
An Interface and Algorithms for Authenticated Encryption (RFC 5116)

An Interface and Algorithms for Authenticated Encryption (RFC 5116). David McGrew, mcgrew@cisco.com. Authenticated Encryption with Associated Data (AEAD): a single algorithm provides confidentiality and authenticity/integrity protection, and is a useful abstraction for ‘ideal’ encryption.


Presentation Transcript


  1. An Interface and Algorithms for Authenticated Encryption (RFC 5116)
  David McGrew, mcgrew@cisco.com

  2. Authenticated Encryption with Associated Data (AEAD)
  • Single algorithm provides confidentiality and authenticity/integrity protection
  • Useful abstraction for ‘ideal’ encryption
  • Block cipher modes
    • GCM, CCM, SIV, and others
  • Dedicated algorithms
    • Phelix, SOBER-128

  3. RFC 5116
  • Defines interface to AEAD algorithms
  • Defines four algorithms
    • AES GCM, AES CCM
  • Defines IANA registry for algorithms

  4. Example: Packet Protection
  [diagram: a packet made of Header and Payload; the Header needs authentication, the Payload needs confidentiality]

  5. Plaintext
  [diagram: the Payload is the Plaintext input to AEAD Encryption] Plaintext is encrypted and authenticated

  6. Associated Data
  [diagram: the Header is the Associated Data input to AEAD Encryption] Associated Data is only authenticated

  7. Secret key
  [diagram: Key added as an input to AEAD Encryption, alongside Associated Data and Plaintext]

  8. Nonce
  [diagram: Nonce added as an input to AEAD Encryption] Each encryption operation MUST have a distinct nonce

  9. (Authenticated) Ciphertext
  [diagram: AEAD Encryption of Key, Nonce, Associated Data and Plaintext produces the Ciphertext]

  10. Using AEAD
  [diagram: the packet on the wire carries Header, Nonce and Protected Payload, the Protected Payload being the Ciphertext]

  11. Example: ESP
  P = RestOfPayloadData || TFCpadding || Padding || PadLength || NextHeader
  N = Salt || IV
  A = SPI || SequenceNumber
  ESP = SPI || SequenceNumber || IV || C
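The interface of slides 4–10 and the ESP construction of slide 11, as an added worked example (not code from the slides or from RFC 5116): AEAD_AES_128_GCM is taken from Go's standard library, the nonce is split as a 4-byte Salt and an 8-byte IV as in RFC 4106, and the key and salt are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const espHdrLen, ivLen = 8, 8 // SPI(4) || SequenceNumber(4); IV is 8 bytes

// newGCM instantiates AEAD_AES_128_GCM (RFC 5116 section 5.1: 12-byte nonce, 16-byte tag).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// espProtect builds ESP = SPI || SequenceNumber || IV || C with N = Salt || IV and
// A = SPI || SequenceNumber. The caller must never reuse an iv under the same key.
func espProtect(aead cipher.AEAD, salt []byte, iv uint64, spi, seq uint32, p []byte) []byte {
	hdr := make([]byte, espHdrLen)
	binary.BigEndian.PutUint32(hdr[0:], spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	ivb := make([]byte, ivLen)
	binary.BigEndian.PutUint64(ivb, iv)
	nonce := append(append([]byte{}, salt...), ivb...) // N = Salt || IV
	c := aead.Seal(nil, nonce, p, hdr)                // C carries the 16-byte tag
	return append(append(hdr, ivb...), c...)
}

// espUnprotect splits the packet into A, IV and C, rebuilds N and returns P or a tag error.
func espUnprotect(aead cipher.AEAD, salt, pkt []byte) ([]byte, error) {
	if len(pkt) < espHdrLen+ivLen+aead.Overhead() {
		return nil, fmt.Errorf("esp: packet too short (%d bytes)", len(pkt))
	}
	hdr, ivb, c := pkt[:espHdrLen], pkt[espHdrLen:espHdrLen+ivLen], pkt[espHdrLen+ivLen:]
	nonce := append(append([]byte{}, salt...), ivb...)
	return aead.Open(nil, nonce, c, hdr) // fails closed on any change to A, IV or C
}

func main() {
	key, salt := make([]byte, 16), []byte{1, 2, 3, 4} // constructed demo key and salt
	aead, _ := newGCM(key)
	pkt := espProtect(aead, salt, 1, 0x1000, 1, []byte("inner packet||pad||len||nh"))
	p, err := espUnprotect(aead, salt, pkt)
	fmt.Printf("%x\n%q %v\n", pkt, p, err)
}
```

Flipping any bit of the SPI or SequenceNumber makes `espUnprotect` fail even though those fields are sent in the clear, which is exactly the "only authenticated" property of the associated data.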

  12. AEAD Benefits
  • Interface hides algorithm details from application
  • Application designer relieved of crypto issues
  • Promotes algorithm agility
  • Admits crypto optimizations
  • Simplifies analysis and testing

  13. RFC 5116 Uses
  • ESP
    • Backwards compatible with RFC 4106
  • TLS
    • ecc-new-mac, rsa-aes-gcm
  • IKE
    • draft-black-ikev2-aead-modes
  • SRTP, SSH work underway
  • 802.1AE

  14. AEAD Algorithms
  • AES Galois/Counter Mode (GCM)
  • AES Counter & CBC-MAC (CCM)
    • AEAD_AES_128_CCM_SHORT
  • AES Synthetic IV (SIV)
    • draft-harkins-tls-rsa-aes-siv-00
  • AES CBC, HMAC-SHA1
    • draft-mcgrew-aead-aes-cbc-hmac-sha-00

  15. Issues & Future Work
  • Nonces aren’t user friendly
    • Security and usability
  • No nonceless algorithms in registry yet

  16. Acknowledgements
  • Thanks are due to: Hal Finney, Greg Rose, Russ Housley, Alfred Hines, John Wilkinson, Jack Lloyd, Scott Fluhrer, David Wagner, Ken Raeburn, Wei Dai, Aaron Christensen, Phil Rogaway, and Dan Harkins
  • IRTF CFRG participants
