1 / 0

mcgrew@cisco.com

Authenticated Encryption with Replay prOtection (AERO). mcgrew@cisco.com. AERO. Authenticated Encryption algorithm Stateful and self-synchronizing Easy to use Robust against nonce misuse and decryption misuse Saves bandwidth No nonce, no sequence number

talia
Download Presentation

mcgrew@cisco.com

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Authenticated Encryption with Replay prOtection (AERO) mcgrew@cisco.com
  2. AERO Authenticated Encryption algorithm Stateful and self-synchronizing Easy to use Robust against nonce misuse and decryption misuse Saves bandwidth No nonce, no sequence number New standards contributions and research
  3. Communication Security Goals Unreliable transport Message loss Message reorder Multiple senders, multiple receivers Adaptive chosen plaintext, chosen ciphertext attacks Security against forgery Plaintext indistinguishable from random
  4. Conventional Encryption + Authentication Message Sequence Number AES-CBC Encryption Header SEQ IV Ciphertext Tag HMAC
  5. Conventional A+E with Extended SEQ Message AES-CBC Encryption SEQ HI SEQ LO Header SEQ IV Ciphertext Tag HMAC
  6. Conventional Decryption Header SEQ IV Ciphertext Tag HMAC Sequence Number Check AES-CBC Decryption SEQ HI Message
  7. Authenticated Encryption with Associated Data (AEAD) Message SEQ HI SEQ LO AES-GCM Encryption Header SEQ IV Ciphertext Tag
  8. Authenticated Encryption with Associated Data (AEAD) Message SEQ HI SEQ LO AES-GCM Encryption Header SEQ IV Ciphertext Tag Bandwidth: SEQ, IV, Tag
  9. Authenticated Encryption with Associated Data (AEAD) Message SEQ HI SEQ LO Multiple receivers awkward AES-GCM Encryption Header SEQ IV Ciphertext Tag Bandwidth: SEQ, IV, Tag
  10. Authenticated Encryption with Associated Data (AEAD) Message SEQ HI SEQ LO Multiple receivers awkward AES-GCM Encryption Header SEQ IV Ciphertext Tag IV hard to manage Multiple senders INSECURE if mismanaged Bandwidth: SEQ, IV, Tag
  11. Authenticated Encryption with Associated Data (AEAD) Message SEQ HI SEQ LO Multiple receivers awkward AES-GCM Encryption Header SEQ IV Ciphertext Tag IV hard to manage Multiple senders INSECURE if mismanaged Bandwidth: SEQ, IV, Tag Complex to use
  12. Authenticated Encryption with Associated Data (AEAD) Message SEQ HI SEQ LO Multiple receivers awkward AES-GCM Encryption Header SEQ IV Ciphertext Tag IV hard to manage Multiple senders INSECURE if mismanaged Bandwidth: SEQ, IV, Tag Complex to use Decryption Misuse
  13. AERO Message Multiple receivers easy AERO Encryption Header Ciphertext No IV to manage Multiple senders Secure if misused Minimal overhead Easy to use Robust against decryption misuse
  14. AERO Encryption Header Plaintext Sequence Number || Wide Pseudo Random Permutation (WPRP) Encryption Ciphertext
  15. Wide Pseudo Random Permutation (WPRP) 562a666ab08dae419b3 WPRP Encryption 0818a309a064f40a9b2
  16. Wide Pseudo Random Permutation (WPRP) 562a666ab08dae419b3 562a666ab18dae419bf WPRP Encryption WPRP Encryption 0818a309a064f40a9b2 e295e324f8a7181ad927
  17. Wide Pseudo Random Permutation (WPRP) 562a666ab08dae419b3 562a666ab18dae419bf WPRP Decryption WPRP Decryption 0818a309a064f40a9b2 e295e324f8a7181ad927 AES Extended Codebook (XCB) Mode of Operation
  18. AERO Decryption Header Ciphertext Wide Pseudo Random Permutation (WPRP) Decryption Candidate SeqNum Plaintext || s, r Return Plaintext, Update s Return FAIL Check FAIL Plaintext (or)
  19. Candidate Sequence Number Checking CSN 0 s r 2t-1 Largest sequence number accepted so far Last rejected candidate sequence number
  20. Likely next candidates s+1 s+2 CSN 0 s r 2t-1 Largest sequence number accepted so far Last rejected candidate sequence number
  21. Candidate Sequence Number Checking w w v CSN 0 s r 2t-1 Largest sequence number accepted so far Last rejected candidate sequence number
  22. (Re)synchronization Actual Sequence Number CSN 0 s r 2t-1 Largest sequence number accepted so far Last rejected candidate sequence number
  23. (Re)synchronization Actual Sequence Number Actual Sequence Number +1 CSN 0 s r 2t-1 Largest sequence number accepted so far Last rejected candidate sequence number
  24. Candidate Sequence Number Checking set r to s reject reject w w v CSN 0 s r 2t-1 update s update bitmask accept set s accept check bitmask accept
  25. Security of Authentication 2w+v ~ 72 out of 2t accepted CSN 0 s r 2t-1 2-t+7 ~ Probability of successful forgery = 72 2t
  26. IPSec no misuse resistance ESP AES-GCM, AES-CCM, or AES-CTR plus HMAC-SHA1 24+ bytes overhead per packet length of plaintext + pad 12 bytes 8 bytes 4bytes 4bytes SPI SEQ IV Tag Ciphertext misuse resistance ESP AERO 12 bytes overhead per packet plaintext length + 12 bytes 4bytes SPI Ciphertext
  27. Performance WPRP CPB ~ 1.5 x GCM CPB Inefficient on long messages Higher latency Larger memory requirements … but this is true of all AEAD methods … More efficient on short messages Short frames (about 100 bytes for 802.15) Four bytes less overhead means: ~ 4% less power used in transmission ~ 4% less power used in reception ~ 4% lower probability that retransmission is needed
  28. Status Research Formalization of security models and goals WPRP encryption alternatives IETF draft-mcgrew-aero-00.txt draft-mcgrew-srtp-aero-01.txt draft-mcgrew-dtls-aero-00.txt CAESAR Does not work with conventional AEAD API
More Related