
Re: [STDS-802-11-TGAI] Weekly call reminder for 30th Oct



  Hi Dave,

On 10/25/12 4:17 PM, "David Goodall" <daveg@xxxxxxxxxxxx> wrote:

>Dan,
>
>I have comments and questions.
>
>In the meeting there was a discussion that SIV was not a mode of AES
>currently approved by NIST and that it would be preferable to use a NIST
>recommended mode. There was a comment that SIV could become approved
>later if submitted in some way. People then discussed using CCM or GCM
>rather than SIV.

  This poses something of a catch-22 in that NIST doesn't just approve modes
that people ask for, they approve modes that people use in cryptographic
protocols. But there is (obviously, here) resistance to using a mode in a
protocol that has not been already approved. See how this works? You can't
use it until it's approved and it won't be approved until you use it.

  GCM wasn't approved by NIST until it was already proposed for use, so had
this kind of "it's not NIST approved so we can't use it" opposition been made
elsewhere we would not have a NIST-approved GCM mode (ditto for CCM). I'm
not sure where this "can't be used until approved by NIST" idea came from
but thankfully other groups have not had such an opposition.

  That being said, SIV has been submitted to NIST:

    http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html

because it's already been proposed for use in IEEE 802.11-2012.

>I've been told subsequently that SIV is not as efficient as CCM or GCM,
>but I don't have numbers for that.

  GCM is a parallelizable one-pass cipher mode, SIV and CCM are not. So SIV is
less efficient than GCM but as efficient as CCM. Arguably SIV is slightly more
efficient than CCM because it doesn't have the same strict formatting rules
that must be adhered to for CCM.

  One of the advantages of SIV, though, is that it does not require a unique
counter or nonce across every invocation. You don't even need to pass a counter
or nonce like you do with CCM and GCM, but if you do choose to you don't have
to worry about it being unique across every invocation.

>So one general question is: Since GCM is NIST approved and may be more
>efficient would not that be a better choice?

  GCM would be a fine choice. But GCM has strict requirements on the construction
and the size of the nonce. We would have to pass more data in the message
to include the counter/nonce and we would have to remember what counters/nonces
have been used when we do rekeying with EAPOL-Key frames. None of that is
necessary with SIV.

  The less security critical information an implementor has to worry about the
more likely a secure implementation will result. And the less security critical
information that must be retained, managed and processed, the easier it is
to implement.

>But you may have some specific design reason for selecting SIV.

  Well yes. It seemed to be the right tool for the right job, because:

  - Since it's not being used for bulk data protection the efficiency benefit
    of GCM should not really be an issue. The amount of data that's going to
    be protected is minute compared to what's being sent over the air in
    data frames.

  - SIV is "misuse resistant" so we don't have to worry about remembering
    counters/nonces. We can just encrypt-and-authenticate the data and not
    worry about anything else. There is less overhead to worry about and
    less possibility of a security critical mistake.

  - There is no opportunity to reuse CCM because that is in the hardware
    and is specifically designed to create a CCMP frame out of a frame in
    an output queue buffer. And the format of an Association frame that has
    a partial body protected with CCM would differ from the format of a data
    frame entirely protected with CCM.

  - Unnecessary data (counters/nonces) are not sent over the air, we don't
    need to define more new fields for Association frames.

  - It's provably secure.

  - And there's this:
    http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/siv/ip.pdf

  Certainly, I don't see any technical reason to oppose SIV and I see some
technical benefits to its use. One may argue over how critical these benefits
are but not that they are benefits.

>Another question was on the use of a 16 byte nonce rather than a 32 byte
>nonce. The discussion that followed assumed that this was done because 32
>bytes is not really required. Is that the case?

  They are being concatenated as a source of randomness to the KDF. The
concatenated nonces will be 256-bits long. We can pass 32 byte nonces and
send 512-bits of randomness to the KDF but I don't think that's really
necessary. It is, of course, the call of the group though.

  regards,

  Dan.

>
>- Dave
>
>
>-----Original Message-----
>From: *** 802.11 TGai - Fast Initial Link Set-Up ***
>[mailto:STDS-802-11-TGAI@xxxxxxxx] On Behalf Of Dan Harkins
>Sent: Friday, 26 October 2012 3:53 AM
>To: STDS-802-11-TGAI@xxxxxxxxxxxxxxxxx
>Subject: Re: [STDS-802-11-TGAI] Weekly call reminder for 30th Oct
>
>
>  Hello,
>
>  I was unable to attend the Palm Springs meeting but I did hear that there
>was some opposition to SIV. I noticed this in the 12-1202r0 (session minutes)
>under the "Security Ad-hoc" on Monday evening:
>
>3.1.2. Clause 11.9a.2.4
>3.1.2.1. SIV or CCM?
>3.1.2.2. Continue discussion in Tue. PM1.
>3.1.2.3. Anyone who has objection, please comment with location and suggest
>         alternative text by reflector. (Hiroshi Mano)
>
>
>From the minutes it looks like it was not discussed again Tue. PM1 and I
>have yet to see any comments on the reflector about why someone has objections
>to SIV.
>
>  So, please comment and suggest alternative text by reflector if you
>object to SIV.
>
>  Dan.
>
>On 10/25/12 9:29 AM, "Gabor Bajko" <Gabor.Bajko@xxxxxxxxx> wrote:
>
>>I have not officially received yet any request for presentation for our
>>telco on the 30th.
>>Therefore, if you'd like to present, please upload your presentation to
>>mentor and send a note to the list.
>>At minimum, I'd expect an update of the security submission we discussed
>>in Palm Springs, addressing the concerns sent to the list.
>>
>>- Gabor
>>
>>-----Original Message-----
>>From: *** 802.11 TGai - Fast Initial Link Set-Up ***
>>[mailto:STDS-802-11-TGAI@xxxxxxxx] On Behalf Of ext Lei Wang
>>Sent: Saturday, October 20, 2012 10:32 PM
>>To: STDS-802-11-TGAI@xxxxxxxxxxxxxxxxx
>>Subject: Re: [STDS-802-11-TGAI] Weekly call reminder for 23rd Oct
>>
>>Thanks, Mano-San, for the info.
>>
>>Got a question to you about the Oct-30th's security discussion: are there
>>any documents for the discussion?
>>
>>Hope to hear from you soon. Thanks.
>>
>>Lei
>>
>>-----Original Message-----
>>From: *** 802.11 TGai - Fast Initial Link Set-Up ***
>>[mailto:STDS-802-11-TGAI@xxxxxxxx] On Behalf Of Hiroshi Mano
>>Sent: Saturday, October 20, 2012 8:29 PM
>>To: STDS-802-11-TGAI@xxxxxxxxxxxxxxxxx
>>Subject: [STDS-802-11-TGAI] Weekly call reminder for 23rd Oct
>>
>>Hi All
>>
>>I would like to remind you about our weekly call.
>>
>>I am expecting to have status report of our draft on the next call on
>>23rd Oct.
>>
>>And due to the vice chair's schedule we will have security discussion on
>>30th Oct.
>>
>>
>>Topic: 802ai
>>Date: Every Tuesday, from Tuesday, October 2, 2012 to Tuesday, November 20, 2012
>>Time: 9:00 am, Eastern Daylight Time (New York, GMT-04:00)
>>Meeting Number: 831 847 838
>>Meeting Password: 11Fils
>>Hiroshi Mano / (ATRD) TGai chair
>>
_______________________________________________________________________________

IF YOU WISH to be Removed from this reflector, PLEASE DO NOT send your request to this
CLOSED reflector. We use this valuable tool to communicate on the issues at hand.

SELF SERVICE OPTION:
Point your Browser to - http://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-FIA and
then amend your subscription on the form provided.  If you require removal from the reflector
press the LEAVE button.

Further information can be found at: http://www.ieee802.org/11/Email_Subscribe.html
_______________________________________________________________________________