Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [AES Mode Discussion] Date Submitted: [12 May, 2002] Source: [Rene Struik] Company [Certicom Corp.] Address [5520 Explorer Drive, 4th Floor, Mississauga, ON Canada L4W 5L1]
Presentation Transcript
slide1

Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)

Submission Title: [AES Mode Discussion]

Date Submitted: [12 May, 2002]

Source: [Rene Struik] Company [Certicom Corp.]

Address [5520 Explorer Drive, 4th Floor, Mississauga, ON Canada L4W 5L1]

Voice:[+1 (905) 501-6083], FAX: [+1 (905) 507-4230], E-Mail:[rstruik@certicom.com]

Re: []

Abstract: [This document discusses trade-offs between different block-cipher modes of operation and their suitability within the IEEE 802.15.3 High-Rate WPAN context.]

Purpose: [Highlight trade-offs that govern the choice of symmetric algorithms for the IEEE 802.15.3 WPAN.]

Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15.

Rene Struik, Certicom Corp.

slide2

AES-Mode of Operation (and MAC-function) Discussion for IEEE 802.15.3 WPANs

René Struik, Certicom Research


slide3

Outline:

  • Block Cipher Modes of Operation:
  • - Cipher-Block Chaining (CBC Mode);
  • - Counter Mode (CTR Mode).
  • Message Authentication Codes:
  • - Based on Block Ciphers: CBC-MAC;
  • - Based on Un-Keyed Hash Functions: HMAC.
  • Implementation Issues:
  • - Hardware vs. software implementation;
  • - Computational efficiency considerations.


slide4

Block-Cipher Modes of Operation: CBC Mode (1)

[Figure: two block diagrams. Encryption: x1, x2, x3, …, xm-1, xm are each XORed with the previous ciphertext block (c0 := IV) and passed through EK, giving c1, c2, c3, …, cm-1, cm. Decryption: c1, …, cm are passed through DK and XORed with the previous ciphertext block (c0 := IV), giving x1, …, xm.]

Encryption algorithm:

cj := EK(xj ⊕ cj-1) for all j > 0;

c0 := IV.

Decryption algorithm:

xj := DK(cj) ⊕ cj-1 for all j > 0;

c0 := IV.


slide5

Block-Cipher Modes of Operation: CBC Mode (2)

  • Security requirement:
  • - IV should be unpredictable to an attacker who can choose plaintexts, and should never repeat under the same key.
  • Encryption computation:
  • - No parallelization of computation possible (each block depends on the previous ciphertext block);
  • - Access to plaintext required for computation;
  • - Access to IV needed for computation.
  • Decryption computation:
  • - Full parallelization of computation possible (xj depends only on cj and cj-1);
  • - Access to ciphertext required for computation;
  • - Access to IV needed for computation.
  • Message size:
  • - Plaintext expansion might be needed
  • (size must be a multiple of the encryption block length).
  • Implementation:
  • - Both encryption function EK and decryption
  • function DK need to be implemented.

Encryption algorithm:

cj := EK(xj ⊕ cj-1) for all j > 0;

c0 := IV.

Decryption algorithm:

xj := DK(cj) ⊕ cj-1 for all j > 0;

c0 := IV.


slide6

Block-Cipher Modes of Operation: CBC Mode (3)

  • Example: Use of CBC-mode of operation in IEEE 802.15.3 High-Rate WPAN.
  • Block-cipher: AES-128 {block-cipher length: 128 bits}.
  • IV = EK(IdA || Nonce || j), where
      • IdA: identifier of sender (64-bit field, right-adjusted);
      • Nonce: inter-frame sequence number (48-bit field, right-adjusted);
      • j: intra-frame sequence number (16-bit field, right-adjusted).
  • Motivation:
  • IV is obtained via encryption, to ensure its unpredictability for outsiders;
  • IdA is included to ensure logical separation between senders who have the same key
  • (no re-use of the same IV value between different senders; no synchronization required);
  • Nonce and j are included to ensure no re-use of the same IV between different data
  • frames (via increment of the Nonce value) and within data blocks in a frame (via increment of the j value).
  • Combinatorial freedom:
  • Maximum size of data frame = max. #blocks × encryption block size = 2^16 × 2^7 bits = 2^23 bits = 1 MByte;
  • Maximum #data frames = max. #Nonce values = 2^48 data frames
  • (at 1 Gbps data rate, exhaustion after roughly 1 year, if all data frames consist of only 1 block).
  • NB: current max. frame length: 2^14 bits = 2 kbytes; at 55 Mbps data rate, exhaustion after >20 yrs.


slide7

Block-Cipher Modes of Operation: CTR Mode (1)

[Figure: two block diagrams. Encryption: counters t1, t2, t3, …, tm-1, tm are each passed through EK and the outputs XORed with x1, x2, x3, …, xm-1, xm to give c1, …, cm. Decryption: the same counters are passed through EK and the outputs XORed with c1, …, cm to give x1, …, xm.]

Encryption algorithm:

cj := EK(tj) ⊕ xj for all j > 0.

Decryption algorithm:

xj := EK(tj) ⊕ cj for all j > 0.

(Decryption uses EK, not DK: both sides regenerate the same keystream block EK(tj), so the block-cipher decryption function is never invoked.)


slide8

Block-Cipher Modes of Operation: CTR Mode (2)

  • Security requirement:
  • - Counters t1, t2, t3, … shall all be distinct over the
  • lifetime of key K (a repeated counter reveals the XOR of the two plaintext blocks encrypted under it).
  • Encryption computation:
  • - Full parallelization of computation possible;
  • - No access to plaintext required for computation (the keystream EK(tj) can be precomputed);
  • - Access to t1, t2, t3, … needed for computation.
  • Decryption computation:
  • - Full parallelization of computation possible;
  • - No access to ciphertext required for computation (the keystream can be precomputed);
  • - Access to t1, t2, t3, … needed for computation.
  • Message size:
  • - No plaintext expansion needed!
  • (ciphertext can be truncated to plaintext length).
  • Implementation:
  • - Only encryption function EK needs to be
  • implemented.

Encryption algorithm:

cj := EK(tj) ⊕ xj for all j > 0.

Decryption algorithm:

xj := EK(tj) ⊕ cj for all j > 0.


slide9

Block-Cipher Modes of Operation: CTR Mode (3)

  • Example: Use of CTR-mode of operation in IEEE 802.15.3 High-Rate WPAN.
  • Block-cipher: AES-128 {block-cipher length: 128 bits}.
  • Counter value = (IdA || Nonce || j), where
      • IdA: identifier of sender (64-bit field, right-adjusted);
      • Nonce: inter-frame sequence number (48-bit field, right-adjusted);
      • j: intra-frame sequence number (16-bit field, right-adjusted).
  • Motivation:
  • IdA is included to ensure logical separation between senders who have the same key
  • (no re-use of the same counter value between different senders; no synchronization required);
  • Nonce and j are included to ensure no re-use of the same counter between different data
  • frames (via increment of the Nonce value) and within blocks in a frame (via increment of the j value).
  • Combinatorial freedom:
  • Maximum size of data frame = max. #blocks × encryption block size = 2^16 × 2^7 bits = 2^23 bits = 1 MByte;
  • Maximum #data frames = max. #Nonce values = 2^48 data frames
  • (at 1 Gbps data rate, exhaustion after roughly 1 year, if all data frames consist of only 1 block).
  • NB: current max. frame length: 2^14 bits = 2 kbytes; at 55 Mbps data rate, exhaustion after >20 yrs.


slide10

MACs Based on Block-Ciphers: CBC-MAC (1)

[Figure: two block diagrams. CBC-MAC: IV := 0; x1, x2, x3, …, xm-1, xm are chained through EK (each XORed with the previous output), and the final output cm is the MAC. Strengthened CBC-MAC: the same chain, with cm passed through DK' and then EK to give the MAC.]

CBC-MAC algorithm:

cj := EK(xj ⊕ cj-1) for j = 1, …, m;

c0 := IV := 0;

MAC := cm.

Strengthened CBC-MAC algorithm:

cj := EK(xj ⊕ cj-1) for j = 1, …, m;

c0 := IV := 0;

MAC := EK(DK'(cm)).

(Bellare, Kilian, Rogaway)


slide11

MACs Based on Block-Ciphers: CBC-MAC (2)

  • Security requirement:
  • - Keys K and K' should be independent;
  • {This prevents chosen-text existential forgery attacks on variable-length messages: with plain CBC-MAC, from MAC(x1) and MAC(x2) an outsider obtains a valid tag for x1 || (x2 ⊕ MAC(x1)) without knowing the key.}
  • - If K = K', then
  • Strengthened CBC-MAC = CBC-MAC (since EK(DK(cm)) = cm).
  • (Strengthened) CBC-MAC computation:
  • - No parallelization of computation possible;
  • - Management of two keys, K and K', required.
  • Data integrity field size:
  • - MAC value has size equal to the encryption block length
  • (truncated outputs possible, in exchange for reduced security level).
  • Implementation:
  • - Both encryption function EK and decryption function DK'
  • need to be implemented.
  • Standard: FIPS Pub 113 for DES; unknown whether continued for AES-128.

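The following is an added example and not code from the submission or from Certicom: it implements, over one 128-bit block-cipher interface, the constructions compared on slides 4 to 11, namely CBC mode with IV := EK(IdA || Nonce || j), CTR mode with counter := IdA || Nonce || j (the 64/48/16-bit field layout from slides 6 and 9), plain CBC-MAC, the strengthened EK(DK'(cm)) variant, and the splice forgery that plain CBC-MAC admits once messages vary in length. The block cipher is real AES-128 when PyCryptodome is installed; when it is not, a four-round Luby-Rackoff Feistel network keyed through HMAC-SHA-256 stands in, which is an assumption of this example (a demonstration-only permutation chosen so the mode logic runs offline) and not anything the slides propose. The IdA and Nonce values used are constructed samples, not 802.15.3 identifiers.

```python
"""
Added example, not part of the original submission: the modes and MACs the
slides compare, over one 128-bit block-cipher interface.
  - CBC mode (slides 4-6) with IV := E_K(IdA || Nonce || j);
  - CTR mode (slides 7-9) with counter := IdA || Nonce || j;
  - CBC-MAC and strengthened E_K(D_K'(c_m)) (slides 10-11) plus the splice
    forgery that plain CBC-MAC admits on variable-length messages.
AES-128 from PyCryptodome is used when installed; otherwise a 4-round
Luby-Rackoff Feistel network keyed via HMAC-SHA-256 stands in (assumption:
demonstration-only PRP so the mode logic runs offline). IdA/Nonce values
used by callers are constructed samples, not 802.15.3 identifiers.
"""
import hashlib
import hmac

BLOCK = 16  # 128-bit block, as for AES-128


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


class BlockCipher:
    """E_K / D_K pair on 16-byte blocks."""

    def __init__(self, key: bytes):
        assert len(key) == 16
        try:
            from Crypto.Cipher import AES  # PyCryptodome, if present
            self._aes = AES.new(key, AES.MODE_ECB)
        except ImportError:
            self._aes = None  # fall back to the Feistel stand-in (assumption)
            self._rk = [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(4)]

    def _f(self, i: int, half: bytes) -> bytes:  # Feistel round function (PRF)
        return hmac.new(self._rk[i], half, hashlib.sha256).digest()[:8]

    def enc(self, x: bytes) -> bytes:
        if self._aes is not None:
            return self._aes.encrypt(x)
        L, R = x[:8], x[8:]
        for i in range(4):
            L, R = R, xor(L, self._f(i, R))
        return L + R

    def dec(self, y: bytes) -> bytes:
        if self._aes is not None:
            return self._aes.decrypt(y)
        L, R = y[:8], y[8:]
        for i in reversed(range(4)):  # undo the rounds in reverse order
            L, R = xor(R, self._f(i, L)), L
        return L + R


def counter_block(id_a: int, nonce: int, j: int) -> bytes:
    """IdA (64 bits) || Nonce (48 bits) || j (16 bits), each right-adjusted."""
    assert 0 <= id_a < 2**64 and 0 <= nonce < 2**48 and 0 <= j < 2**16
    return id_a.to_bytes(8, "big") + nonce.to_bytes(6, "big") + j.to_bytes(2, "big")


def cbc_encrypt(bc: BlockCipher, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "CBC needs the plaintext padded to a block multiple"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = bc.enc(xor(pt[i:i + BLOCK], prev))  # c_j := E_K(x_j XOR c_{j-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(bc: BlockCipher, iv: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    # x_j := D_K(c_j) XOR c_{j-1}: each block needs only c_j and c_{j-1}
    return b"".join(xor(bc.dec(c), p) for c, p in zip(blocks, [iv] + blocks[:-1]))


def ctr_crypt(bc: BlockCipher, id_a: int, nonce: int, data: bytes) -> bytes:
    """Encryption and decryption are the same function; only E_K is used and
    the last keystream block is truncated to the data length."""
    out = []
    for j, i in enumerate(range(0, len(data), BLOCK), start=1):  # j > 0
        out.append(xor(data[i:i + BLOCK], bc.enc(counter_block(id_a, nonce, j))))
    return b"".join(out)


def cbc_mac(bc: BlockCipher, msg: bytes) -> bytes:
    return cbc_encrypt(bc, bytes(BLOCK), msg)[-BLOCK:]  # IV := 0, MAC := c_m


def strengthened_cbc_mac(bc: BlockCipher, bc2: BlockCipher, msg: bytes) -> bytes:
    return bc.enc(bc2.dec(cbc_mac(bc, msg)))  # MAC := E_K(D_K'(c_m)); bc2 holds K'


def splice_forgery(t1: bytes, x1: bytes, x2: bytes) -> bytes:
    """Outsider's forgery against plain CBC-MAC: given t1 = MAC(x1) and a
    single-block x2 whose tag t2 is known, x1 || (x2 XOR t1) also has tag t2,
    because the chain re-enters E_K exactly at x2. No key material is needed."""
    return x1 + xor(x2, t1)
```

Run `splice_forgery` with the plain CBC-MAC tag and the forged message verifies; run it with the strengthened tag under an independent K' and the verification fails, while with K' = K the strengthened MAC collapses to the plain one and the forgery succeeds again, which is slide 11's point about key independence. A repeated (IdA, Nonce) pair in `ctr_crypt` yields identical keystream, so XORing the two ciphertexts gives the XOR of the plaintexts; that is the counter-distinctness requirement of slide 8 made concrete.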

slide12

MACs Based on Un-keyed Hash Functions: HMAC (1)

  • Security requirement:
  • - HMAC should use an un-keyed hash function of the same security level.
  • HMAC computation:
  • - No parallelization of computation possible;
  • - Management of 1 key, viz. K, required.
  • Data integrity field size:
  • - HMAC value has size equal to the hash output length (256 bits for SHA-256, i.e. twice the AES-128 block length)
  • (truncated outputs possible, in exchange for reduced security level).
  • Implementation:
  • - Un-keyed hash function needs to be implemented.
  • Standard:
      • Draft FIPS Pub #HMAC (specification of HMAC)
      • Draft FIPS Pub 180-2 (specification of SHA-256)


slide13

MACs Based on Un-keyed Hash Functions: HMAC (2)

  • HMAC-256 (HMAC with SHA-256):
  • Building block: SHA-256.
  • Block size: 512 bits.
  • Operations on 32-bit words:
      • logical AND, XOR, NOT;
      • integer additions modulo 2^32;
      • rotations, shifts.
  • Storage:
      • temporary storage: roughly 10 words (of 32 bits);
      • permanent storage: roughly 8 words (of 32 bits).
  • Computational overhead:
  • - roughly the same as SHA-256 over the message (plus a few extra compression-function calls for the inner and outer key pads).

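The following is an added example, not code from the submission: HMAC over SHA-256 built by hand from the un-keyed hash, following the RFC 2104 / FIPS 198 construction H((K' ⊕ opad) || H((K' ⊕ ipad) || m)), and checked against Python's standard `hmac` module. It makes concrete the 512-bit input block size from slide 13, what happens to keys longer than that block, the 256-bit tag length and its truncation from slide 12, and the overhead in compression-function calls relative to a plain SHA-256 of the message. The per-message cost accounting in `compression_calls` is derived here from the SHA-256 padding rule (one 0x80 byte plus an 8-byte length, padded to a 64-byte multiple); the key and message bytes are constructed sample values.

```python
"""
Added example (not from the original submission): HMAC-SHA-256 built from the
un-keyed hash per RFC 2104 / FIPS 198 and cross-checked against the standard
library. Key and message values used by callers are constructed samples.
"""
import hashlib
import hmac

SHA256_BLOCK = 64   # 512-bit compression-function input block (slide 13)
SHA256_OUTPUT = 32  # 256-bit digest: the tag length before any truncation


def hmac_sha256(key: bytes, msg: bytes, tag_len: int = SHA256_OUTPUT) -> bytes:
    """HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)), where K' is K
    padded with zeros to one block, or H(K) first if K is longer than a block."""
    assert 0 < tag_len <= SHA256_OUTPUT
    if len(key) > SHA256_BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(SHA256_BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()[:tag_len]  # truncation, if any


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time, so a mismatching byte position
    does not leak through timing; the tag's own length selects truncation."""
    return hmac.compare_digest(hmac_sha256(key, msg, len(tag)), tag)


def compression_calls(msg_len: int) -> tuple:
    """(HMAC-SHA-256 cost, plain SHA-256 cost) in compression-function calls.
    SHA-256 pads with one 0x80 byte and an 8-byte length to a 64-byte multiple.
    The ipad block adds exactly one call to the inner hash; the outer hash
    (opad block + 32-byte inner digest + padding) is always two calls."""
    def calls(total_len: int) -> int:
        return -(-(total_len + 9) // SHA256_BLOCK)  # ceiling division
    plain = calls(msg_len)
    inner = calls(SHA256_BLOCK + msg_len)
    outer = calls(SHA256_BLOCK + SHA256_OUTPUT)
    return inner + outer, plain
```

For any message length the HMAC costs the plain hash plus three compression calls; an implementation that caches the two keyed intermediate states (after absorbing the ipad and opad blocks) pays only one extra call per message, which is why the slide's "roughly the same as SHA-256" holds in practice.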

slide14

Implementation Issues

Block-Cipher: AES-128 in one of the following modes:

(1) CBC mode;

(2) CTR mode.

Un-keyed hash function: SHA-256 {block length: 512 bits}.

Keyed hash function: (1) HMAC-256;

(2) CBC-MAC function.

AES-128 implementation:

CBC Mode: implement both AES-128 encryption and AES-128 decryption;

CTR Mode: implement AES-128 encryption only.

Lowest gate count: AES-128 in CTR mode.

SHA-256 cost during key agreement (if implemented in software):

Full MQV with Key Confirmation: additional 15% workload compared to a hardware-only implementation.

Modified-ECIES TLS-Variant Key agreement: additional 30% workload compared to a hardware-only implementation.

MAC implementation (in hardware):

CBC-MAC: implement both AES-128 encryption and AES-128 decryption

HMAC: implement SHA-256.

Lowest gate count: CBC-MAC (if encr + auth computations not carried out in parallel)

*AES-OCB with Authentic Side Information: implement both AES-128 encryption and decryption

(Note: Attractive if the data rate moves from 55 Mbps to 500 Mbps, since the encryption and authentication computations are carried out in parallel.)
