
Re: [STDS-802-11-TGAI] (on nonce reuse with AEAD modes in TGai key confirmation) (was: Fwd: Re: [STDS-802-11-TGAI] Weekly call reminder for 30th Oct)



On 10/25/12 8:00 PM, "Rene Struik" <rstruik.ext@xxxxxxxxx> wrote:

>
>Hi David:
>
>I was hoping to just discuss outstanding technical security topics during
>the TGai conf call of next Tue, October 30, 2012 and leave esoteric
>beauty contest details for what they are right now.
>
>Nevertheless, I feel it is my duty to put some cryptographic clarity in
>this seemingly confusing topic.
>
>I would like to put TGai-related arguments re authenticated encryption
>modes into proper perspective.
>
>Scope of discussion:
>This note only discusses the properties of the authenticated encryption
>mode used with the key confirmation step of the key agreement schemes
>(three TGai proposals discussed in Palm Springs).
>
>Properties of modes of operation (also known as "AEAD" modes):
>1) With most modern authenticated encryption modes of operation
>(including GCM, CTR, SIV, OCB, etc.), nonce reuse that occurs *with
>different ("fresh") keys only* is perfectly okay.

  I don't believe anyone has ever asserted otherwise. The problem is when a
given nonce is used more than once with the same key. And CTR is not an
authenticated encryption mode of operation.

>2) With some modern authenticated encryption modes of operation, nonce
>reuse with *the same key* may present a security problem.

  The security problem is that all security is _completely lost_. And it's
not a "may" either. The suggestion was to use GCM (or CCM). With both of
those there is absolutely a complete loss of security when the nonce is
reused.

>Context of use of mode of operation within current TGai discussion:
>Key confirmation (and "piggy-backing" of additional information) uses a
>*fresh* key at each instantiation of the key agreement scheme.

  You forget that each side will invoke the AEAD scheme once with the same
key for each FILS handshake. And you also forget about rekey.

>Conclusion: 
>Nonce reuse from one AEAD invocation is a non-problem in this context.

  Well you can't reuse anything from one invocation so that's something of
a non-statement. Since we're not making one AEAD invocation, nonce reuse is
something that we have to take into account if we decide to use a cipher
mode that loses all security when nonces are reused.

  Which isn't to say that we can't manage it, we can; it's just that such
definition and management and concern is unnecessary because there's a
completely satisfactory cipher mode that has no technical problems which
is already proposed for use.

  And I think it's disingenuous to soft-pedal the problem with nonce reuse.
If we decide to go with an AEAD scheme that loses all security when the
nonce is reused we will have to be very careful about how we construct
the message and how we manage state to ensure we retain security. Like I
said, it's do-able; it's just unnecessary.

>QED

  Well, not really.

>A final note:
>Of course, there may be other aspects where various authenticated
>encryption modes of operation set themselves apart. However, in the
>context of use with key confirmation with TGai, nonce reuse (or, in
>cryptographic literature terms, "nonce misuse resilience") is not one of
>them.

  It is because there will be more than one invocation of the AEAD scheme
with the same key.

  Dan.
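The failure mode Dan describes above (one nonce repeated under the same GCM key) and the bookkeeping he says would then be needed, as an added example that is not part of this thread or of any TGai draft text. It uses AES-GCM from the Go standard library; the key bytes, the direction-byte nonce layout and the `Sealer` type are constructed for illustration and are not taken from the FILS proposal.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrNonceReuse = errors.New("nonce already used under this key")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamReused encrypts p1 and p2 under the same (key, nonce) and reports
// whether C1 XOR C2 equals P1 XOR P2. For GCM it always does: the keystream
// depends only on (key, nonce), so a repeated nonce exposes the plaintexts.
func KeystreamReused(key, nonce, p1, p2 []byte) (bool, error) {
	aead, err := newGCM(key)
	if err != nil {
		return false, err
	}
	c1 := aead.Seal(nil, nonce, p1, nil) // ciphertext || 16-byte tag
	c2 := aead.Seal(nil, nonce, p2, nil)
	px := xorBytes(p1, p2)
	return bytes.Equal(xorBytes(c1, c2)[:len(px)], px), nil
}

// DirectionalNonce lays out a 96-bit GCM nonce as a direction byte, three zero
// bytes and a big-endian counter (a constructed layout, not TGai text), so the
// two sides of one handshake never collide even though they share the key.
func DirectionalNonce(direction byte, counter uint64) []byte {
	n := make([]byte, 12)
	n[0] = direction
	binary.BigEndian.PutUint64(n[4:], counter)
	return n
}

// Sealer encrypts under one key and refuses to reuse a nonce with that key.
type Sealer struct {
	aead cipher.AEAD
	used map[string]struct{}
}

func NewSealer(key []byte) (*Sealer, error) {
	s := &Sealer{}
	if err := s.Rekey(key); err != nil {
		return nil, err
	}
	return s, nil
}

// Rekey installs a fresh key and clears the history: a nonce repeated under
// a different key is harmless; a repeat under the current key is not.
func (s *Sealer) Rekey(key []byte) error {
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	s.aead, s.used = aead, make(map[string]struct{})
	return nil
}

// Seal rejects a wrong-sized nonce or one already consumed under this key.
func (s *Sealer) Seal(nonce, plaintext, aad []byte) ([]byte, error) {
	if len(nonce) != s.aead.NonceSize() {
		return nil, fmt.Errorf("nonce must be %d bytes", s.aead.NonceSize())
	}
	if _, dup := s.used[string(nonce)]; dup {
		return nil, ErrNonceReuse
	}
	s.used[string(nonce)] = struct{}{}
	return s.aead.Seal(nil, nonce, plaintext, aad), nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed demo key, not a real one
	leak, _ := KeystreamReused(key, DirectionalNonce(1, 0), []byte("confirm A"), []byte("confirm B"))
	fmt.Println("repeated nonce under one key leaks plaintext XOR:", leak)
}
```

`KeystreamReused` shows only the confidentiality half of the loss (the forgery half is not reproduced here). `Sealer` is the kind of per-key state Dan is referring to: each side of a handshake encrypts under the same key, so the nonces of the two directions must be kept disjoint and every nonce must be tracked until `Rekey` replaces the key. A nonce-misuse-resistant mode such as SIV is what removes the need for that tracking; whether that is worth its cost relative to a NIST-approved mode is the question the rest of the thread is about.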

>Best regards, Rene
>
>-------- Original Message --------
>Subject: Re: [STDS-802-11-TGAI] Weekly call reminder for 30th Oct
>Date: Thu, 25 Oct 2012 16:04:46 -0400
>From: Rene Struik <rstruik.ext@xxxxxxxxx>
>To: Gabor.Bajko@nokia.com
>CC: dharkins@xxxxxxxxxxxxxxxxx, gcherian@xxxxxxxxxxxx, jouni@xxxxxxxxxxxxxxxx
>
>Hi all:
>
>Please be aware this is not the only technical topic that was mentioned
>in Palm Springs (e.g., we also need to elaborate more on certificates).
>As already said, I will make a few slides to introduce the topic areas,
>and explain potential approaches (doc number will be 12/1243). More on
>the call on Tuesday...
>
>11-12-1243-00-00ai-Discussion-of-Outstanding-TGai-Security-Topics
>
>
>
>-------- Original Message --------
>Subject: Re: [STDS-802-11-TGAI] Weekly call reminder for 30th Oct
>Date: Thu, 25 Oct 2012 23:17:25 +0000
>From: David Goodall <daveg@xxxxxxxxxxxx>
>Reply-To: David Goodall <daveg@xxxxxxxxxxxx>
>To: STDS-802-11-TGAI@xxxxxxxxxxxxxxxxx
>
>Dan,
>
>I have comments and questions.
>
>In the meeting there was a discussion that SIV was not a mode of AES
>currently approved by NIST and that it would be preferable to use a NIST
>recommended mode. There was a comment that SIV could become approved
>later if submitted in some way. People then discussed using CCM or GCM
>rather than SIV. 
>
>I've been told subsequently that SIV is not as efficient as CCM or GCM,
>but I don't have numbers for that.
>
>So one general question is: Since GCM is NIST approved and may be more
>efficient would not that be a better choice?
>
>But you may have some specific design reason for selecting SIV.
>
>Another question was on the use of a 16 byte nonce rather than a 32 byte
>nonce. The discussion that followed assumed that this was done because 32
>bytes is not really required. Is that the case?
>
>- Dave
>
>
>-----Original Message-----
>From: *** 802.11 TGai - Fast Initial Link Set-Up ***
>[mailto:STDS-802-11-TGAI@xxxxxxxx] On Behalf Of Dan Harkins
>Sent: Friday, 26 October 2012 3:53 AM
>To: STDS-802-11-TGAI@xxxxxxxxxxxxxxxxx
>Subject: Re: [STDS-802-11-TGAI] Weekly call reminder for 30th Oct
>
>
>  Hello,
>
>  I was unable to attend the Palm Springs meeting but I did hear that
>there was some opposition to SIV. I noticed this in the 12-1202r0
>(session minutes) under the "Security Ad-hoc" on Monday evening:
>
>3.1.2. Clause 11.9a.2.4
>3.1.2.1. SIV or CCM?
>3.1.2.2. Continue discussion in Tue. PM1.
>3.1.2.3. Anyone who has objection, please comment with location and
>         suggest alternative text by reflector. (Hiroshi Mano)
>
>
>From the minutes it looks like it was not discussed again Tue. PM1 and I
>have yet to see any comments on the reflector about why someone has
>objections to SIV.
>
>  So, please comment and suggest alternative text by reflector if you
>object to SIV.
>
>  Dan.
>
>On 10/25/12 9:29 AM, "Gabor Bajko" <Gabor.Bajko@xxxxxxxxx> wrote:
>
>>I have not officially received yet any request for presentation for our
>>telco on the 30th.
>>Therefore, if you'd like to present, please upload your presentation to
>>mentor and send a note to the list.
>>At minimum, I'd expect an update of the security submission we discussed
>>in Palm Springs, addressing the concerns sent to the list.
>>
>>- Gabor
>>
>>-----Original Message-----
>>From: *** 802.11 TGai - Fast Initial Link Set-Up ***
>>[mailto:STDS-802-11-TGAI@xxxxxxxx] On Behalf Of ext Lei Wang
>>Sent: Saturday, October 20, 2012 10:32 PM
>>To: STDS-802-11-TGAI@xxxxxxxxxxxxxxxxx
>>Subject: Re: [STDS-802-11-TGAI] Weekly call reminder for 23rd Oct
>>
>>Thanks, Mano-San, for the info.
>>
>>Got a question to you about the Oct-30th's security discussion: are there
>>any documents for the discussion?
>>
>>Hope to hear from you soon. Thanks.
>>
>>Lei
>>
>>-----Original Message-----
>>From: *** 802.11 TGai - Fast Initial Link Set-Up ***
>>[mailto:STDS-802-11-TGAI@xxxxxxxx] On Behalf Of Hiroshi Mano
>>Sent: Saturday, October 20, 2012 8:29 PM
>>To: STDS-802-11-TGAI@xxxxxxxxxxxxxxxxx
>>Subject: [STDS-802-11-TGAI] Weekly call reminder for 23rd Oct
>>
>>Hi All
>>
>>I would like to remind you about our weekly call.
>>
>>I am expecting to have status report of our draft on the next call on
>>23rd Oct.
>>
>>And due to the vice chair's schedule we will have security discussion on
>>30th Oct.
>>
>>
>>Topic: 802ai
>>Date: Every Tuesday, from Tuesday, October 2, 2012 to Tuesday, November
>>20, 2012
>>Time: 9:00 am, Eastern Daylight Time (New York, GMT-04:00)
>>Meeting Number: 831 847 838
>>Meeting Password: 11Fils
>>
>>
>>-------------------------------------------------------
>>To join the online meeting (Now from mobile devices!)
>>-------------------------------------------------------
>>1. Go to
>>https://mano.webex.com/mano-en/j.php?ED=17545948&UID=0&PW=NOTNhY2UwMGU4&RT=MiMxMQ%3D%3D
>>2. If requested, enter your name and email address.
>>3. If a password is required, enter the meeting password: 11Fils
>>4. Click "Join".
>>
>>To view in other time zones or languages, please click the link:
>>https://mano.webex.com/mano-en/j.php?ED=17545948&UID=0&PW=NOTNhY2UwMGU4&ORT=MiMxMQ%3D%3D
>>
>>-------------------------------------------------------
>>To join the audio conference only
>>-------------------------------------------------------
>>To receive a call back, provide your phone number when you join the
>>meeting, or call the number below and enter the access code.
>>Call-in toll number (US/Canada): 1-650-479-3207
>>
>>Access code:831 847 838
>>
>>-------------------------------------------------------
>>For assistance
>>-------------------------------------------------------
>>1. Go to https://mano.webex.com/mano-en/mc
>>2. On the left navigation bar, click "Support".
>>
>>You can contact me at:
>>mano@xxxxxxxxxxxx
>>
>>
>>To update this meeting to your calendar program (for example Microsoft
>>Outlook), click this link:
>>https://mano.webex.com/mano-en/j.php?ED=17545948&UID=0&ICS=MRS1&LD=1&RD=2&ST=1&SHA2=AAAAAjI4QtV/hDXgE9dG73kXQBnkdVZ8yF4MsCg57nHz/ez8&RT=MiMxMQ%3D%3D
>>
>>
>>WebEx will automatically setup Meeting Manager for Windows the first time
>>you join a meeting. To save time, you can setup prior to the meeting by
>>clicking this link:
>>https://mano.webex.com/mano-en/meetingcenter/mcsetup.php
>>
>>
>>The playback of UCF (Universal Communications Format) rich media files
>>requires appropriate players. To view this type of rich media files in
>>the meeting, please check whether you have the players installed on your
>>computer by going to https://mano.webex.com/mano-en/systemdiagnosis.php.
>>
>>Sign up for a free trial of WebEx
>>http://www.webex.com/go/mcemfreetrial
>>
>>http://www.webex.com
>>
>>CCP:+16504793207x831847838#
>>
>>IMPORTANT NOTICE: This WebEx service includes a feature that allows audio
>>and any documents and other materials exchanged or viewed during the
>>session to be recorded. By joining this session, you automatically
>>consent to such recordings. If you do not consent to the recording,
>>discuss your concerns with the meeting host prior to the start of the
>>recording or do not join the session. Please note that any such
>>recordings may be subject to discovery in the event of litigation.
>>Hiroshi Mano / (ATRD) TGai chair
>>
>>_________________________________________________________________________
>>_
>>__
>>___
>>
>>IF YOU WISH to be Removed from this reflector, PLEASE DO NOT send your
>>request to this CLOSED reflector. We use this valuable tool to
>>communicate on the issues at hand.
>>
>>SELF SERVICE OPTION:
>>Point your Browser to -
>>http://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-FIA and then amend
>>your subscription on the form provided.  If you require removal from the
>>reflector press the LEAVE button.
>>
>>Further information can be found at:
>>http://www.ieee802.org/11/Email_Subscribe.html
>>_________________________________________________________________________
>>_
>>__
>>___