Why Use SIV for 11ai?

Authors: Dan Harkins, Aruba Networks

  • Date: 2012-10-30

Abstract
  • This presentation suggests the best solution to a problem that TGai has


What’s the Problem that Needs Solving?
  • The Association Request/Response is used for key confirmation: to prove possession of the key that results from exchanging Authentication frames
  • Some parts need authentication and encryption
    • KDEs containing keys
    • Potentially DHCP
  • Some parts need authentication but no encryption
    • The session IE
    • Other stuff?
  • What we need to do this is authenticated encryption that also takes additional associated data: an AEAD mode


AEAD Cipher Modes
  • There are quite a few AEAD modes that encrypt and authenticate a plaintext and authenticate associated data
    • GCM, CCM, SIV, CWC, OCB, …
  • Similar interface:
    • Input: key, plaintext, nonce/IV/counter, AAD
    • Output: ciphertext (including a MIC/tag)
  • Key is used to encrypt and authenticate the plaintext and AAD.
  • The nonce/IV/counter is to make the mode probabilistic and is critical for security (for all but one mode)


Nonce Construction for AEAD Schemes
  • Nonce must be unique for all calls to encryption API, otherwise (according to RFC 5116, for GCM):
    • a loss of confidentiality ensues because an attacker can reconstruct the bitwise exclusive-or of the two plaintext values
    • a loss of integrity ensues because the attacker will be able to recover the internal hash key used to provide data integrity
  • A loss of confidentiality and integrity for a scheme that is supposed to provide confidentiality and integrity means its security is completely voided!
  • Nonce hygiene must be strictly enforced! Unless…
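As an added illustration of the RFC 5116 warning above (this is not part of the original deck), the Go program below uses only the standard library and constructed demo keys and nonces to check whether two AES-GCM ciphertext bodies produced under one key and one nonce XOR to the XOR of their plaintexts, which is exactly the confidentiality failure the slide quotes. The function names, key and nonce values are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// gcmSeal encrypts pt with AES-GCM under key and nonce (no AAD); the output
// is ciphertext || 16-byte tag.
func gcmSeal(key, nonce, pt []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, pt, nil)
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// keystreamCancels reports whether the two ciphertext bodies XOR to the XOR of
// the plaintexts. With one key and one nonce GCM's CTR keystream is the same for
// both messages, so the keystream cancels and the answer is true: the RFC 5116
// loss of confidentiality. With distinct nonces the answer is false.
func keystreamCancels(key, nonce1, nonce2, p1, p2 []byte) bool {
	c1 := gcmSeal(key, nonce1, p1)[:len(p1)]
	c2 := gcmSeal(key, nonce2, p2)[:len(p2)]
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key (AES-128)
	p1, p2 := []byte("KDE: GTK=..."), []byte("KDE: IGTK=...")
	same, fresh := []byte("nonce-000000"), []byte("nonce-000001")
	fmt.Println(keystreamCancels(key, same, same, p1, p2))  // true
	fmt.Println(keystreamCancels(key, same, fresh, p1, p2)) // false
}
```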


Misuse-Resistant AEAD
  • SIV does not require a nonce and does not lose all security if one is used and it is repeated
  • If two identical messages, and identical AAD, get enciphered using the same key (and same nonce) then:
    • No loss of integrity
    • Loss of privacy in the sense that adversary knows two identical messages (with identical AAD) were protected with the same key
  • Using SIV means we don’t need to worry about the nonce!
    • It does not need to be passed in the message
    • It does not need to be reconstructed on both sides
    • It does not need to be managed to ensure uniqueness
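Added example, not code from the deck or from RFC 5297: a minimal SIV-style deterministic AEAD in Go that shows the properties listed above. It substitutes HMAC-SHA256 for RFC 5297's S2V/CMAC as the PRF that synthesizes the IV/tag from the AAD and plaintext, and encrypts with AES-CTR under a separate key; the function names and the keys are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// synthIV: HMAC-SHA256 over len(aad)||aad||pt, cut to one AES block. This is a
// stand-in for RFC 5297's S2V/CMAC; as in SIV, the output is both tag and CTR IV.
func synthIV(macKey, aad, pt []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	binary.Write(h, binary.BigEndian, uint64(len(aad))) // keeps aad/pt boundary unambiguous
	h.Write(aad)
	h.Write(pt)
	return h.Sum(nil)[:16]
}

// ctrXOR applies the AES-CTR keystream for encKey/iv to in (encrypt == decrypt).
func ctrXOR(encKey, iv, in []byte) []byte {
	blk, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(blk, iv).XORKeyStream(out, in)
	return out
}

// sivSeal returns iv||ciphertext. There is no nonce input: the IV is a function
// of key, AAD and plaintext, so a repeated input only reveals that it repeated.
func sivSeal(macKey, encKey, aad, pt []byte) []byte {
	iv := synthIV(macKey, aad, pt)
	return append(iv, ctrXOR(encKey, iv, pt)...)
}

// sivOpen decrypts, recomputes the IV over (aad, plaintext) and rejects mismatches,
// so a changed AAD or ciphertext fails authentication rather than decrypting.
func sivOpen(macKey, encKey, aad, msg []byte) ([]byte, error) {
	if len(msg) < 16 {
		return nil, errors.New("message too short")
	}
	pt := ctrXOR(encKey, msg[:16], msg[16:])
	if !hmac.Equal(msg[:16], synthIV(macKey, aad, pt)) {
		return nil, errors.New("authentication failed")
	}
	return pt, nil
}
```

Sealing the same (AAD, plaintext) twice under the same keys yields byte-identical output, which is the only thing an observer learns; any other input produces an unrelated IV and keystream.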


Opposition to Using SIV?
  • It’s not a NIST-approved mode of operation. True but…
    • NIST does not approve modes prior to use
      • GCM was proposed for use by IPsec before NIST approved it
      • CCM was proposed for use by 802.11 before NIST approved it
    • When did prior NIST approval become a requirement? Never.
    • SIV is a secure composition of two NIST-approved modes: CTR and CMAC!
  • It’s not as efficient as GCM. True but…
    • Very few encryptions are performed, so the efficiency advantage is negligible
    • The small gain in efficiency must be weighed against the increased cost of nonce maintenance and hygiene
    • Easiest way to manage nonce uniqueness (random bit string) would make GCM less efficient


A Misunderstanding about Proposal
  • Not proposing to protect the whole Association frame!
  • Not doing 11w-style management frame protection!

[Figure: frame layout after Figure 11-16 of 802.11-2012, annotated as if the whole frame were protected: MAC Header | SIV Header | Data (PDU) | MIC | FCS, with an "authenticated (some fields masked to zero)" span over the header and an "encrypted" span over the data, marked "NO!!!"]

Apologies to Figure 11-16 from 802.11-2012


A Misunderstanding about Proposal
  • Just want to protect the sequence of IEs in the data
  • Does not require hardware changes!
    • SIV is NOT intended for the radio chipset
    • We don’t want to plumb an unconfirmed key to hardware anyway
  • Software solution by same module that does 1x/EAP/FILS

[Figure: MAC Header | sequence of IEs and fields defining the Association frame | FCS, with the "authenticated" and "encrypted" spans covering only the IE sequence]


Why Use SIV for 802.11ai?
  • It has properties that are very attractive
    • Provably secure
    • Can’t talk about patents but it does not have the cost impact to an implementation that other schemes have
    • Robust and misuse resistant
  • It’s the right tool for the right job
    • Performs authenticated encryption with associated data
    • No need to worry about what we don’t have to worry about
  • It’s already defined for use in 802.11
  • Standardized in RFC 5297


References
  • Rogaway, P. and T. Shrimpton, “Deterministic Authenticated Encryption, A Provable-Security Treatment of the Key-Wrap Problem”, Advances in Cryptology, EUROCRYPT '06, St. Petersburg, Russia, 2006.
  • McGrew, D., “An Interface and Algorithms for Authenticated Encryption”, RFC 5116, January 2008.
  • Harkins, D., “Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)”, RFC 5297, October 2008.
