An Interface and Algorithms for Authenticated Encryption (RFC 5116)
David McGrew
Transcript of a PowerPoint presentation
Authenticated Encryption with Associated Data (AEAD)
• Single algorithm provides confidentiality and authenticity/integrity protection
• Useful abstraction for ‘ideal’ encryption
• Block cipher modes: GCM, CCM, SIV, and others
• Dedicated algorithms: Phelix, SOBER-128
RFC 5116
• Defines interface to AEAD algorithms
• Defines four algorithms: AES-GCM and AES-CCM, each with 128-bit and 256-bit keys (AEAD_AES_128_GCM, AEAD_AES_256_GCM, AEAD_AES_128_CCM, AEAD_AES_256_CCM)
• Defines IANA registry for algorithms
Example: Packet Protection
[Figure, built up over several slides: a packet consisting of Header || Payload. The Header needs authentication; the Payload needs confidentiality. Each step adds one input or output of AEAD Encryption.]
• Plaintext (the Payload): encrypted and authenticated
• Associated Data (the Header): only authenticated
• Secret key: input to AEAD Encryption
• Nonce: input to AEAD Encryption; each encryption operation MUST have a distinct nonce
• (Authenticated) Ciphertext: output of AEAD Encryption
Using AEAD: the packet on the wire is Header || Protected Payload || Nonce
Example: ESP
P = RestOfPayloadData || TFCpadding || Padding || PadLength || NextHeader
N = Salt || IV
A = SPI || SequenceNumber
ESP = SPI || SequenceNumber || IV || C
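The packet-protection picture and the ESP formulas above, carried through as a worked example. This is code added here for illustration; it is not code from RFC 5116, RFC 4106 or the presentation. It uses Go's cipher.AEAD, whose Seal/Open calls have the RFC 5116 shape (key, nonce, plaintext, associated data), with AEAD_AES_128_GCM and the RFC 4106 nonce layout N = Salt || IV. The key, salt, SPI and payload are constructed test values; TFC padding and extended sequence numbers are omitted, and the IV is simply the sequence number, which is one way to guarantee a distinct nonce for every packet sent under a key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 5116 interface: Encrypt(K, N, P, A) -> C and Decrypt(K, N, A, C) -> P or FAIL.
// Go's cipher.AEAD Seal/Open has exactly this shape; additionalData is A.

const (
	saltLen  = 4             // AEAD_AES_128_GCM uses a 12-byte nonce: N = Salt(4) || IV(8)
	ivLen    = 8             // only the 8-byte IV travels in the ESP packet
	espHdrLn = 4 + 4 + ivLen // SPI || SequenceNumber || IV
)

// espSender is the sender side of one ESP SA protected by AEAD_AES_128_GCM.
type espSender struct {
	aead cipher.AEAD
	spi  uint32
	salt [saltLen]byte // part of the SA keying material, never sent on the wire
	seq  uint32        // ESP sequence number, also drives the IV so nonces are distinct
}

func newESPSender(key []byte, salt [saltLen]byte, spi uint32) (*espSender, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &espSender{aead: aead, spi: spi, salt: salt}, nil
}

// nonce assembles N = Salt || IV.
func nonce(salt [saltLen]byte, iv []byte) []byte {
	n := make([]byte, 0, saltLen+ivLen)
	n = append(n, salt[:]...)
	return append(n, iv...)
}

// Protect produces ESP = SPI || SequenceNumber || IV || C for one payload, where
//   P = payload || Padding || PadLength || NextHeader   (TFC padding omitted)
//   A = SPI || SequenceNumber                           (authenticated, sent in clear)
func (e *espSender) Protect(payload []byte, nextHeader byte) ([]byte, error) {
	if e.seq == ^uint32(0) {
		// Wrapping would repeat a sequence number, hence a nonce, under this key.
		return nil, errors.New("sequence number exhausted; SA must be rekeyed")
	}
	e.seq++

	// ESP trailer: pad so that PadLength || NextHeader ends on a 4-byte boundary.
	padLen := (4 - (len(payload)+2)%4) % 4
	p := make([]byte, 0, len(payload)+padLen+2)
	p = append(p, payload...)
	for i := 1; i <= padLen; i++ {
		p = append(p, byte(i)) // default ESP padding bytes are 1, 2, 3, ...
	}
	p = append(p, byte(padLen), nextHeader)

	hdr := make([]byte, espHdrLn)
	binary.BigEndian.PutUint32(hdr[0:4], e.spi)
	binary.BigEndian.PutUint32(hdr[4:8], e.seq)
	binary.BigEndian.PutUint64(hdr[8:16], uint64(e.seq)) // IV = counter: fresh N per packet

	a := hdr[:8]
	n := nonce(e.salt, hdr[8:16])
	c := e.aead.Seal(nil, n, p, a) // C carries the 16-byte GCM tag at its end
	return append(hdr, c...), nil
}

// Unprotect reverses Protect. It fails closed: any change to SPI, SequenceNumber,
// IV or C makes tag verification fail and no plaintext is released.
func Unprotect(key []byte, salt [saltLen]byte, esp []byte) (payload []byte, nextHeader byte, err error) {
	if len(esp) < espHdrLn {
		return nil, 0, errors.New("packet too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, 0, err
	}
	a := esp[:8]
	n := nonce(salt, esp[8:16])
	p, err := aead.Open(nil, n, esp[espHdrLn:], a)
	if err != nil {
		return nil, 0, fmt.Errorf("authentication failed: %w", err)
	}
	if len(p) < 2 {
		return nil, 0, errors.New("plaintext too short")
	}
	nextHeader = p[len(p)-1]
	padLen := int(p[len(p)-2])
	if padLen > len(p)-2 {
		return nil, 0, errors.New("bad pad length")
	}
	return p[:len(p)-2-padLen], nextHeader, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed test key, not a real SA
	salt := [saltLen]byte{0xde, 0xad, 0xbe, 0xef}
	s, err := newESPSender(key, salt, 0x10203040)
	if err != nil {
		panic(err)
	}
	pkt, _ := s.Protect([]byte("inner IP datagram"), 4) // NextHeader 4 = IP-in-IP
	fmt.Printf("ESP packet: %x\n", pkt)

	pl, nh, err := Unprotect(key, salt, pkt)
	fmt.Printf("payload=%q nextHeader=%d err=%v\n", pl, nh, err)

	// Flip one bit of the SPI (associated data): the whole packet is rejected.
	tampered := append([]byte(nil), pkt...)
	tampered[0] ^= 0x01
	_, _, err = Unprotect(key, salt, tampered)
	fmt.Println("tampered header:", err)
}
```

The receiver never sees a partially verified packet: Open returns either the full plaintext or an error, which is the "P or FAIL" contract of the RFC 5116 Decrypt operation. The salt stays out of the packet because it is part of the key material; only the 8-byte IV is transmitted, exactly as the slide's Header || Protected Payload || Nonce picture shows.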
AEAD Benefits
• Interface hides algorithm details from application
• Application designer relieved of crypto issues
• Promotes algorithm agility
• Admits crypto optimizations
• Simplifies analysis and testing
RFC 5116 Uses
• ESP: backwards compatible with RFC 4106
• TLS: ecc-new-mac, rsa-aes-gcm
• IKE: draft-black-ikev2-aead-modes
• SRTP, SSH: work underway
• 802.1AE
AEAD Algorithms
• AES Galois/Counter Mode (GCM)
• AES Counter & CBC-MAC (CCM): AEAD_AES_128_CCM_SHORT
• AES Synthetic IV (SIV): draft-harkins-tls-rsa-aes-siv-00
• AES CBC, HMAC-SHA1: draft-mcgrew-aead-aes-cbc-hmac-sha-00
Issues & Future Work
• Nonces aren't user friendly: security vs. usability
• No nonceless algorithms in registry yet
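What "nonces aren't user friendly" costs when the distinct-nonce requirement is violated, as an added example that is not part of the presentation or of RFC 5116: AES-GCM is counter mode underneath, so two messages sealed under the same key and nonce share a keystream and the XOR of the ciphertexts equals the XOR of the plaintexts. The key, nonces and messages below are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// xorBytes returns a xor b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// ciphertextXOR seals p1 under nonce n1 and p2 under nonce n2 with AES-128-GCM
// (same key, no associated data) and returns C1 xor C2 over the plaintext bytes
// (the trailing tags are not included). If n1 == n2 the CTR keystream is
// identical for both messages and the result equals P1 xor P2, so an observer
// with no key learns the relation between the messages and recovers either one
// given the other. With distinct nonces the two ciphertexts are unrelated.
func ciphertextXOR(key, n1, n2, p1, p2 []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	c1 := aead.Seal(nil, n1, p1, nil)
	c2 := aead.Seal(nil, n2, p2, nil)
	return xorBytes(c1[:len(p1)], c2[:len(p2)]), nil
}

func main() {
	key := bytes.Repeat([]byte{0x01}, 16) // constructed key
	nonce := make([]byte, 12)             // constructed: one 96-bit nonce, used twice
	p1 := []byte("transfer 100 to alice")
	p2 := []byte("transfer 900 to mallo")

	leak, err := ciphertextXOR(key, nonce, nonce, p1, p2)
	if err != nil {
		panic(err)
	}
	fmt.Println("same nonce:      C1^C2 == P1^P2 ?", bytes.Equal(leak, xorBytes(p1, p2)))
	fmt.Printf("known P1 yields: %q\n", xorBytes(leak, p1))

	fresh := make([]byte, 12)
	fresh[11] = 1 // a counter-derived nonce: distinct for every operation under the key
	safe, _ := ciphertextXOR(key, nonce, fresh, p1, p2)
	fmt.Println("distinct nonces: C1^C2 == P1^P2 ?", bytes.Equal(safe, xorBytes(p1, p2)))
}
```

The fix is not in the algorithm but in the caller: derive the nonce from a per-key counter (as the ESP sequence number does) or from a value the protocol already guarantees unique, and rekey before the counter can wrap. That is the usability burden the slide refers to, and the reason the registry's lack of a nonce-misuse-resistant entry such as SIV is listed as future work.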
Acknowledgements
• Thanks are due to: Hal Finney, Greg Rose, Russ Housley, Alfred Hines, John Wilkinson, Jack Lloyd, Scott Fluhrer, David Wagner, Ken Raeburn, Wei Dai, Aaron Christensen, Phil Rogaway, and Dan Harkins
• IRTF CFRG participants