Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 1 AES Mode Choices OCB vs. Counter Mode with CBC-MAC Niels Ferguson,

Published byLucy Joseph Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 1 AES Mode Choices OCB vs. Counter Mode with CBC-MAC Niels Ferguson,"— Presentation transcript:

1 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 1 AES Mode Choices OCB vs. Counter Mode with CBC-MAC Niels Ferguson, MacFergus BV Russ Housley, RSA Labs Doug Whiting, HiFn

2 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 2 Introduction 802.11i currently specifies AES-OCB for confidentiality and integrity Have concerns with this choice Highlight issues by comparing to AES Counter (CTR) mode with AES-CBC-MAC

3 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 3 AES CTR with CBC-MAC CBC-MAC –Over: Length || SA || DA || … || Payload –Truncate to 64 bits and append to payload –CBC-MAC key derived from encryption key, only single-key required (may be pre- computed or computed on-the-fly) Encrypt using AES CTR, using IV to ensure unique counter values

4 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 4 AES CTR with CBC-MAC: Details

5 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 5 Dimensions of Comparison Patent Status Size of Implementation Power Consumption Speed Cleartext Integrity Coverage Simplicity of Key Management Packet Overhead Crypto Confidence

6 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 6 Patent Status IEEE 802 has long history with patents –Bottom line: Avoid patents when there are viable unencumbered alternatives No patents on CTR or CBC-MAC Three independent IP claimants on OCB –All three emphatically believe that their yet-to-be-issued patent(s) cover OCB mode Virgil Gligor, Charanjit Jutla (IBM), and Phil Rogaway Fair, non-discriminatory, and non-onerous are subjective (especially after standard is done)

7 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 7 Size of Implementation Unlike OCB, AES CTR and CBC-MAC require only encryption operations, not decryption Software: CTR with CBC-MAC is smaller –Cut table size in half (4K bytes vs. 8K bytes) –Cut round key table size in half (save 160 bytes) –Cut code size in half (roughly) Hardware: CTR with CBC-MAC is SMALLER than AES-OCB –Silicon area roughly 1.5x to 2x smaller than performing both encrypt and decrypt operations –Less than 20K gates for encryption only (fraction of overall ASIC?)

8 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 8 Power Consumption (in Hardware) OCB performs roughly half the number of crypto operations as CTR with CBC-MAC “Duty cycle” of encryption logic activity @ 40 MHz (assuming gated clocks) – ~3% for 802.11b (CTR with CBC-MAC) –~15% for 802.11a (CTR with CBC-MAC) Small fraction of gates, small duty cycle, digital vs. analog  power for encryption is “in the noise” (< 1%)

9 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 9 [Power Duty CycleComputations] Assumptions: –10 clocks per 128-bit AES block –40 MHz clock (i.e., 4M AES blocks/sec) AES throughput = 512 Mbps 802.11b  6.5 Mbps (max), x2 (for CTR with CBC-MAC)  13 Mbps Duty cycle  13/512 < 3%

10 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 10 Speed Most 802.11 implementations of AES will be in hardware Hardware: 55 Mbps (or twice that) is very slow for AES, as shown by the duty cycle in previous slide Software: OCB is twice the speed of CTR with CBC-MAC –OCB “wins” if 1x is fast enough, but 2x is too slow

11 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 11 Cleartext Integrity Coverage OCB “nonce stealing” allows integrity protection outside the payload –IV plus header fields <= 128 bits –Current proposal has reduced IV to 27 bits because of this OCB limitation –How would we protect another MAC address? CBC-MAC can cover an arbitrary amount of cleartext in addition to the payload

12 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 12 Simplicity of Key Management OCB uses two keys internally on decrypt –Pre-computed or computed on-the-fly CTR with CBC-MAC uses two keys –Derive CBC-MAC key from CTR key with one encrypt operation (counter = zero) –Pre-computed or computed on-the-fly

13 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 13 Packet Overhead OCB –IV –Check value CTR with CBC-MAC –IV –Check value Same overhead for same security

14 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 14 Crypto Confidence OCB is new –In crypto, new is dangerous –Some provably secure systems have been broken Proofs can contain subtle errors Proofs are always based on assumptions and a restricted model CTR and CBC-MAC are 20+ years old –Well studied, no surprises OCB and CTR both require care with IVs

15 doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 15 Conclusion No compelling advantage to OCB Please consider unencumbered alternatives

Download ppt "Doc.: IEEE 802.11-01/634r1 Submission November 2001 Ferguson, Housley, WhitingSlide 1 AES Mode Choices OCB vs. Counter Mode with CBC-MAC Niels Ferguson,"

Similar presentations

Submission Title: [AES Modes] Date Submitted: [May 10, 2002]

Submission Title: [AES Modes] Date Submitted: [May 10, 2002]
2 © 2004, Cisco Systems, Inc. All rights reserved. Scalable, Efficient Cryptography for Multiple Security Services David A. McGrew Cisco Systems, Inc.

2 © 2004, Cisco Systems, Inc. All rights reserved. Scalable, Efficient Cryptography for Multiple Security Services David A. McGrew Cisco Systems, Inc.
ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
May 2002 Dave Smith – The New Hewlett PackardSlide 1 doc.: IEEE 802.11-02/319r0 Submission AES Modes Dave Smith The New Hewlett Packard Company 8000 Foothills.

May 2002 Dave Smith – The New Hewlett PackardSlide 1 doc.: IEEE /319r0 Submission AES Modes Dave Smith The New Hewlett Packard Company 8000 Foothills.
P1451.5 Security Survey and Recommendations By: Ryon Coleman October 16, 2003.

P Security Survey and Recommendations By: Ryon Coleman October 16, 2003.
Doc.: IEEE 802.11-09/770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: 2009-07 Authors: Russ Housley (Vigil Security), et.

Doc.: IEEE /770r0 Submission July 2009 Slide 1 TGs Authenticated Encryption Function Date: Authors: Russ Housley (Vigil Security), et.
Security Implementation Proposal for OpenWSN

Security Implementation Proposal for OpenWSN
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Submission May, 2000 Doc: IEEE802.11-00 / 086 Steven Gray, Nokia Slide Brief Overview of Information Theory and Channel Coding Steven D. Gray 1.

Submission May, 2000 Doc: IEEE / 086 Steven Gray, Nokia Slide Brief Overview of Information Theory and Channel Coding Steven D. Gray 1.
Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: 2012-10-30 Authors:

Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: Authors:
Zheming CSCE715.  A wireless sensor network (WSN) ◦ Spatially distributed sensors to monitor physical or environmental conditions, and to cooperatively.

Zheming CSCE715.  A wireless sensor network (WSN) ◦ Spatially distributed sensors to monitor physical or environmental conditions, and to cooperatively.
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
OpenSig 2003: Panel Discussion on the Differences and Similarities of Wired vs. Wireless Security Russ Housley 9 October 2003.

OpenSig 2003: Panel Discussion on the Differences and Similarities of Wired vs. Wireless Security Russ Housley 9 October 2003.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.

1 CS 577 “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks” Chris Karlof, Naveen Sastry, David Wagner UC Berkeley Summary presented.
#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.

#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Similar presentations

Ads by Google