Submission doc.: IEEE 11-12/1253r1, November 2012. Dan Harkins, Aruba Networks.
Slide 1: Why Use SIV for 11ai?
Date: 2012-10-30
Authors: Dan Harkins, Aruba Networks

Slide 2: Abstract
This presentation suggests the best solution to a problem that TGai has

Slide 3: What's the Problem that Needs Solving?
- The Association Request/Response is used for key confirmation: to prove possession of the key that results from exchanging Authentication frames
- Some parts need authentication and encryption
  - KDEs containing keys
  - Potentially DHCP
- Some parts need authentication but no encryption
  - The session IE
  - Other stuff?
- What we need to do this is an authenticated encryption that takes additional associated data: an AEAD mode

Slide 4: AEAD Cipher Modes
- There are quite a few AEAD modes that encrypt and authenticate a plaintext and authenticate associated data: GCM, CCM, SIV, CWC, OCB, ...
- Similar interface:
  - Input: key, plaintext, nonce/IV/counter, AAD
  - Output: ciphertext (including a MIC/tag)
- Key is used to encrypt and authenticate the plaintext and AAD. The nonce/IV/counter is to make the mode probabilistic and is critical for security (for all but one mode)

Slide 5: Nonce Construction for AEAD Schemes
- Nonce must be unique for all calls to the encryption API, otherwise (according to RFC 5116, for GCM):
  - a loss of confidentiality ensues because an attacker can reconstruct the bitwise exclusive-or of the two plaintext values
  - a loss of integrity ensues because the attacker will be able to recover the internal hash key used to provide data integrity
- A loss of confidentiality and integrity for a scheme that is supposed to provide confidentiality and integrity means its security is completely voided!
- Nonce hygiene must be strictly enforced! Unless...

Slide 6: Misuse-Resistant AEAD
- SIV does not require a nonce and does not lose all security if one is used and it is repeated
- If two identical messages, with identical AAD, get enciphered using the same key (and same nonce) then:
  - No loss of integrity
  - Loss of privacy only in the sense that the adversary knows two identical messages (with identical AAD) were protected with the same key
- Using SIV means we don't need to worry about the nonce!
  - It does not need to be passed in the message
  - It does not need to be reconstructed on both sides
  - It does not need to be managed to ensure uniqueness

Slide 7: Opposition to Using SIV?
- It's not a NIST-approved mode of operation. True but...
  - NIST does not approve modes prior to use
  - GCM was proposed for use by IPsec before NIST approved it
  - CCM was proposed for use by before NIST approved it
  - When did prior NIST approval become a requirement? Never.
  - SIV is a secure composition of two NIST-approved modes: CTR and CMAC!
- It's not as efficient as GCM. True but...
  - Very few encryptions are performed, so the efficiency advantage is negligible
  - The small gain in efficiency must be weighed against the increased cost of nonce maintenance and hygiene
  - The easiest way to manage nonce uniqueness (a random bit string) would make GCM less efficient

Slide 8: A Misunderstanding about Proposal
- Not proposing to protect the whole Association frame!
- Not doing 11w-style management frame protection!
[Figure: frame layout MAC Header | SIV Header | Data (PDU) | MIC | FCS, with the encrypted and authenticated spans marked (some fields masked to zero), labelled "NO!!!"; the figure credit is truncated on the page]

Slide 9: A Misunderstanding about Proposal
- Just want to protect the sequence of IEs in the data
- Does not require hardware changes!
  - SIV is NOT intended for the radio chipset
  - We don't want to plumb an unconfirmed key to hardware anyway
  - Software solution by the same module that does 1x/EAP/FILS
[Figure: frame layout MAC Header | sequence of IEs and fields defining the Association frame | FCS, with the encrypted and authenticated spans marked]

Slide 10: Why Use SIV for 11ai?
- It has properties that are very attractive
  - Provably secure
  - Can't talk about patents, but it does not have the cost impact on an implementation that other schemes have
  - Robust and misuse resistant
- It's the right tool for the right job
  - Performs authenticated encryption with associated data
  - No need to worry about what we don't have to worry about
- It's already defined for use in
  - Standardized in RFC 5297

Slide 11: References
- Rogaway, P. and T. Shrimpton, "Deterministic Authenticated Encryption, A Provable-Security Treatment of the Key-Wrap Problem", Advances in Cryptology, EUROCRYPT '06, St. Petersburg, Russia.
- McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, January 2008.
- Harkins, D., "Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)", RFC 5297, October 2008.