Should NIST Develop an Additional Version of GCM? July 26, 2007 Morris Dworkin, Mathematician Security Technology Group


Some of the Submissions to NIST for Authenticated Encryption
Patented, One-Pass, Parallelizable Modes
  — XECB, etc. (Gligor, Donescu)
  — IAPM (Jutla)
  — OCB (Rogaway)
Other Parallelizable Modes, One-Pass + Universal Hash
  — GCM (McGrew, Viega)
  — CWC (Kohno, Viega, Whiting)
Two-Pass Modes
  — CCM (Housley, Whiting, Ferguson)
  — EAX (Bellare, Rogaway, Wagner)

Galois/Counter Mode (GCM)
Designed, analyzed, submitted by McGrew & Viega
Authenticated encryption with associated data (AEAD)
  — Counter mode encryption using approved block cipher
  — Authentication using universal hash function in Galois field
  — Requires 96-bit initialization vectors (IVs) that do not repeat for the life of the key
Performance
  — High-speed (10 Gbit/sec) hardware implementation
  — Good in software, given table lookups

GCM Authenticated Encryption
(Diagram: the IV yields the initial counter block J0; GCTR_K, starting from inc(J0), encrypts plaintext P to ciphertext C; GHASH_H is applied to A ‖ 0^v ‖ C ‖ 0^u ‖ [len(A)]_64 ‖ [len(C)]_64, where H = CIPH_K(0^128); the tag T is MSB_t of GCTR_K(J0, GHASH output).)

GCM Authenticated Decryption
(Diagram: the same GHASH_H / GCTR_K structure run over A, C and the length block [len(A)]_64 ‖ [len(C)]_64 recomputes a tag T' = MSB_t of GCTR_K(J0, GHASH output); if T ≠ T' the output is FAIL, otherwise GCTR_K from inc(J0) recovers P.)

GCM GCTR Function

GHASH Function (NIST version, w/o length encodings)
In effect, the GHASH function calculates $X_1 \cdot H^{m} \oplus X_2 \cdot H^{m-1} \oplus \cdots \oplus X_{m-1} \cdot H^{2} \oplus X_m \cdot H$, where $X_1, \ldots, X_m$ are the 128-bit input blocks and $H$ is the authentication subkey.
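As an added example (not part of the slides), the GCM field multiplication and GHASH written two ways, so the Horner-style loop an implementation uses can be checked against the expanded polynomial above; bit ordering and the reduction constant follow SP 800-38D, and the sample values are the published GCM test case 2 (all-zero key, plaintext and IV).

```python
# Added example, not from the presentation: GF(2^128) multiplication and GHASH
# in GCM's bit order, in both Horner form and the expanded polynomial form.
R = 0xE1 << 120  # reduction constant for x^128 + x^7 + x^2 + x + 1 in GCM bit order

def gf128_mul(x: int, y: int) -> int:
    """Multiply two 128-bit field elements (SP 800-38D Algorithm 1)."""
    z, v = 0, y
    for i in range(128):
        # Bit i of x, counted from the leftmost (most significant) bit.
        if (x >> (127 - i)) & 1:
            z ^= v
        # v <- v * x in the field: a right shift, reduced when a bit falls off.
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def blocks_of(data: bytes) -> list:
    """Split block-aligned input into the 128-bit integers X_1..X_m."""
    if len(data) % 16:
        raise ValueError("GHASH input must be a multiple of 16 bytes")
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]

def ghash(h: bytes, data: bytes) -> bytes:
    """Horner form used by implementations: Y_i = (Y_{i-1} xor X_i) * H."""
    H, y = int.from_bytes(h, "big"), 0
    for x in blocks_of(data):
        y = gf128_mul(y ^ x, H)
    return y.to_bytes(16, "big")

def ghash_expanded(h: bytes, data: bytes) -> bytes:
    """Expanded form from the slide: X_1*H^m xor X_2*H^(m-1) xor ... xor X_m*H."""
    H = int.from_bytes(h, "big")
    xs = blocks_of(data)
    m, acc = len(xs), 0
    for k, x in enumerate(xs, start=1):
        term = x
        for _ in range(m - k + 1):  # multiply X_k by H^(m-k+1)
            term = gf128_mul(term, H)
        acc ^= term
    return acc.to_bytes(16, "big")

if __name__ == "__main__":
    # Published GCM test case 2 (K = 0, P = 0, IV = 0): H = AES_K(0^128), one
    # ciphertext block C, then the length block [len(A)]_64 || [len(C)]_64.
    H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
    C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    L = bytes.fromhex("00000000000000000000000000000080")
    print(ghash(H, C + L).hex())  # f38cbb1ad69223dcc3457ae5b6b0f885
    print(ghash_expanded(H, C + L) == ghash(H, C + L))  # True
```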

Summary of the Development of NIST Special Publication D
Announcement of selection of GCM over CWC (2005)
First draft SP D (spring of 2006)
  — Restricts range of tag lengths to bytes
Joux’s public comment (June, 2006)
  — Practical attack if initialization vector (IV) is repeated for a key
  — Suggests design modifications
Second draft SP D (July, 2007)
  — Elaborates on IV requirements
  — Removes support for variable-length IVs

Joux’s Attack on Repeating IVs
Assumes IVs are repeated for distinct encryption inputs
  — Violation of GCM requirements (implementation error)
  — Adversary needs only a couple of pairs of IV-sharing ciphertexts
Adversary can probably derive authentication subkey
If so, authentication assurance is essentially lost
  — Valid tags can be found for arbitrary ciphertext, reusing old IV
  — Counter mode “malleability” can be exploited: given one known plaintext-ciphertext pair, and reusing its IV, adversary can choose any bits to “flip”
Confidentiality apparently not affected

Elaboration on IV Requirements in Second Draft NIST SP D
Two IV constructions
  — Deterministic assurance of uniqueness
  — Random bit generator, up to threshold of over life of key
Implementation considerations for designer and implementer
  — E.g., recovery from power loss
For validation against FIPS
  — IV generation must be within cryptographic boundary of module
  — IV is a critical security parameter until invoked (for encryption)
  — Documentation requirements
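As an added example (not from the slides or from SP 800-38D itself), the two IV constructions above, with the invocation counter reserved ahead in non-volatile storage so that recovery from power loss cannot hand out a counter value twice; it assumes a 96-bit IV, a dict standing in for non-volatile storage, and the per-key limit of 2^32 invocations that the final SP 800-38D sets for RBG-based IVs.

```python
# Added example, not from the presentation: deterministic and random 96-bit IV
# generation with the uniqueness and threshold checks enforced in code.
import secrets

IV_BYTES = 12
RANDOM_IV_MAX_INVOCATIONS = 2 ** 32  # per-key limit for RBG-based IVs (final SP 800-38D)

class DeterministicIV:
    """IV = fixed field (device/context id) || invocation counter."""

    def __init__(self, fixed_field: bytes, invocation_bits: int = 64,
                 store: dict = None, reserve: int = 1024):
        if invocation_bits % 8 or len(fixed_field) * 8 + invocation_bits != IV_BYTES * 8:
            raise ValueError("fixed field and invocation field must total 96 bits")
        self.fixed = fixed_field
        self.inv_bytes = invocation_bits // 8
        self.limit = 2 ** invocation_bits
        self.reserve = reserve
        self.store = {} if store is None else store  # stands in for non-volatile storage
        # After a restart, resume at the end of the last reserved batch, never below it.
        self.counter = self.store.get("next_counter", 0)
        self.reserved_until = self.counter

    def next_iv(self) -> bytes:
        if self.counter >= self.limit:
            raise RuntimeError("invocation field exhausted: retire the key")
        if self.counter >= self.reserved_until:
            # Commit the upper end of a new batch to storage *before* handing out
            # any IV from it, so a power loss makes a later restart skip the batch.
            self.reserved_until = min(self.counter + self.reserve, self.limit)
            self.store["next_counter"] = self.reserved_until
        iv = self.fixed + self.counter.to_bytes(self.inv_bytes, "big")
        self.counter += 1
        return iv

class RandomIV:
    """RBG-based IV with the per-key invocation threshold enforced."""

    def __init__(self, limit: int = RANDOM_IV_MAX_INVOCATIONS):
        self.limit, self.count = limit, 0

    def next_iv(self) -> bytes:
        if self.count >= self.limit:
            raise RuntimeError("random-IV invocation limit reached: retire the key")
        self.count += 1
        return secrets.token_bytes(IV_BYTES)
```

Constructing a second DeterministicIV over the same store models a restart after power loss: it resumes at the committed batch boundary, so every IV it returns is new.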

Develop a “Misuse Resistant” Variant?
Joux suggests modifications
NIST would like feedback on whether to develop a variant of GCM that resists Joux’s attack
Pros
  — Allow relaxation of IV validation
  — Increase general purpose usability
Cons
  — Reduce performance, especially in hardware
  — Algorithm proliferation
NIST intends to finalize the original spec independently

Joux’s Suggested Modifications to GCM Authenticated Encryption
(Diagram: the same GCTR / GHASH structure as in GCM authenticated encryption, with a strong KDF deriving subkeys K1, K2, K3, K4 from the key K for use in the CIPH, GCTR and GHASH steps.)

Hardware Performance (bits/cycle), Assuming Single AES Pipeline
(Table: bits/cycle for GCM, CWC and OCB at several message sizes in bytes, and the resulting IPI for each mode.)

Internet Performance Index (IPI)
Table taken from “The Security and Performance of the Galois/Counter Mode (GCM) of Operation (Full Version)”.
Packet distribution: f(s) = the expected fraction of bytes that are carried in packets of size s.
Using data from the paper of Claffy, Miller, Thompson (1998): f(1500) = 0.6, f(576) = 0.2, f(552) = 0.15, f(44) = 0.05.
IPI = the expected number of bits processed per clock cycle for this packet distribution.
“Useful indicator of the performance of a crypto module that protects IP traffic using e.g. ESP in tunnel mode…”

GCM in Hardware: No Stalls in the AES Pipeline
(Diagram: pipeline rounds R1–R10 with the counter blocks P1…P4 and tag blocks T of successive messages queued back to back.)
The grey message has three counter blocks to encrypt: two for its plaintext blocks, and one for the output of the GHASH function. The counter blocks for the one-block yellow message and the multi-block blue message follow directly in the pipeline.

Software Performance Comparison (Mbps on 1 GHz processor)
(Table: Mbps for GCM with 64K, 4K and 256-byte tables, OCB, CWC, EAX, CCM and CBC-HMAC at several message sizes in bytes, plus IPI.)

Comments?