1. Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: 2012-10-30 Authors:

2. Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 2 Abstract This presentation suggests the best solution to a problem that TGai has

3. Submission doc.: IEEE 11-12/1253r1November 2012 Dan Harkins, Aruba NetworksSlide 3 What’s the Problem that Needs Solving? The Association Request/Response is used for key confirmation– to prove possession of the key that results from exchanging Authentication frames Some parts need authentication and encryption KDEs containing keys Potentially DHCP Some parts need authentication but no encryption The session IE Other stuff? We need some way to do this is an authenticated encryption that takes additional associated data– an AEAD mode

4. Submission doc.: IEEE 11-12/1253r1 AEAD Cipher Modes There are quite a few AEAD modes that encrypt and authenticate a plaintext and authenticate associated data GCM, CCM, SIV, CWC, OCB, … Similar interface: Input: key, plaintext, nonce/IV/counter, AAD Output: ciphertext (including a MIC/tag) Key is used to encrypt and authenticate the plaintext and AAD. The nonce/IV/counter is to make the mode probabilistic and is critical for security (for all but one mode) Slide 4Dan Harkins, Aruba Networks November 2012

5. Submission doc.: IEEE 11-12/1253r1 Nonce Construction for AEAD Schemes Nonce must be unique for all calls to encryption API, otherwise (according to RFC 5116, for GCM): a loss of confidentiality ensues because an attacker can reconstruct the bitwise exclusive-or of the two plaintext values a loss of integrity ensues because the attacker will be able to recover the internal hash key used to provide data integrity A loss of confidentiality and integrity for a scheme that is supposed to provide confidentiality and integrity means it’s security is completely voided! Nonce hygiene must be strictly enforced! Unless… Slide 5Dan Harkins, Aruba Networks November 2012

6. Submission doc.: IEEE 11-12/1253r1 Misuse-Resistant AEAD SIV does not require a nonce and does not lose all security if one is used and it is repeated If two identical messages, and identical AAD, get enciphered using the same key (and same nonce) then: No loss of integrity Loss of privacy in the sense that adversary knows two identical messages (with identical AAD) were protected with the same key Using SIV means we don’t need to worry about the nonce! It does not need to be passed in the message It does not need to be reconstructed on both sides It does not need to be managed to ensure uniqueness Slide 6Dan Harkins, Aruba Networks November 2012

7. Submission doc.: IEEE 11-12/1253r1 Opposition to Using SIV? It’s not a NIST-approved mode of operation. True but… NIST does not approve modes prior to use GCM was proposed for use by IPsec before NIST approved it CCM was proposed for use by 802.11 before NIST approved it When did prior NIST approved become a requirement? Never. SIV is a secure composition of two NIST-approved modes: CTR and CMAC! It’s not as efficient as GCM. True but… Very few encryptions mean efficiency advantage is negligible The small gain in efficiency must be weighed against the increased cost of nonce maintenance and hygiene Easiest way to manage nonce uniqueness (random bit string) would make GCM less efficient Slide 7Dan Harkins, Aruba Networks November 2012

8. Submission doc.: IEEE 11-12/1253r1 A Misunderstanding about Proposal Not proposing to protect the whole Association frame! Not doing 11w-style management frame protection! Slide 8Dan Harkins, Aruba Networks November 2012 MAC HeaderSIV Header Data (PDU) MICFCS encrypted authenticated (some fields masked to zero) NO!!! Apologies to Figure 11-16 from 802.11-2012

9. Submission doc.: IEEE 11-12/1253r1 A Misunderstanding about Proposal Just want to protect the sequence of IEs in the data Does not require hardware changes! SIV is NOT intended for the radio chipset We don’t want to plumb an unconfirmed key to hardware anyway Software solution by same module that does 1x/EAP/FILS Slide 9Dan Harkins, Aruba Networks November 2012 MAC Header sequence of IEs and fields defining the Association frame FCS encrypted authenticated

10. Submission doc.: IEEE 11-12/1253r1November 2012 Dan Harkins, Aruba NetworksSlide 10 Why Use SIV for 802.11ai? It has properties that are very attractive Provably secure Can’t talk about patents but it does not have the cost impact to an implementation that other schemes have Robust and misuse resistant It’s the right tool for the right job Performs authenticated encryption with associated data No need to worry about what we don’t have to worry about It’s already defined for use in 802.11 Standardized in RFC 5297

11. Submission doc.: IEEE 11-12/1253r1November 2012 Dan Harkins, Aruba NetworksSlide 11 References Rogaway, P. and T. Shrimpton, “Deterministic Authenticated Encryption, A Provable-Security Treatment of the Key-Wrap Problem”, Advances in Cryptology – EUROCRYPT '06 St. Petersburg, Russia, 2006. McGrew, D., “An Interface and Algorithms for Authenticated Encryption”, RFC 5116, January 2008 Harkins, D, “Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)”, RFC 5297, October 2008.