
[STDS-802-11-TGAI] (on nonce reuse with AEAD modes in TGai key confirmation) (was: Fwd: Re: [STDS-802-11-TGAI] Weekly call reminder for 30th Oct)



Hi David:

I was hoping to just discuss outstanding technical security topics during the TGai conf call of next Tue, October 30, 2012 and leave esoteric beauty contest details for what they are right now.

Nevertheless, I feel it is my duty to put some cryptographic clarity in this seemingly confusing topic.

I would like to put TGai-related arguments re authenticated encryption modes into proper perspective.

Scope of discussion:
This note only discusses the properties of the authenticated encryption mode used with the key confirmation step of the key agreement schemes (three TGai proposals discussed in Palm Springs).

Properties of modes of operation (also known as "AEAD" modes):
1) With most modern authenticated encryption modes of operation (including GCM, CTR, SIV, OCB, etc.), nonce reuse that occurs *with different ("fresh") keys only* is perfectly okay.
2) With some modern authenticated encryption modes of operation, nonce reuse with *the same key* may present a security problem.

Context of use of mode of operation within current TGai discussion:
Key confirmation (and "piggy-backing" of additional information) uses a *fresh* key at each instantiation of the key agreement scheme.

Conclusion:
Nonce reuse from one AEAD invocation is a non-problem in this context.

QED

A final note:
Of course, there may be other aspects where various authenticated encryption modes of operation set themselves apart. However, in the context of use with key confirmation with TGai, nonce reuse (or, in cryptographic literature terms, "nonce misuse resilience") is not one of them.

Best regards, Rene
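The two properties listed above (nonce reuse under a fixed key versus under fresh keys), plus the SIV behaviour the thread is arguing about, shown with an added toy example that is not part of this thread and not TGai draft text. HMAC-SHA256 in counter mode stands in for AES-CTR, the core of both GCM and CCM, and an HMAC stands in for the tag; the SIV-style function derives its IV from the plaintext in the way RFC 5297 does. Keys, nonce, associated data and messages are constructed for the demonstration; nothing here is AES-GCM, AES-CCM or AES-SIV itself.

```python
"""Toy illustration of nonce reuse in a CTR-based AEAD (the structure of GCM
and CCM) versus an SIV-style AEAD.  HMAC-SHA256 in counter mode stands in for
AES-CTR and HMAC stands in for the tag; this is NOT AES-GCM/CCM/SIV and is
for demonstration only.  Keys, nonce, AD and messages are constructed."""
import hashlib
import hmac
import os


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """CTR-style keystream: block i = PRF(key, iv || i).
    The same (key, iv) pair always yields the same stream."""
    out, ctr = b"", 0
    while len(out) < n:
        out += _prf(key, iv + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_aead_encrypt(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    """Nonce-based AEAD, encrypt-then-MAC.  As in GCM/CCM the keystream is a
    function of (key, nonce) only, so reusing both reuses the keystream."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    ct = _xor(pt, _keystream(enc_key, nonce, len(pt)))
    tag = _prf(mac_key, nonce + ad + ct)[:16]
    return ct + tag


def siv_aead_encrypt(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    """SIV-style AEAD: the IV is a PRF of (nonce, AD, plaintext) and doubles
    as the tag, so the keystream only repeats if the whole input repeats."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    iv = _prf(mac_key, nonce + ad + pt)[:16]
    ct = _xor(pt, _keystream(enc_key, iv, len(pt)))
    return iv + ct


def eavesdropper_xor(c1: bytes, c2: bytes) -> bytes:
    """What a passive attacker can always compute: C1 xor C2.  If both
    ciphertexts used the same keystream this equals P1 xor P2."""
    return _xor(c1, c2)


# Constructed sample inputs (same length so the XOR comparison is byte-wise).
P1 = b"confirm: STA -> AP, nonce A"
P2 = b"confirm: AP -> STA, nonce B"
NONCE = bytes(12)              # deliberately constant across runs
AD = b"TGai key confirmation"
FIXED_KEY = b"\x11" * 32       # a long-lived key: the bad case


def same_key_nonce_reuse_leaks() -> bool:
    """One key, one nonce, two messages: the attacker learns P1 xor P2."""
    c1 = ctr_aead_encrypt(FIXED_KEY, NONCE, AD, P1)[: len(P1)]
    c2 = ctr_aead_encrypt(FIXED_KEY, NONCE, AD, P2)[: len(P2)]
    return eavesdropper_xor(c1, c2) == _xor(P1, P2)


def fresh_key_nonce_reuse_is_harmless() -> bool:
    """Fresh key per key-agreement run (the key-confirmation case): the
    nonce may repeat, the keystreams are unrelated."""
    k1, k2 = os.urandom(32), os.urandom(32)
    c1 = ctr_aead_encrypt(k1, NONCE, AD, P1)[: len(P1)]
    c2 = ctr_aead_encrypt(k2, NONCE, AD, P2)[: len(P2)]
    return eavesdropper_xor(c1, c2) != _xor(P1, P2)


def siv_same_key_nonce_reuse_is_harmless() -> bool:
    """SIV-style mode under the bad case: different plaintexts give different
    IVs, hence different keystreams.  Only the ciphertext body is compared."""
    c1 = siv_aead_encrypt(FIXED_KEY, NONCE, AD, P1)[16:]
    c2 = siv_aead_encrypt(FIXED_KEY, NONCE, AD, P2)[16:]
    return eavesdropper_xor(c1, c2) != _xor(P1, P2)


def siv_reveals_repeated_message() -> bool:
    """Residual leak of a deterministic mode: identical input, identical output."""
    return siv_aead_encrypt(FIXED_KEY, NONCE, AD, P1) == siv_aead_encrypt(FIXED_KEY, NONCE, AD, P1)


if __name__ == "__main__":
    print("same key, same nonce (CTR/GCM-like) leaks P1^P2:", same_key_nonce_reuse_leaks())
    print("fresh keys, same nonce is harmless:", fresh_key_nonce_reuse_is_harmless())
    print("SIV-style, same key, same nonce is harmless:", siv_same_key_nonce_reuse_is_harmless())
    print("SIV-style reveals an exactly repeated message:", siv_reveals_repeated_message())
```

Under one key the two ciphertexts XOR to the XOR of the plaintexts, which is the classic keystream-reuse break (real GCM additionally exposes its authentication key under nonce reuse, so forgeries follow as well). With a fresh key per run the same constant nonce yields an unrelated keystream, which is the property the message above relies on for key confirmation. The SIV-style construction tolerates the reuse even under a fixed key and gives up only whether the entire (nonce, AD, plaintext) input was repeated; that is the "nonce misuse resistance" the thread refers to, and it only buys something when a key is used more than once.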

-------- Original Message --------
Subject: Re: [STDS-802-11-TGAI] Weekly call reminder for 30th Oct
Date: Thu, 25 Oct 2012 16:04:46 -0400
From: Rene Struik <rstruik.ext@xxxxxxxxx>
To: Gabor.Bajko@xxxxxxxxx
CC: dharkins@xxxxxxxxxxxxxxxxx, gcherian@xxxxxxxxxxxx, jouni@xxxxxxxxxxxxxxxx


Hi all:

Please be aware this is not the only technical topic that was mentioned in Palm Springs (e.g., we also need to elaborate more on certificates). As already said, I will make a few slides to introduce the topic areas, and explain potential approaches (doc number will be 12/1243). More on the call on Tuesday...

11-12-1243-00-00ai-Discussion-of-Outstanding-TGai-Security-Topics


-------- Original Message --------
Subject: Re: [STDS-802-11-TGAI] Weekly call reminder for 30th Oct
Date: Thu, 25 Oct 2012 23:17:25 +0000
From: David Goodall <daveg@xxxxxxxxxxxx>
Reply-To: David Goodall <daveg@xxxxxxxxxxxx>
To: STDS-802-11-TGAI@xxxxxxxxxxxxxxxxx


Dan,

I have comments and questions.

In the meeting there was a discussion that SIV was not a mode of AES currently approved by NIST and that it would be preferable to use a NIST recommended mode. There was a comment that SIV could become approved later if submitted in some way. People then discussed using CCM or GCM rather than SIV. 

I've been told subsequently that SIV is not as efficient as CCM or GCM, but I don't have numbers for that.

So one general question is: Since GCM is NIST approved and may be more efficient would not that be a better choice? 

But you may have some specific design reason for selecting SIV.

Another question was on the use of a 16 byte nonce rather than a 32 byte nonce. The discussion that followed assumed that this was done because 32 bytes is not really required. Is that the case?

- Dave


-----Original Message-----
From: *** 802.11 TGai - Fast Initial Link Set-Up *** [mailto:STDS-802-11-TGAI@xxxxxxxx] On Behalf Of Dan Harkins
Sent: Friday, 26 October 2012 3:53 AM
To: STDS-802-11-TGAI@xxxxxxxxxxxxxxxxx
Subject: Re: [STDS-802-11-TGAI] Weekly call reminder for 30th Oct


  Hello,

  I was unable to attend the Palm Springs meeting but I did hear that there
was some opposition to SIV. I noticed this in the 12-1202r0 (session
minutes)
under the "Security Ad-hoc" on Monday evening:

3.1.2. Clause 11.9a.2.4
3.1.2.1. SIV or CCM?
3.1.2.2. Continue discussion in Tue. PM1.
3.1.2.3. Anyone who has objection, please comment with location and suggest
         alternative text by reflector. (Hiroshi Mano)


From the minutes it looks like it was not discussed again Tue. PM1 and I
have yet to see any comments on the reflector about why someone has
objections
to SIV.

  So, please comment and suggest alternative text by reflector if you
object to SIV.

  Dan.

On 10/25/12 9:29 AM, "Gabor Bajko" <Gabor.Bajko@xxxxxxxxx> wrote:

>I have not officially received yet any request for presentation for our
>telco on the 30th.
>Therefore, if you'd like to present, please upload your presentation to
>mentor and send a note to the list.
>At minimum, I'd expect an update of the security submission we discussed
>in Palm Springs, addressing the concerns sent to the list.
>
>- Gabor
>
>-----Original Message-----
>From: *** 802.11 TGai - Fast Initial Link Set-Up ***
>[mailto:STDS-802-11-TGAI@xxxxxxxx] On Behalf Of ext Lei Wang
>Sent: Saturday, October 20, 2012 10:32 PM
>To: STDS-802-11-TGAI@xxxxxxxxxxxxxxxxx
>Subject: Re: [STDS-802-11-TGAI] Weekly call reminder for 23rd Oct
>
>Thanks, Mano-San, for the info.
>
>Got a question to you about the Oct-30th's security discussion: are there
>any documents for the discussion?
>
>Hope to hear from you soon. Thanks.
>
>Lei
>
>-----Original Message-----
>From: *** 802.11 TGai - Fast Initial Link Set-Up ***
>[mailto:STDS-802-11-TGAI@xxxxxxxx] On Behalf Of Hiroshi Mano
>Sent: Saturday, October 20, 2012 8:29 PM
>To: STDS-802-11-TGAI@xxxxxxxxxxxxxxxxx
>Subject: [STDS-802-11-TGAI] Weekly call reminder for 23rd Oct
>
>Hi All
>
>I would like to remind you about our weekly call.
>
>I am expecting to have status report of our draft on the next call on
>23rd Oct.
>
>And due to the vice chair's schedule we will have security discussion on
>30th Oct.
>
>Topic: 802ai
>Date: Every Tuesday, from Tuesday, October 2, 2012 to Tuesday, November
>20, 2012
>Time: 9:00 am, Eastern Daylight Time (New York, GMT-04:00)
>Meeting Number: 831 847 838
>Meeting Password: 11Fils
>
>
>-------------------------------------------------------
>To join the online meeting (Now from mobile devices!)
>-------------------------------------------------------
>1. Go to
>https://mano.webex.com/mano-en/j.php?ED=17545948&UID=0&PW=NOTNhY2UwMGU4&RT=MiMxMQ%3D%3D
>2. If requested, enter your name and email address.
>3. If a password is required, enter the meeting password: 11Fils
>4. Click "Join".
>
>To view in other time zones or languages, please click the link:
>https://mano.webex.com/mano-en/j.php?ED=17545948&UID=0&PW=NOTNhY2UwMGU4&ORT=MiMxMQ%3D%3D
>
>-------------------------------------------------------
>To join the audio conference only
>-------------------------------------------------------
>To receive a call back, provide your phone number when you join the
>meeting, or call the number below and enter the access code.
>Call-in toll number (US/Canada): 1-650-479-3207
>
>Access code:831 847 838
>
>-------------------------------------------------------
>For assistance
>-------------------------------------------------------
>1. Go to https://mano.webex.com/mano-en/mc
>2. On the left navigation bar, click "Support".
>
>You can contact me at:
>mano@xxxxxxxxxxxx
>
>
>To update this meeting to your calendar program (for example Microsoft
>Outlook), click this link:
>https://mano.webex.com/mano-en/j.php?ED=17545948&UID=0&ICS=MRS1&LD=1&RD=2&ST=1&SHA2=AAAAAjI4QtV/hDXgE9dG73kXQBnkdVZ8yF4MsCg57nHz/ez8&RT=MiMxMQ%3D%3D
>
>
>WebEx will automatically setup Meeting Manager for Windows the first time
>you join a meeting. To save time, you can setup prior to the meeting by
>clicking this link:
>https://mano.webex.com/mano-en/meetingcenter/mcsetup.php
>
>
>The playback of UCF (Universal Communications Format) rich media files
>requires appropriate players. To view this type of rich media files in
>the meeting, please check whether you have the players installed on your
>computer by going to https://mano.webex.com/mano-en/systemdiagnosis.php.
>
>Sign up for a free trial of WebEx
>http://www.webex.com/go/mcemfreetrial
>
>http://www.webex.com
>
>CCP:+16504793207x831847838#
>
>IMPORTANT NOTICE: This WebEx service includes a feature that allows audio
>and any documents and other materials exchanged or viewed during the
>session to be recorded. By joining this session, you automatically
>consent to such recordings. If you do not consent to the recording,
>discuss your concerns with the meeting host prior to the start of the
>recording or do not join the session. Please note that any such
>recordings may be subject to discovery in the event of litigation.
>Hiroshi Mano / (ATRD) TGai chair
>
>__________________________________________________________________________
>__
>___
>
>IF YOU WISH to be Removed from this reflector, PLEASE DO NOT send your
>request to this CLOSED reflector. We use this valuable tool to
>communicate on the issues at hand.
>
>SELF SERVICE OPTION:
>Point your Browser to -
>http://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-FIA and then amend
>your subscription on the form provided.  If you require removal from the
>reflector press the LEAVE button.
>
>Further information can be found at:
>http://www.ieee802.org/11/Email_Subscribe.html
>__________________________________________________________________________
>__
>___
