Mcgrew@cisco com
This presentation is the property of its rightful owner.
Sponsored Links
1 / 28

[email protected] PowerPoint PPT Presentation


  • 108 Views
  • Uploaded on
  • Presentation posted in: General

Authenticated Encryption with Replay prOtection (AERO). [email protected] AERO. Authenticated Encryption algorithm Stateful and self-synchronizing Easy to use Robust against nonce misuse and decryption misuse Saves bandwidth No nonce, no sequence number

Download Presentation

[email protected]

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Mcgrew@cisco com

  • Authenticated Encryption with Replay prOtection (AERO)

[email protected]


Mcgrew cisco com

AERO

  • Authenticated Encryption algorithm

  • Stateful and self-synchronizing

  • Easy to use

  • Robust against nonce misuse and decryption misuse

  • Saves bandwidth

    • No nonce, no sequence number

  • New standards contributions and research


Communication security goals

Communication Security Goals

  • Unreliable transport

    • Message loss

    • Message reorder

  • Multiple senders, multiple receivers

  • Adaptive chosen plaintext, chosen ciphertext attacks

    • Security against forgery

    • Plaintext indistinguishable from random


Conventional encryption authentication

Conventional Encryption + Authentication

Message

Sequence

Number

AES-CBC Encryption

Header

SEQ

IV

Ciphertext

Tag

HMAC


Conventional a e with extended seq

Conventional A+E with Extended SEQ

Message

AES-CBC Encryption

SEQ

HI

SEQ

LO

Header

SEQ

IV

Ciphertext

Tag

HMAC


Conventional decryption

Conventional Decryption

Header

SEQ

IV

Ciphertext

Tag

HMAC

Sequence

Number

Check

AES-CBC Decryption

SEQ

HI

Message


Authenticated encryption with associated data aead

Authenticated Encryption with Associated Data (AEAD)

Message

SEQ

HI

SEQ

LO

AES-GCM Encryption

Header

SEQ

IV

Ciphertext

Tag


Authenticated encryption with associated data aead1

Authenticated Encryption with Associated Data (AEAD)

Message

SEQ

HI

SEQ

LO

AES-GCM Encryption

Header

SEQ

IV

Ciphertext

Tag

Bandwidth: SEQ, IV, Tag


Authenticated encryption with associated data aead2

Authenticated Encryption with Associated Data (AEAD)

Message

SEQ

HI

SEQ

LO

Multiple receivers awkward

AES-GCM Encryption

Header

SEQ

IV

Ciphertext

Tag

Bandwidth: SEQ, IV, Tag


Authenticated encryption with associated data aead3

Authenticated Encryption with Associated Data (AEAD)

Message

SEQ

HI

SEQ

LO

Multiple receivers awkward

AES-GCM Encryption

Header

SEQ

IV

Ciphertext

Tag

IV hard to manage

Multiple senders

INSECURE if mismanaged

Bandwidth: SEQ, IV, Tag


Authenticated encryption with associated data aead4

Authenticated Encryption with Associated Data (AEAD)

Message

SEQ

HI

SEQ

LO

Multiple receivers awkward

AES-GCM Encryption

Header

SEQ

IV

Ciphertext

Tag

IV hard to manage

Multiple senders

INSECURE if mismanaged

Bandwidth: SEQ, IV, Tag

Complex to use


Authenticated encryption with associated data aead5

Authenticated Encryption with Associated Data (AEAD)

Message

SEQ

HI

SEQ

LO

Multiple receivers awkward

AES-GCM Encryption

Header

SEQ

IV

Ciphertext

Tag

IV hard to manage

Multiple senders

INSECURE if mismanaged

Bandwidth: SEQ, IV, Tag

Complex to use

Decryption Misuse


Mcgrew cisco com

AERO

Message

Multiple receivers easy

AERO Encryption

Header

Ciphertext

No IV to manage

Multiple senders

Secure if misused

Minimal overhead

Easy to use

Robust against

decryption misuse


Aero encryption

AERO Encryption

Header

Plaintext

Sequence Number

||

Wide Pseudo Random Permutation (WPRP) Encryption

Ciphertext


Wide pseudo random permutation wprp

Wide Pseudo Random Permutation (WPRP)

562a666ab08dae419b3

WPRP Encryption

0818a309a064f40a9b2


Wide pseudo random permutation wprp1

Wide Pseudo Random Permutation (WPRP)

562a666ab08dae419b3

562a666ab18dae419bf

WPRP Encryption

WPRP Encryption

0818a309a064f40a9b2

e295e324f8a7181ad927


Wide pseudo random permutation wprp2

Wide Pseudo Random Permutation (WPRP)

562a666ab08dae419b3

562a666ab18dae419bf

WPRP Decryption

WPRP Decryption

0818a309a064f40a9b2

e295e324f8a7181ad927

AES Extended Codebook (XCB) Mode of Operation


Aero decryption

AERO Decryption

Header

Ciphertext

Wide Pseudo Random Permutation (WPRP) Decryption

Candidate

SeqNum

Plaintext

||

s, r

Return Plaintext,

Update s

Return FAIL

Check

FAIL

Plaintext

(or)


Candidate sequence number checking

Candidate Sequence Number Checking

CSN

0

s

r

2t-1

Largest sequence number accepted so far

Last rejected candidate sequence number


Likely next candidates

Likely next candidates

s+1

s+2

CSN

0

s

r

2t-1

Largest sequence number accepted so far

Last rejected candidate sequence number


Candidate sequence number checking1

Candidate Sequence Number Checking

w

w

v

CSN

0

s

r

2t-1

Largest sequence number accepted so far

Last rejected candidate sequence number


Re synchronization

(Re)synchronization

Actual

Sequence Number

CSN

0

s

r

2t-1

Largest sequence number accepted so far

Last rejected candidate sequence number


Re synchronization1

(Re)synchronization

Actual

Sequence Number

Actual

Sequence

Number +1

CSN

0

s

r

2t-1

Largest sequence number accepted so far

Last rejected candidate sequence number


Candidate sequence number checking2

Candidate Sequence Number Checking

set r to s

reject

reject

w

w

v

CSN

0

s

r

2t-1

update s

update bitmask

accept

set s

accept

check bitmask

accept


Security of authentication

Security of Authentication

2w+v ~ 72 out of 2t accepted

CSN

0

s

r

2t-1

2-t+7

~

Probability of successful forgery =

72

2t


Ipsec

IPSec

no misuse resistance

ESP AES-GCM, AES-CCM, or AES-CTR plus HMAC-SHA1

24+ bytes overhead per packet

length of plaintext + pad

12 bytes

8 bytes

4bytes

4bytes

SPI

SEQ

IV

Tag

Ciphertext

misuse resistance

ESP AERO

12 bytes overhead per packet

plaintext length + 12 bytes

4bytes

SPI

Ciphertext


Performance

Performance

  • WPRP CPB ~ 1.5 x GCM CPB

  • Inefficient on long messages

    • Higher latency

    • Larger memory requirements

    • … but this is true of all AEAD methods …

  • More efficient on short messages

    • Short frames (about 100 bytes for 802.15)

    • Four bytes less overhead means:

    • ~ 4% less power used in transmission

    • ~ 4% less power used in reception

    • ~ 4% lower probability that retransmission is needed


Status

Status

  • Research

    • Formalization of security models and goals

    • WPRP encryption alternatives

  • IETF

    • draft-mcgrew-aero-00.txt

    • draft-mcgrew-srtp-aero-01.txt

    • draft-mcgrew-dtls-aero-00.txt

  • CAESAR

    • Does not work with conventional AEAD API


  • Login