Scalable, Efficient Cryptography for Multiple Security Services
David A. McGrew, Cisco Systems, Inc.
© 2004, Cisco Systems, Inc. All rights reserved.

GCM Overview
- Block cipher mode of operation
- Provides both confidentiality and authentication
- Provides high speed, low latency at low cost
- Best mode of operation for packet networks
- Usability features
- Proposed to NIST and other standards areas
- Joint work with John Viega of Secure Software

Block Cipher
- Inputs: K - key; P - plaintext (128 bits)
- Output: C - ciphertext (128 bits)

Authenticated Encryption Operation
Inputs:
- K - key (same length as block cipher key)
- IV - unique value (length between 1 and 2^64 bits)
- P - plaintext (length between 0 and 2^39 bits)
- A - additional authenticated data (1 to 2^64 bits)
Outputs:
- C - ciphertext (same length as P)
- T - authentication tag (length between 0 and 128 bits)
Example: GCM Frame Encryption (figure)

AE Mode Requirements
- Line rate (10+ Gbps) in hardware
- Parallelizable, pipelineable
- Low implementation cost
- Low (packet) latency
- Good software performance
- Provably secure
- Unencumbered by intellectual property
- Promotes standardization

GCM Uses
- IEEE Link Security (802.1AE): GCM is the mandatory cryptoalgorithm in the draft
- IPsec ESP: draft based on ESP-AES-CCM and ESP-AES-CTR
- Fibre Channel Security
- Future fast wireless LAN

GCM Internals
- Counter Mode encryption: based on the IPsec CTR specification; efficient, compact
- MAC is an encrypted hash: polynomial hash over GF(2^128); multiply and accumulate; MAC key H = E_K(0^128)
Counter Mode Encryption (figure)

Universal Hash-based MACs
Pr[GHASH(M) ⊕ GHASH(M') = a] ≈ len(M)/2^128

GHASH
- Input consists of C, A, length(A) | length(C)

The Field GF(2^128)
- Addition, multiplication, …
- Polynomial basis: field element = 128-term binary polynomial
- Addition is just exclusive-or
- Multiplication ≈ 2^16 bit operations
- Well-suited for hardware implementations

Software
- Counter mode is simple
- Software can avoid first AES round - 10% gain
- GF(2^128) multiply: lookup tables computed per key, 256 bytes to 64 kilobytes
- Fastest mode on packets up to 576 bytes

Software Performance (cycles/byte) (figure)
GCM Benefits
- Can act as stand-alone MAC: could be used in IPsec AH or ESP with NULL encryption
- Can act as incremental MAC
- Can accept IVs of arbitrary length

Arbitrary Length IVs
- Optimized for 96-bit IV: preserves performance, maintains security
- Promotes usability
- Can use natural nonces - filenames, network addresses, …
- Obviates need to derive secondary keys

Arbitrary Length IV: File Encryption
- IV = seq_num | filename
  0000 | /etc/passwd
  0001 | /etc/passwd
  …
- Authentication tag T appended to file

Incremental MAC
- Given (MSG, MAC), can compute MAC for MSG' efficiently
- Useful for remote authentication: secure storage networking, network filesystems (e.g. CFS)

Incremental MAC: Remote Storage
- A = B[0] | B[1] | … | B[N-1]
- P = {}
- IV = version number (plus other info)
- When B[i] is changed to B'[i], compute
  New T = Old T ⊕ AES(Old IV) ⊕ AES(New IV) ⊕ HASH(H, B[i]) ⊕ HASH(H, B'[i])
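As an added illustration of the GHASH and GF(2^128) slides and of the remote-storage update rule above, the following Python is not the presentation's own code. Instead of calling AES it takes H and E_K(Y0) from the GCM specification's AES-128 test case 2 (all-zero key and IV); the second version's E_K(Y0), the four data blocks and all function names are constructed for the example.

```python
R = 0xE1000000000000000000000000000000  # x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order
def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit field elements (GCM spec Algorithm 1; bit 0 is the leftmost bit)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def h_pow(h: int, e: int) -> int:
    """H^e by repeated multiplication; the identity 1 = x^0 is the leftmost bit."""
    r = 1 << 127
    for _ in range(e):
        r = gf_mult(r, h)
    return r

def blocks(data: bytes) -> list:
    """Split into 128-bit blocks, zero-padding the final partial block."""
    return [int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big") for i in range(0, len(data), 16)]

def ghash(h: int, a: bytes, c: bytes) -> int:
    """GHASH(H, A, C): multiply-and-accumulate over A, C and [len(A)]_64 || [len(C)]_64 (bit lengths)."""
    x = 0
    for b in blocks(a) + blocks(c) + [(len(a) * 8) << 64 | (len(c) * 8)]:
        x = gf_mult(x ^ b, h)
    return x

def tag(h: int, ek_y0: int, a: bytes, c: bytes) -> int:
    """T = GHASH(H, A, C) xor E_K(Y0): the MAC is the encrypted hash."""
    return ghash(h, a, c) ^ ek_y0

def incremental_tag(old_t, ek_old, ek_new, h, old_blk, new_blk, exp):
    """New T = Old T + AES(Old IV) + AES(New IV) + HASH(H,B[i]) + HASH(H,B'[i]), where
    HASH(H, B[i]) = B[i] * H^exp and exp = number of blocks after B[i] (incl. the length block)."""
    hp = h_pow(h, exp)
    return old_t ^ ek_old ^ ek_new ^ gf_mult(old_blk, hp) ^ gf_mult(new_blk, hp)

# Block-cipher outputs taken from the GCM spec's AES-128 test case 2 (all-zero key and IV):
H_TC2 = 0x66e94bd4ef8a2c3b884cfa59ca342b2e       # H = E_K(0^128)
EK_Y0_TC2 = 0x58e2fccefa7e3061367f1d57a4e7455a   # E_K(IV || 0^31 || 1)
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")  # ciphertext of one zero block
def demo_incremental() -> bool:
    """Remote storage: A = B[0]|...|B[3], P = {}; rewrite B[2] and bump the IV (version)."""
    ek_v1, ek_v2 = EK_Y0_TC2, 0x0123456789abcdef0123456789abcdef  # second value is constructed
    a = [bytes([j]) * 16 for j in range(4)]                      # constructed data blocks
    t_old = tag(H_TC2, ek_v1, b"".join(a), b"")
    new_b2, exp = b"\xff" * 16, len(a) - 2 + 1                   # B[3] + length block follow B[2]
    t_fast = incremental_tag(t_old, ek_v1, ek_v2, H_TC2,
                             int.from_bytes(a[2], "big"), int.from_bytes(new_b2, "big"), exp)
    return t_fast == tag(H_TC2, ek_v2, b"".join(a[:2]) + new_b2 + b"".join(a[3:]), b"")
```

The update touches only the rewritten block and the two counter-block encryptions, whichever N is, while the full recomputation on the right-hand side walks every block of A again.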
Security
- Counter mode well understood
- AES GCM secure up to ~2^68 bytes
- MAC based on XOR-universal hash: well understood theory, good security properties

Security Considerations
- IV reuse in encryption can expose H; but reuse in decryption does not
- Given one forged message, can produce many more easily; but does not change likelihood of zero forgeries
- All-zero counter value is highly unlikely and undetectable
References (1 of 2)
- GCM and OCB: csrc.nist.gov/CryptoToolkit/modes/proposedmodes/
- IEEE Link Security
- Fibre Channel
- IPsec: draft-ietf-ipsec-ciph-aes-gcm-00.txt

References (2 of 2)
Counter mode:
- Diffie and Hellman. Privacy and Authentication: An Introduction to Cryptography. Proceedings of the IEEE, Volume 67, Number 3, March.
- Bellare, Desai, Jokipii, and Rogaway. A concrete security treatment of symmetric encryption. Proceedings of the 38th Annual Symposium on Foundations of Computer Science, IEEE.
Universal hashing and MACs:
- Wegman and Carter. New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences, Vol. 22.
- Krawczyk. LFSR-based hashing and authentication. Proceedings of CRYPTO '94, Lecture Notes in Computer Science No. 839.
Comparison to OCB
- GCM has slightly higher per-block cost: GF(2^128) multiply
- OCB has extra per-packet AES invocation: adds AES latency to packet encryption latency
- Software: GCM faster on short packets
- Hardware: GCM slightly higher cost, 1/2 latency
- GCM may need additional key store
- GCM has additional benefits

Security Model (1 of 2)
- Block cipher is secure if indistinguishable from a random permutation
- GCM secure if: ciphertext indistinguishable from random, and forgery unlikely to succeed

Security Model (2 of 2) (figure)