
RE: [LinkSec] Preliminary view of header format




Marcus,

The birthday limit is not a problem with CCM. The MIC is encrypted, so
passive collision farming is prevented.

An active attacker is forced to guess MICs and try them, so they don't
have the advantage of the birthday paradox. They need to try 2^64
attempts to expect a packet to be received with a valid MIC, but the
attacker would have no control over the contents, and the victim might be
expected to notice 2^64 MIC violations coming in and rekey ahead of
time.

This is why the PN/IV length can be greater than n/2 bits where the MIC
length is n bits.

I haven't looked at the details but the same argument seems to apply to
OCB.

And yes, I did ask a cryptographer before sending this.

DJ

David Johnston
Intel Corporation
Chair, IEEE 802 Handoff ECSG

Email : dj.johnston@intel.com
Tel   : 503 380 5578 (Mobile)
Tel   : 503 264 3855 (Office)

> -----Original Message-----
> From: Leech, Marcus (EXCHANGE:FITZ:8M86) [mailto:mleech@NORTELNETWORKS.COM]
> Sent: Tuesday, September 02, 2003 12:38 PM
> To: stds-802-linksec@ieee.org
> Subject: [LinkSec] Preliminary view of header format
> 
> 
> 
> Here's a preliminary view:
> 
> SAID|IV|PAYLOAD|MIC
> 
> SAID = 4 bytes  Security Association Identifier
> IV = Initialization Vector, 4-16 bytes, depending on ciphersuite
> PAYLOAD = variable length
> MIC = Message Integrity Code, 8-16 bytes, depending on ciphersuite
> 
> 
> The SAID could be compressed to a single octet if there is other implicit
>   context "lying around" that can uniquely identify this security
>   association.  It's not clear to me that is possible across all
>   technologies we're talking about here, so making it 4 bytes (32-bits)
>   would be consistent with 802.10, and IPSec.
> 
> Given the birthday paradox, I'm inclined to conservatism, and perhaps that
>   8-16 bytes for MIC should be 10-16 bytes.  It would probably be prudent
>   to make a statement in each ciphersuite that negotiation of new keys
>   (and consequent SAID) should begin when 2**((N/2)-1) messages have been
>   transmitted under the current key, where N is the MIC size in bits.
> 
> -- 
> ----------------------------------------------------------------------
> Marcus Leech                             Mail:
> Advisor                                  Phone: (ESN) 393-9145  +1 613 763 9145
> Security Architecture and Planning       Fax:   (ESN) 393-2754  +1 613 763 2754
> Nortel Networks                          mleech@nortelnetworks.com
> -----------------Expressed opinions are my own, not my employer's------
>
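
The header layout and rekey rule from the quoted proposal, as an added example that is not part of either message: a Python parser for SAID|IV|PAYLOAD|MIC plus the two figures under discussion (the proposal's 2**((N/2)-1) rekey threshold and the 2^N space of MIC values an active guesser faces). The Suite profile, the big-endian SAID encoding, RekeyCounter and the sample frame are assumptions made for illustration.

```python
import struct
from dataclasses import dataclass

SAID_LEN = 4  # 4-byte Security Association Identifier, per the proposed layout

@dataclass(frozen=True)
class Suite:
    """Hypothetical ciphersuite profile: only the field lengths matter here."""
    iv_len: int
    mic_len: int

    def __post_init__(self):
        # Bounds taken from the proposal: IV 4-16 bytes, MIC 8-16 bytes.
        if not 4 <= self.iv_len <= 16:
            raise ValueError("IV length must be 4-16 bytes")
        if not 8 <= self.mic_len <= 16:
            raise ValueError("MIC length must be 8-16 bytes")

    def rekey_threshold(self) -> int:
        """Birthday-based limit from the proposal: 2**((N/2)-1), N = MIC bits."""
        return 2 ** ((self.mic_len * 8) // 2 - 1)

    def blind_guess_space(self) -> int:
        """Number of MIC values an active attacker has to guess among: 2**N."""
        return 2 ** (self.mic_len * 8)

def parse_frame(frame: bytes, suite: Suite) -> dict:
    """Split SAID|IV|PAYLOAD|MIC; reject frames too short for the fixed fields."""
    fixed = SAID_LEN + suite.iv_len + suite.mic_len
    if len(frame) < fixed:
        raise ValueError(f"frame too short: {len(frame)} < {fixed} bytes")
    (said,) = struct.unpack_from("!I", frame, 0)  # byte order is an assumption
    iv_end = SAID_LEN + suite.iv_len
    mic_start = len(frame) - suite.mic_len
    return {"said": said, "iv": frame[SAID_LEN:iv_end],
            "payload": frame[iv_end:mic_start], "mic": frame[mic_start:]}

class RekeyCounter:
    """Counts frames sent per SAID and flags when key negotiation should begin."""
    def __init__(self, suite: Suite):
        self.suite, self.sent = suite, {}

    def record(self, said: int) -> bool:
        self.sent[said] = self.sent.get(said, 0) + 1
        return self.sent[said] >= self.suite.rekey_threshold()

# Constructed sample frame: SAID 0x2A, 8-byte IV, 5-byte payload, 8-byte MIC.
SUITE = Suite(iv_len=8, mic_len=8)
FRAME = bytes.fromhex("0000002a") + bytes(range(8)) + b"hello" + b"\xaa" * 8
```
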