
RSA-AES-SIV TLS Ciphersuites

This proposal introduces four new ciphersuites for TLS, using the SIV mode of authenticated encryption with RSA and Diffie-Hellman key exchange. SIV is resistant to nonce misuse and is suitable for applications where nonce management is outside the cryptographic engine.



  1. RSA-AES-SIV TLS Ciphersuites
     Dan Harkins

  2. RSA-AES-SIV Ciphersuites
     • What is being proposed?
       • New ciphersuites for TLS using the SIV mode of authenticated encryption.
       • RSA key exchange and Diffie-Hellman key exchange, both with RSA authentication and SIV, using two different key sizes, giving four new ciphersuites.
       • Draft modeled closely on draft-ietf-tls-rsa-aes-gcm but minus some of the verbiage on nonce management.

  3. RSA-AES-SIV Ciphersuites
     • Why is it being proposed?
       • Unlike other authenticated encryption modes, SIV is resistant to nonce misuse.
       • Uniquely suited when nonce management is outside the cryptographic engine, e.g. when applications receive TLS services via an API to a library.
       • For control-plane (versus data-plane) applications where a two-pass mode is not onerous and where resistance to unintentional programming errors, misconfiguration, and intentional misuse is needed, e.g. CAPWAP’s control channel.

  4. What is SIV?
     • An Authenticated Encryption with Associated Data (AEAD) cipher mode.
     • Uses AES in CTR mode and CMAC mode.
     • The PRF construction takes a vector of associated data (plus the plaintext); one component of that vector is the nonce.
     • If a nonce is reused, authenticity is retained and confidentiality is affected only to the extent that an adversary learns that the same plaintext was encrypted twice under the same nonce and key.
     • Provable security!

  5. [Diagram: SIV Encrypt and SIV Decrypt. Inputs are the associated data AD1 … ADn and the plaintext P. Encrypt: S2V-CMAC over the whole vector produces IV, and CTR under IV turns P into the ciphertext C. Decrypt: CTR under the received IV recovers P, S2V-CMAC is recomputed to give IV', and the result is FAIL if IV' != IV.] From “Deterministic Authenticated Encryption” by Phil Rogaway and Thomas Shrimpton.
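The construction in slides 4 and 5, as an added worked example that is not part of the presentation or of the linked OpenSSL patch: AES-SIV as published in RFC 5297 (the RFC form of draft-dharkins-siv-aes), with S2V built from AES-CMAC and the encryption layer from AES-CTR. It assumes the Python `cryptography` package is installed and takes AES-CMAC and AES-CTR from it; the decrypt side recomputes the IV and rejects a mismatch, which is the IV' != IV check in the diagram.

```python
# Added example, not the slides' or OpenSSL-patch code: AES-SIV (RFC 5297) on top of the `cryptography` package.
import hmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.cmac import CMAC

def _cmac(key, msg):
    c = CMAC(algorithms.AES(key))
    c.update(msg)
    return c.finalize()

def _dbl(block):  # multiply by x in GF(2^128), RFC 5297 section 2.3
    n = int.from_bytes(block, "big") << 1
    return ((n ^ 0x87) & ((1 << 128) - 1) if n >> 128 else n).to_bytes(16, "big")

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def s2v(key, strings):
    """S2V-CMAC: one PRF over the whole vector (AD strings first, plaintext last)."""
    d = _cmac(key, bytes(16))
    for s in strings[:-1]:
        d = _xor(_dbl(d), _cmac(key, s))
    last = strings[-1]
    if len(last) >= 16:  # xorend: fold D into the final 16 bytes of the plaintext
        t = last[:-16] + _xor(last[-16:], d)
    else:                # short plaintext: pad with 0x80 00.. and xor with dbl(D)
        t = _xor(_dbl(d), last + b"\x80" + bytes(15 - len(last)))
    return _cmac(key, t)

def _ctr(key, v, data):
    q = bytearray(v); q[8] &= 0x7F; q[12] &= 0x7F  # clear bits 31 and 63 of the counter
    enc = Cipher(algorithms.AES(key), modes.CTR(bytes(q))).encryptor()
    return enc.update(data) + enc.finalize()

def siv_encrypt(key, ad, pt):
    """Return V || C: V = S2V(K1, AD..., P) is both the tag and the CTR IV."""
    k1, k2 = key[:len(key) // 2], key[len(key) // 2:]
    v = s2v(k1, list(ad) + [pt])
    return v + _ctr(k2, v, pt)

def siv_decrypt(key, ad, ct):
    """Decrypt under the received V, recompute S2V, and fail if IV' != IV."""
    k1, k2 = key[:len(key) // 2], key[len(key) // 2:]
    v, body = ct[:16], ct[16:]
    if len(v) != 16:
        raise ValueError("ciphertext shorter than the 16-byte SIV")
    pt = _ctr(k2, v, body)
    if not hmac.compare_digest(s2v(k1, list(ad) + [pt]), v):
        raise ValueError("SIV authentication failed")
    return pt
```

Because V is a PRF of the entire vector, encrypting the same (key, AD, plaintext) twice yields byte-identical output and nothing else is revealed on nonce reuse; any change to the ciphertext or the associated data makes the recomputed V differ and decryption fails.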

  6. Free Code!
     • http://www.lounge.org/siv_for_openssl.tgz
       % cd openssl-x-y-z
       % tar xzvf siv_for_openssl.tgz
       crypto/aes/Makefile
       crypto/aes/aes_siv.c
       crypto/aes/siv.h
       % make clean; make

  7. References
     • “Deterministic Authenticated Encryption: A Provable-Security Treatment of the Key-Wrap Problem”, Phil Rogaway and Thomas Shrimpton, Advances in Cryptology, EUROCRYPT ’06.
     • draft-harkins-tls-rsa-siv-00.txt
     • draft-dharkins-siv-aes-01.txt
     • draft-ietf-tls-rsa-aes-gcm-00.txt
