls within v of r.]
Slide 24: Candidate Sequence Number Checking
[Figure: the CSN axis (0 to 2^t - 1) with s, r, the windows w on each side of s and v above r, and the decision for each region:]
- below s - w: reject
- within w below s: check bitmask, accept
- within w above s: update s, update bitmask, accept
- above s + w: set r (the last rejected candidate), reject
- within v above r: set s, accept
Slide 25: Security of Authentication
[Figure: the CSN axis (0 to 2^t - 1) with s and r; the accepted regions total 2w + v ~ 72 out of 2^t candidate sequence numbers.]
- Probability of successful forgery = 72 / 2^t ~ 2^(-t+7)
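The receiver-side check of slides 19 to 25, as an added illustration that is not code from the AERO drafts: it keeps s, r and a replay bitmask, applies the region rules of slide 24, and counts how many of the 2^t candidates a forged ciphertext could land on. The parameter values t=16, w=32, v=8 are an assumption chosen so that 2w+v = 72 as on slide 25.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class CsnState:
    t: int = 16            # candidate sequence numbers (CSN) lie in [0, 2**t - 1]
    w: int = 32            # window half-width around s (assumed value)
    v: int = 8             # resynchronisation window above r (assumed value)
    s: int = 0             # largest CSN accepted so far; the sender is assumed to start at 1
    r: Optional[int] = None  # last rejected candidate, None until the first rejection
    mask: int = 0          # bit i (1 <= i <= w) set  <=>  CSN s - i was already accepted

def check(st: CsnState, csn: int) -> bool:
    """Decide one candidate with the slide-24 region rules and update the state."""
    assert 0 <= csn < 2 ** st.t
    keep = (1 << (st.w + 1)) - 2                 # bits 1..w of the mask
    if st.s < csn <= st.s + st.w:                # within w above s: update s and bitmask
        d = csn - st.s
        st.mask = ((st.mask << d) | (1 << d)) & keep   # old s is now d behind the new s
        st.s = csn
        return True
    if st.s - st.w <= csn < st.s:                # within w below s: check the bitmask
        bit = 1 << (st.s - csn)
        if st.mask & bit:
            return False                         # replay
        st.mask |= bit
        return True
    if csn == st.s or csn < st.s - st.w:
        return False                             # replay of s, or too old: reject, r unchanged
    if st.r is not None and st.r < csn <= st.r + st.v:
        st.s, st.mask, st.r = csn, 0, None       # within v above r: resynchronise, set s
        return True
    st.r = csn                                   # above s + w: set r, reject
    return False

def accepted_count(st: CsnState) -> int:
    """How many of the 2**t candidates the state would accept (slide 25: 2w + v).
    A forged ciphertext decrypts to a random CSN, so forgery succeeds with
    probability accepted_count / 2**t. Each trial runs on a fresh copy of st."""
    return sum(check(replace(st), c) for c in range(2 ** st.t))

def demo() -> list:
    """Constructed traffic: in-order, one late arrival, a replay, then a loss
    burst that needs resynchronisation via r."""
    st = CsnState()
    seen = [check(st, c) for c in (1, 2, 4, 3, 3, 5)]   # 3 is late, the second 3 a replay
    seen += [check(st, c) for c in (1000, 1001, 1002)]  # 1000 rejected, 1001 resyncs
    return seen
```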
Slide 26: IPsec
[Figure: ESP packet layouts compared.]
ESP AES-GCM, AES-CCM, or AES-CTR plus HMAC-SHA1:
  SPI (4 bytes) | SEQ (4 bytes) | IV (8 bytes) | Ciphertext (length of plaintext + pad) | Tag (12 bytes)
  24+ bytes overhead per packet; no misuse resistance
ESP AERO:
  SPI (4 bytes) | Ciphertext (plaintext length + 12 bytes)
  12 bytes overhead per packet; misuse resistance
Slide 27: Performance
- WPRP CPB ~ 1.5 x GCM CPB
- Inefficient on long messages: higher latency, larger memory requirements ... but this is true of all AEAD methods ...
- More efficient on short messages. Short frames (about 100 bytes for 802.15): four bytes less overhead means
  - ~4% less power used in transmission
  - ~4% less power used in reception
  - ~4% lower probability that retransmission is needed
Slide 28: Status
- Research: formalization of security models and goals; WPRP encryption alternatives
- IETF: draft-mcgrew-aero-00.txt, draft-mcgrew-srtp-aero-01.txt, draft-mcgrew-dtls-aero-00.txt
- CAESAR: does not work with conventional AEAD API