
Why Use SIV for 11ai?






Presentation Transcript


  1. Why Use SIV for 11ai?
  Authors: Dan Harkins, Aruba Networks
  Date: 2012-10-30

  2. Abstract
  • This presentation suggests the best solution to a problem that TGai has

  3. What’s the Problem that Needs Solving?
  • The Association Request/Response is used for key confirmation: to prove possession of the key that results from exchanging Authentication frames
  • Some parts need authentication and encryption
    • KDEs containing keys
    • Potentially DHCP
  • Some parts need authentication but no encryption
    • The session IE
    • Other stuff?
  • What we need for this is authenticated encryption that also takes additional associated data: an AEAD mode

  4. AEAD Cipher Modes
  • There are quite a few AEAD modes that encrypt and authenticate a plaintext and authenticate associated data
    • GCM, CCM, SIV, CWC, OCB, …
  • Similar interface:
    • Input: key, plaintext, nonce/IV/counter, AAD
    • Output: ciphertext (including a MIC/tag)
  • The key is used to encrypt and authenticate the plaintext and to authenticate the AAD
  • The nonce/IV/counter is there to make the mode probabilistic and is critical for security (for all but one mode)

  5. Nonce Construction for AEAD Schemes
  • The nonce must be unique for all calls to the encryption API, otherwise (according to RFC 5116, for GCM):
    • a loss of confidentiality ensues because an attacker can reconstruct the bitwise exclusive-or of the two plaintext values
    • a loss of integrity ensues because the attacker will be able to recover the internal hash key used to provide data integrity
  • A loss of confidentiality and integrity for a scheme that is supposed to provide confidentiality and integrity means its security is completely voided!
  • Nonce hygiene must be strictly enforced! Unless…

  6. Misuse-Resistant AEAD
  • SIV does not require a nonce, and does not lose all security if one is used and it is repeated
  • If two identical messages, with identical AAD, get enciphered using the same key (and same nonce) then:
    • No loss of integrity
    • Loss of privacy only in the sense that the adversary knows two identical messages (with identical AAD) were protected with the same key
  • Using SIV means we don’t need to worry about the nonce!
    • It does not need to be passed in the message
    • It does not need to be reconstructed on both sides
    • It does not need to be managed to ensure uniqueness
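The following is an added, constructed example that is not part of the presentation and is not the RFC 5297 AES-SIV algorithm: it models slides 4 to 6 in code. HMAC-SHA256 stands in for the CMAC-based S2V PRF and a SHA-256 counter keystream stands in for AES-CTR, so only the structure is faithful: a nonce-based AEAD derives its keystream from the nonce, while the SIV-style AEAD computes the tag over the associated-data vector and the plaintext first and then reuses that tag as the IV. All keys, nonces, and messages below are constructed sample values.

```python
"""Nonce misuse in a nonce-based AEAD versus an SIV-style AEAD (constructed example).

Not RFC 5297 AES-SIV: HMAC-SHA256 stands in for the CMAC-based S2V PRF and a
SHA-256 counter keystream stands in for AES-CTR. Only the structure is kept.
"""
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output size, used for both the tag and the synthetic IV


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = SHA256(key || iv || i). Stand-in for AES-CTR."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def prf(key: bytes, parts: list) -> bytes:
    """PRF over a vector of strings, each length-prefixed so the parts cannot be
    re-split ambiguously. Stand-in for S2V, which RFC 5297 builds from CMAC."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def split_key(key: bytes):
    """As in RFC 5297: one half of the key for the MAC (K1), the other for CTR (K2)."""
    half = len(key) // 2
    return key[:half], key[half:]


# Nonce-based AEAD shaped like GCM/CCM: keystream from the nonce, tag over (nonce, AAD, ct).
def nonce_aead_encrypt(key: bytes, nonce: bytes, aad: bytes, pt: bytes) -> bytes:
    k1, k2 = split_key(key)
    ct = xor(pt, keystream(k2, nonce, len(pt)))
    return ct + prf(k1, [nonce, aad, ct])


def nonce_aead_decrypt(key: bytes, nonce: bytes, aad: bytes, blob: bytes):
    k1, k2 = split_key(key)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, prf(k1, [nonce, aad, ct])):
        return None
    return xor(ct, keystream(k2, nonce, len(ct)))


# SIV-style AEAD: the tag is computed first and doubles as the IV (output layout IV || ct).
def siv_encrypt(key: bytes, ad: list, pt: bytes) -> bytes:
    """ad is a vector of associated-data strings; a nonce, if used at all, is just its last element."""
    k1, k2 = split_key(key)
    iv = prf(k1, ad + [pt])
    return iv + xor(pt, keystream(k2, iv, len(pt)))


def siv_decrypt(key: bytes, ad: list, blob: bytes):
    k1, k2 = split_key(key)
    iv, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    pt = xor(ct, keystream(k2, iv, len(ct)))
    if not hmac.compare_digest(iv, prf(k1, ad + [pt])):
        return None  # wrong key, wrong AD, or modified ciphertext
    return pt


def demo() -> dict:
    """Encrypt two different secrets under one key with the same nonce in both schemes."""
    key = bytes(range(32))                          # constructed demo key
    nonce = b"reused-nonce"                         # deliberately repeated
    aad = b"session IE (cleartext, authenticated)"  # constructed AAD
    pt1 = b"KDE: key material #1 (secret)"          # constructed plaintexts of equal length
    pt2 = b"KDE: key material #2 (secret)"

    # RFC 5116 warning: with a repeated nonce, ct1 XOR ct2 equals pt1 XOR pt2.
    c1 = nonce_aead_encrypt(key, nonce, aad, pt1)[:len(pt1)]
    c2 = nonce_aead_encrypt(key, nonce, aad, pt2)[:len(pt2)]
    ctr_leaks_xor = xor(c1, c2) == xor(pt1, pt2)

    # Same repeated nonce with SIV: different plaintexts give different synthetic IVs,
    # hence different keystreams, so the XOR relation does not appear.
    s1 = siv_encrypt(key, [aad, nonce], pt1)
    s2 = siv_encrypt(key, [aad, nonce], pt2)
    siv_leaks_xor = xor(s1[TAG_LEN:], s2[TAG_LEN:]) == xor(pt1, pt2)

    # What SIV does reveal: identical (AD, plaintext) under one key -> identical ciphertext.
    siv_equal_msgs_collide = siv_encrypt(key, [aad, nonce], pt1) == s1

    # Integrity survives the misuse: a one-bit change in the ciphertext fails authentication.
    tampered = bytearray(s1)
    tampered[-1] ^= 0x01
    siv_rejects_tamper = siv_decrypt(key, [aad, nonce], bytes(tampered)) is None

    return {
        "ctr_leaks_xor": ctr_leaks_xor,                    # True
        "siv_leaks_xor": siv_leaks_xor,                    # False
        "siv_equal_msgs_collide": siv_equal_msgs_collide,  # True
        "siv_rejects_tamper": siv_rejects_tamper,          # True
        "siv_roundtrip": siv_decrypt(key, [aad, nonce], s1) == pt1,  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The integrity loss RFC 5116 mentions for GCM comes from recovering the GHASH key and is specific to GCM; the HMAC stand-in here does not reproduce it, so only the confidentiality leak is shown. For a real implementation use AES-SIV as specified in RFC 5297 from a vetted library, not these placeholder primitives.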

  7. Opposition to Using SIV?
  • It’s not a NIST-approved mode of operation. True, but…
    • NIST does not approve modes prior to use
      • GCM was proposed for use by IPsec before NIST approved it
      • CCM was proposed for use by 802.11 before NIST approved it
    • When did prior NIST approval become a requirement? Never.
    • SIV is a secure composition of two NIST-approved modes: CTR and CMAC!
  • It’s not as efficient as GCM. True, but…
    • Very few encryptions are performed, so the efficiency advantage is negligible
    • The small gain in efficiency must be weighed against the increased cost of nonce maintenance and hygiene
    • The easiest way to manage nonce uniqueness (a random bit string) would make GCM less efficient

  8. A Misunderstanding about Proposal
  • Not proposing to protect the whole Association frame!
  • Not doing 11w-style management frame protection!
  [Figure, crossed out with “NO!!!”: the 11w-style frame layout (MAC Header | SIV Header | Data (PDU) | MIC | FCS), with the MAC header authenticated (some fields masked to zero) and the data encrypted. Apologies to Figure 11-16 from 802.11-2012.]

  9. A Misunderstanding about Proposal
  • Just want to protect the sequence of IEs in the data
  • Does not require hardware changes!
    • SIV is NOT intended for the radio chipset
    • We don’t want to plumb an unconfirmed key to hardware anyway
    • Software solution by the same module that does 1x/EAP/FILS
  [Figure: MAC Header and FCS left as they are; only the sequence of IEs and fields defining the Association frame is authenticated and encrypted.]

  10. Why Use SIV for 802.11ai?
  • It has properties that are very attractive
    • Provably secure
    • Can’t talk about patents, but it does not have the cost impact on an implementation that other schemes have
    • Robust and misuse resistant
  • It’s the right tool for the right job
    • Performs authenticated encryption with associated data
    • No need to worry about what we don’t have to worry about
  • It’s already defined for use in 802.11
  • Standardized in RFC 5297

  11. References
  • Rogaway, P. and T. Shrimpton, “Deterministic Authenticated Encryption, A Provable-Security Treatment of the Key-Wrap Problem”, Advances in Cryptology – EUROCRYPT ’06, St. Petersburg, Russia, 2006.
  • McGrew, D., “An Interface and Algorithms for Authenticated Encryption”, RFC 5116, January 2008.
  • Harkins, D., “Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)”, RFC 5297, October 2008.
