Authenticated Encryption with Replay prOtection (AERO)

Slides:



Advertisements
Similar presentations
Block Cipher Modes of Operation and Stream Ciphers
Advertisements

“Advanced Encryption Standard” & “Modes of Operation”
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.2 Secret Key Cryptography.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.
CSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Impacts of Security Protocols on Real- time Multimedia Communications Kihun Hong 1, Souhwan Jung 1, Luigi Lo Iacono 2, Christoph.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: Authors:
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Wired Equivalent Privacy (WEP)
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
THE USE OF IP ESP TO PROVIDE A MIX OF SECURITY SERVICES IN IP DATAGRAM SREEJITH SREEDHARAN CS843 PROJECT PRESENTATION 04/28/03.
15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.
Lecture 23 Symmetric Encryption
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Message Authentication Requirements Disclosure Release of message contents to any person or process not possessing the appropriate cryptographic key Traffic.
Air-Interface Application Layer Security: A follow up to C Source: Lucent Technologies, Inc. S.Patel, G.Sundaram, R.Rance, S.Mizikovsky,
One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.
IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: On padding method of AES-CBC Date Submitted: January, 17th, 2013 Presented at IEEE.
CSCE 715: Network Systems Security
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.
Chapter 9: Algorithms Types and Modes Dulal C. Kar Based on Schneier.
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.
Swankoski MAPLD 2005 / B103 1 Dynamic High-Performance Multi-Mode Architectures for AES Encryption Eric Swankoski Naval Research Lab Vijay Narayanan Penn.
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
SSL/TLS How to send your credit card number securely over the internet.
1 AERO Algorithm Overview October 2013 San Antonio, Texas USA Howard Weiss NASA/JPL/PARSONS* Identity crisis: Formerly SPARTA Formerly Cobham Formerly.
TinySec : Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof :: Naveen Sastry :: David Wagner Presented by Anil Karamchandani 10/01/2007.
Lecture 23 Symmetric Encryption
Symmetric Encryption Lesson Introduction ●Block cipher primitives ●DES ●AES ●Encrypting large message ●Message integrity.
PGP & IP Security  Pretty Good Privacy – PGP Pretty Good Privacy  IP Security. IP Security.
Template vertLeftWhite2 Authenticated Encryption Attacking non-atomic decryption Online Cryptography Course Dan Boneh.
Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.
Should NIST Develop an Additional Version of GCM? July 26, 2007 Morris Dworkin, Mathematician Security Technology Group
MiniSec: A Secure Sensor Network Communication Architecture Carnegie Mellon UniversityUniversity of Maryland at College Park Mark Luk, Ghita Mezzour, Adrian.
Dan Boneh Authenticated Encryption Constructions from ciphers and MACs Online Cryptography Course Dan Boneh.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
IP Security (IPSec) Encapsulating Security Payload (ESP) Dr Milan Marković.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Message Authentication Code
November 14, 2016 Secure MAC algorithms for use with NTP draft-aanchal4-ntp-mac-03 CFRG: IETF97 Aanchal Malhotra Sharon Goldberg.
Authenticated encryption
Block Cipher Modes CS 465 Make a chart for the mode comparisons
Cryptography Lecture 12.
Cryptography Lecture 10.
Block cipher and modes of encryptions
Dynamic High-Performance Multi-Mode Architectures for AES Encryption
Security of Wireless Sensor Networks
Cryptography Lecture 10.
Cryptography Lecture 9.
Cryptography Lecture 11.
Counter With Cipher Block Chaining-MAC
Counter Mode, Output Feedback Mode
Presentation transcript:

Authenticated Encryption with Replay prOtection (AERO)

AERO Authenticated Encryption algorithm Stateful and self-synchronizing Easy to use Robust against nonce misuse and decryption misuse Saves bandwidth No nonce, no sequence number New standards contributions and research

Communication Security Goals Unreliable transport Message loss Message reorder Multiple senders, multiple receivers Adaptive chosen plaintext, chosen ciphertext attacks Security against forgery Plaintext indistinguishable from random

Conventional Encryption + Authentication Ciphertext Header SEQ IV Tag Message AES-CBC Encryption HMAC Sequence Number Sequence Number

Conventional A+E with Extended SEQ Ciphertext SEQ IV Tag Message AES-CBC Encryption HMAC SEQ LO SEQ LO SEQ HI SEQ HI Header

Conventional Decryption Ciphertext Header SEQ IV Tag Message AES-CBC Decryption HMAC Sequence Number Check Sequence Number Check SEQ HI SEQ HI

Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI Header

Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI Bandwidth: SEQ, IV, Tag Header

Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI Multiple receivers awkward Bandwidth: SEQ, IV, Tag Header

Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI IV hard to manage Multiple senders INSECURE if mismanaged Multiple receivers awkward Bandwidth: SEQ, IV, Tag Header

Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI Complex to use IV hard to manage Multiple senders INSECURE if mismanaged Multiple receivers awkward Bandwidth: SEQ, IV, Tag

Header Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI Complex to use IV hard to manage Multiple senders INSECURE if mismanaged Multiple receivers awkward Bandwidth: SEQ, IV, Tag Decryption Misuse

AERO Ciphertext Header Message AERO Encryption Easy to use No IV to manage Multiple senders Secure if misused Multiple receivers easy Minimal overhead Robust against decryption misuse

AERO Encryption Wide Pseudo Random Permutation (WPRP) Encryption Ciphertext Sequence Number Plaintext || Header

Wide Pseudo Random Permutation (WPRP) WPRP Encryption 562a666ab08dae419b3 0818a309a064f40a9b2

Wide Pseudo Random Permutation (WPRP) WPRP Encryption 562a666ab08dae419b3 0818a309a064f40a9b2 WPRP Encryption 562a666ab18dae419bf e295e324f8a7181ad927

Wide Pseudo Random Permutation (WPRP) WPRP Decryption 562a666ab08dae419b3 0818a309a064f40a9b2 WPRP Decryption 562a666ab18dae419bf e295e324f8a7181ad927 AES Extended Codebook (XCB) Mode of Operation

AERO Decryption Wide Pseudo Random Permutation (WPRP) Decryption Ciphertext Candidate Seq Num Candidate Seq Num Plaintext || Header Check Return Plaintext, Update s Return Plaintext, Update s Return FAIL Plaintext FAIL (or) s, r

Candidate Sequence Number Checking sr 0 2 t -1 Largest sequence number accepted so far Last rejected candidate sequence number CSN

Likely next candidates sr 0 2 t -1 Largest sequence number accepted so far Last rejected candidate sequence number CSN s+1 s+2

Candidate Sequence Number Checking ww sr 0 v Largest sequence number accepted so far Last rejected candidate sequence number CSN 2 t -1

(Re)synchronization sr 0 2 t -1 Largest sequence number accepted so far Last rejected candidate sequence number CSN Actual Sequence Number Actual Sequence Number

(Re)synchronization sr 0 2 t -1 Largest sequence number accepted so far Last rejected candidate sequence number CSN Actual Sequence Number Actual Sequence Number Actual Sequence Number +1 Actual Sequence Number +1

Candidate Sequence Number Checking ww 0 v set s accept check bitmask accept update s update bitmask accept set r to s reject CSN sr 2 t -1

Security of Authentication 0 2w+v ~ 72 out of 2 t accepted CSN sr Probability of successful forgery = 2t2t 72 ~ 2 -t+7 2 t -1

IPSec Ciphertext SPI SEQ IV Tag 4 bytes 8 bytes 12 bytes Ciphertext SPI 4 bytes plaintext length + 12 bytes ESP AES-GCM, AES-CCM, or AES-CTR plus HMAC-SHA1 ESP AERO 24+ bytes overhead per packet 12 bytes overhead per packet no misuse resistance misuse resistance length of plaintext + pad

Performance WPRP CPB ~ 1.5 x GCM CPB Inefficient on long messages Higher latency Larger memory requirements … but this is true of all AEAD methods … More efficient on short messages Short frames (about 100 bytes for ) Four bytes less overhead means: ~ 4% less power used in transmission ~ 4% less power used in reception ~ 4% lower probability that retransmission is needed

Status Research Formalization of security models and goals WPRP encryption alternatives IETF draft-mcgrew-aero-00.txt draft-mcgrew-srtp-aero-01.txt draft-mcgrew-dtls-aero-00.txt CAESAR Does not work with conventional AEAD API

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.