Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
Yoav Nir wrote: > Second issue is about UI advice. Some implementations (yes, mine is > included) allow the user to configure encryption algorithm, MAC > algorithm, and D-H group. There is no setting for PRF since such UIs > date back to IKEv1. The PRF is usually just taken from the setting for > MAC algorithm. This works fine as long as all supported MAC algorithms > are HMAC, XCBC, and CMAC. AES-GCM would have the same issue, but RFC > 5282 makes no mention of this issue. I’m wondering if we should > recommend to pair this algorithm in IKE with PRF_HMAC_SHA2_256. So, in this case, if you wanted to not change your UI, maybe you would tell the user to configure encryption-algorithm=Chacha20-Poly1305 MAC=HMAC-SHA2 DH=whatever the MAC would not apply to IPsec at all? I guess if we are deploying this algorithm with the concern that HMAC-SHA2/AES might become weak, that it would seem odd to depend upon SHA2 as the PRF. At least, users might not understand. (noting that SHA2 != HMAC-SHA2, and also that the inputs to the PRF as not very easily manipulated...) -- Michael Richardson , Sandelman Software Works -= IPv6 IoT consulting =- signature.asc Description: PGP signature ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
Here's the reason that we do use the 32-bit salt value for GCM - to prevent
batching attacks.
Consider the case that an attacker is able to collect packets from a billion
(2^30) sessions; each such session contains a packet with the same IV (say,
IV=0), and contains a packet with the same known plaintext (or, at least,
plaintext that satisfies the same known linear equations). Then, what an
attacker can do is check a key to see if any of the IV=0 packets used that key,
in constant time. The reduces the effort for an attacker to find the n bit key
for some session from 2^n to 2^{n-30}. What the salt does is multiply the
effort involved in this specific attack by a factor of 2^32 (because the
attacker needs to guess the key and the salt); that way, the attacker needs to
collect 4 billion sessions before this attack starts to have any advantage over
a simpler attack that just attacks a single packet (which the salt doesn’t
protect against).
Now, of course, chacha20 has 256 bit keys; hence even if we decided not to
apply the same protection, someone with a collection of a billion sessions
might be able to use this to reduce the effort to 2^226.
I'll let you decide whether this is a compelling argument or not…
I think that for 256-bit keys it’s not that compelling. So the question is
which is simpler: to do as AES-GCM does, or to set the salt to zero?
It seems to me like a "truth in advertising" kind of thing: if we use a
256-bit cipher then people using it expect 256-bit strength, rather than
2^226. So I would be happy if we can get the salt without having to pay
in packet length.
Thanks,
Yaron
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
> On Mar 30, 2015, at 8:42 PM, Scott Fluhrer (sfluhrer)
> wrote:
>
>
> -Original Message-
> From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav Nir
> Sent: Monday, March 30, 2015 10:40 AM
> To: internet-dra...@ietf.org
> Cc: ipsec@ietf.org; i-d-annou...@ietf.org
> Subject: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
>
>> Hi,
>>
>> There is two questions I would like guidance from the group about.
>>
>> First is the nonce/IV question: In the current draft, there is a 64-bit IV
>> with guidance not to repeat them (so use a counter or LFSR). The function
>> itself accepts a 96-bit input nonce, so the nonce is constructed from the
>> 64-bit IV and 32 zero bits. The reason for doing this is so the algorithm
>> could be used in a multi-sender case such as GDOI, where the 32-bit zero can
>> be replaced by a sender ID.
>
> This idea about the multi-sender case works only if the there's a sender id
> somewhere in the encrypted packet.
You’re right. For some reason I thought that the SID in GDOI was implied rather
than transmitted on the wire. Oh, well…
>> Alternatively, we could generate a 32-bit salt value from the key material,
>> but I don’t see a reason why we’d want that.
>
> Here's the reason that we do use the 32-bit salt value for GCM - to prevent
> batching attacks.
>
> Consider the case that an attacker is able to collect packets from a billion
> (2^30) sessions; each such session contains a packet with the same IV (say,
> IV=0), and contains a packet with the same known plaintext (or, at least,
> plaintext that satisfies the same known linear equations). Then, what an
> attacker can do is check a key to see if any of the IV=0 packets used that
> key, in constant time. The reduces the effort for an attacker to find the n
> bit key for some session from 2^n to 2^{n-30}. What the salt does is
> multiply the effort involved in this specific attack by a factor of 2^32
> (because the attacker needs to guess the key and the salt); that way, the
> attacker needs to collect 4 billion sessions before this attack starts to
> have any advantage over a simpler attack that just attacks a single packet
> (which the salt doesn’t protect against).
>
> Now, of course, chacha20 has 256 bit keys; hence even if we decided not to
> apply the same protection, someone with a collection of a billion sessions
> might be able to use this to reduce the effort to 2^226.
>
> I'll let you decide whether this is a compelling argument or not…
I think that for 256-bit keys it’s not that compelling. So the question is
which is simpler: to do as AES-GCM does, or to set the salt to zero?
Yoav
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
> On Mar 31, 2015, at 1:49 PM, Tero Kivinen wrote: > > Yoav Nir writes: >> First is the nonce/IV question: In the current draft, there is a >> 64-bit IV with guidance not to repeat them (so use a counter or >> LFSR). The function itself accepts a 96-bit input nonce, so the >> nonce is constructed from the 64-bit IV and 32 zero bits. The reason >> for doing this is so the algorithm could be used in a multi-sender >> case such as GDOI, where the 32-bit zero can be replaced by a sender >> ID. Alternatively, we could generate a 32-bit salt value from the >> key material, but I don’t see a reason why we’d want that. > > Reserving that 32-bits as sender-ID is fine... > >> Another thing we could do is what some people are advocating for >> TLS: Since a counter is a fine IV (no need for secrecy), we don’t >> need a 64-bit IV that has the exact same value as the replay >> counter. We might as well save 8 bytes per packet and just feed the >> replay counter to the function. The argument against this is that >> some crypto modules may have the API set up in such a way that the >> IVs are generated within the module and could be something other >> than a counter (like an LFSR). The proposal will break such APIs. > > As Kent explained in the meeting, if you move the IV generation out > from the crypto operation, then that also moves the FIPS boundary, > i.e. if the uniqueness of the IV generation (counter) is inside the > IPsec module, not in the ChaCha20 module, then you need to FIPS > certify whole thing. > > On the other hand with IPsec I think you mostly need to FIPS certify > quite a lot of stuff anyways... > > On the other hand, I think it would be possible to do things other way > around, i.e. make cipher to internally generate IV, but define that IV > MUST be running counter starting from 0, and use that counter as > sequence number in the ESP and compress sequence number out from the > packet. I.e. we would still have IV (coming form inside the crypto > boundary), but we compress the sequence number away, as it would > always be the same as IV... > > Currently we cannot do that, as we do not define how the IVs are > generated, thus the IPsec part cannot know for sure that IVs are > generated in such way. > > On the other hand if we define this cipher in such way that IV MUST be > generated such way, then we could make sequence number compression > option in the future, which would compress sequence number away from > the actual packet... I.e. gain the same effect, but not compressing > the IV, but compressing the sequence number... > > This would save 32-bits from the packet, as only 32-bits of the > sequence number is transmitted, not the full 64-bits, but that would > still be something, and if even more IV compression is needed, there > would be ways to only transmit smaller part of the IV and then > reconstruct it before decryption and verification. > > These compression extensions could happen after ESP encryption and > before ESP decryption, so the actual ESP packets seen by the engine > would be exactly same, only difference would be that they would need > to maintain strict requirement that SEQ matches IV… Such a compression extension would work fine for both ChaCha20-Poly1305 and AES-GCM at least. Probably the other currently-defined AEAD mode. OK, for now I’ll leave the TBD in, but I won’t change the text. >> Second issue is about UI advice. Some implementations (yes, mine is >> included) allow the user to configure encryption algorithm, MAC >> algorithm, and D-H group. There is no setting for PRF since such UIs >> date back to IKEv1. The PRF is usually just taken from the setting >> for MAC algorithm. This works fine as long as all supported MAC >> algorithms are HMAC, XCBC, and CMAC. AES-GCM would have the same >> issue, but RFC 5282 makes no mention of this issue. I’m wondering if >> we should recommend to pair this algorithm in IKE with >> PRF_HMAC_SHA2_256. > > There is no need in IKEv2 to tie the PRF to other algorithms, so I see > no reason to do so in this draft. > > On the other hand the other draft making the UI suite for this will of > course need to select suitable PRF, but that draft might want to wait > for new EC curves, so we could have complete DJB suite... > > Btw, in the draft introduction you have text which says: > > weakness in AES, VPN users will be in an unenviable position. With > the only other widely supported cipher being the much slower 3DES, it > is not feasible to re-configure IPsec installations to use 3DES. > [standby-cipher] describes this issue and the need for a standby > cipher in greater detail. > > I do not think the problem with 3DES is the speed, I think the bigger > problem is the way too short block length of it. As RFC7321 says: > > The Triple Data Encryption Standard (TDES) is obsolete because of its > small block size; as with all 64-bit block ciphers, it SHOULD NOT be > used to encrypt more than one gigabyte of dat
[IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
Yoav Nir writes: > First is the nonce/IV question: In the current draft, there is a > 64-bit IV with guidance not to repeat them (so use a counter or > LFSR). The function itself accepts a 96-bit input nonce, so the > nonce is constructed from the 64-bit IV and 32 zero bits. The reason > for doing this is so the algorithm could be used in a multi-sender > case such as GDOI, where the 32-bit zero can be replaced by a sender > ID. Alternatively, we could generate a 32-bit salt value from the > key material, but I don’t see a reason why we’d want that. Reserving that 32-bits as sender-ID is fine... > Another thing we could do is what some people are advocating for > TLS: Since a counter is a fine IV (no need for secrecy), we don’t > need a 64-bit IV that has the exact same value as the replay > counter. We might as well save 8 bytes per packet and just feed the > replay counter to the function. The argument against this is that > some crypto modules may have the API set up in such a way that the > IVs are generated within the module and could be something other > than a counter (like an LFSR). The proposal will break such APIs. As Kent explained in the meeting, if you move the IV generation out from the crypto operation, then that also moves the FIPS boundary, i.e. if the uniqueness of the IV generation (counter) is inside the IPsec module, not in the ChaCha20 module, then you need to FIPS certify whole thing. On the other hand with IPsec I think you mostly need to FIPS certify quite a lot of stuff anyways... On the other hand, I think it would be possible to do things other way around, i.e. make cipher to internally generate IV, but define that IV MUST be running counter starting from 0, and use that counter as sequence number in the ESP and compress sequence number out from the packet. I.e. we would still have IV (coming form inside the crypto boundary), but we compress the sequence number away, as it would always be the same as IV... Currently we cannot do that, as we do not define how the IVs are generated, thus the IPsec part cannot know for sure that IVs are generated in such way. On the other hand if we define this cipher in such way that IV MUST be generated such way, then we could make sequence number compression option in the future, which would compress sequence number away from the actual packet... I.e. gain the same effect, but not compressing the IV, but compressing the sequence number... This would save 32-bits from the packet, as only 32-bits of the sequence number is transmitted, not the full 64-bits, but that would still be something, and if even more IV compression is needed, there would be ways to only transmit smaller part of the IV and then reconstruct it before decryption and verification. These compression extensions could happen after ESP encryption and before ESP decryption, so the actual ESP packets seen by the engine would be exactly same, only difference would be that they would need to maintain strict requirement that SEQ matches IV... > Second issue is about UI advice. Some implementations (yes, mine is > included) allow the user to configure encryption algorithm, MAC > algorithm, and D-H group. There is no setting for PRF since such UIs > date back to IKEv1. The PRF is usually just taken from the setting > for MAC algorithm. This works fine as long as all supported MAC > algorithms are HMAC, XCBC, and CMAC. AES-GCM would have the same > issue, but RFC 5282 makes no mention of this issue. I’m wondering if > we should recommend to pair this algorithm in IKE with > PRF_HMAC_SHA2_256. There is no need in IKEv2 to tie the PRF to other algorithms, so I see no reason to do so in this draft. On the other hand the other draft making the UI suite for this will of course need to select suitable PRF, but that draft might want to wait for new EC curves, so we could have complete DJB suite... Btw, in the draft introduction you have text which says: weakness in AES, VPN users will be in an unenviable position. With the only other widely supported cipher being the much slower 3DES, it is not feasible to re-configure IPsec installations to use 3DES. [standby-cipher] describes this issue and the need for a standby cipher in greater detail. I do not think the problem with 3DES is the speed, I think the bigger problem is the way too short block length of it. As RFC7321 says: The Triple Data Encryption Standard (TDES) is obsolete because of its small block size; as with all 64-bit block ciphers, it SHOULD NOT be used to encrypt more than one gigabyte of data with a single key [M13]. Its key size is smaller than that of the Advanced Encryption Standard (AES), while at the same time its performance and efficiency are worse. Thus, its use in new implementations is discouraged. With gigabit links that would mean rekeying every ten seconds or so... -- kivi...@iki.fi ___ IPsec mailing list IPsec@ietf.org
Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
-Original Message-
From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav Nir
Sent: Monday, March 30, 2015 10:40 AM
To: internet-dra...@ietf.org
Cc: ipsec@ietf.org; i-d-annou...@ietf.org
Subject: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
> Hi,
>
> There is two questions I would like guidance from the group about.
>
> First is the nonce/IV question: In the current draft, there is a 64-bit IV
> with guidance not to repeat them (so use a counter or LFSR). The function
> itself accepts a 96-bit input nonce, so the nonce is constructed from the
> 64-bit IV and 32 zero bits. The reason for doing this is so the algorithm
> could be used in a multi-sender case such as GDOI, where the 32-bit zero can
> be replaced by a sender ID.
This idea about the multi-sender case works only if the there's a sender id
somewhere in the encrypted packet.
> Alternatively, we could generate a 32-bit salt value from the key material,
> but I don’t see a reason why we’d want that.
Here's the reason that we do use the 32-bit salt value for GCM - to prevent
batching attacks.
Consider the case that an attacker is able to collect packets from a billion
(2^30) sessions; each such session contains a packet with the same IV (say,
IV=0), and contains a packet with the same known plaintext (or, at least,
plaintext that satisfies the same known linear equations). Then, what an
attacker can do is check a key to see if any of the IV=0 packets used that key,
in constant time. The reduces the effort for an attacker to find the n bit key
for some session from 2^n to 2^{n-30}. What the salt does is multiply the
effort involved in this specific attack by a factor of 2^32 (because the
attacker needs to guess the key and the salt); that way, the attacker needs to
collect 4 billion sessions before this attack starts to have any advantage over
a simpler attack that just attacks a single packet (which the salt doesn’t
protect against).
Now, of course, chacha20 has 256 bit keys; hence even if we decided not to
apply the same protection, someone with a collection of a billion sessions
might be able to use this to reduce the effort to 2^226.
I'll let you decide whether this is a compelling argument or not...
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
Arrgh. Please don’t reply-all to my previous message, because it was mistakenly directed to I-D announce… > On Mar 30, 2015, at 5:39 PM, Yoav Nir wrote: > > Hi, > > There is two questions I would like guidance from the group about. > > First is the nonce/IV question: In the current draft, there is a 64-bit IV > with guidance not to repeat them (so use a counter or LFSR). The function > itself accepts a 96-bit input nonce, so the nonce is constructed from the > 64-bit IV and 32 zero bits. The reason for doing this is so the algorithm > could be used in a multi-sender case such as GDOI, where the 32-bit zero can > be replaced by a sender ID. Alternatively, we could generate a 32-bit salt > value from the key material, but I don’t see a reason why we’d want that. > Another thing we could do is what some people are advocating for TLS: Since a > counter is a fine IV (no need for secrecy), we don’t need a 64-bit IV that > has the exact same value as the replay counter. We might as well save 8 bytes > per packet and just feed the replay counter to the function. The argument > against this is that some crypto modules may have the API set up in such a > way that the IVs are generated within the module and could be something other > than a counter (like an LFSR). The proposal will break such APIs. > > > Second issue is about UI advice. Some implementations (yes, mine is included) > allow the user to configure encryption algorithm, MAC algorithm, and D-H > group. There is no setting for PRF since such UIs date back to IKEv1. The PRF > is usually just taken from the setting for MAC algorithm. This works fine as > long as all supported MAC algorithms are HMAC, XCBC, and CMAC. AES-GCM would > have the same issue, but RFC 5282 makes no mention of this issue. I’m > wondering if we should recommend to pair this algorithm in IKE with > PRF_HMAC_SHA2_256. > > Thanks > > Yoav ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
[IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
Hi, There is two questions I would like guidance from the group about. First is the nonce/IV question: In the current draft, there is a 64-bit IV with guidance not to repeat them (so use a counter or LFSR). The function itself accepts a 96-bit input nonce, so the nonce is constructed from the 64-bit IV and 32 zero bits. The reason for doing this is so the algorithm could be used in a multi-sender case such as GDOI, where the 32-bit zero can be replaced by a sender ID. Alternatively, we could generate a 32-bit salt value from the key material, but I don’t see a reason why we’d want that. Another thing we could do is what some people are advocating for TLS: Since a counter is a fine IV (no need for secrecy), we don’t need a 64-bit IV that has the exact same value as the replay counter. We might as well save 8 bytes per packet and just feed the replay counter to the function. The argument against this is that some crypto modules may have the API set up in such a way that the IVs are generated within the module and could be something other than a counter (like an LFSR). The proposal will break such APIs. Second issue is about UI advice. Some implementations (yes, mine is included) allow the user to configure encryption algorithm, MAC algorithm, and D-H group. There is no setting for PRF since such UIs date back to IKEv1. The PRF is usually just taken from the setting for MAC algorithm. This works fine as long as all supported MAC algorithms are HMAC, XCBC, and CMAC. AES-GCM would have the same issue, but RFC 5282 makes no mention of this issue. I’m wondering if we should recommend to pair this algorithm in IKE with PRF_HMAC_SHA2_256. Thanks Yoav ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
