headers
Woo-Hwan Kim | 16 Jul 2012 07:48
Picon

[AVTCORE] Comments on the draft-ietf-avtcore-srtp-aes-gcm-01

Hi.

Here are some comments on the draft-ietf-avtcore-srtp-aes-gcm-01.

1. typos and minors

p.4 DTLS -> DTLS-SRTP
p.8 ROS -> ROC
p.11 the corresponding STRCP encrypted -> the corresponding SRTCP encrypted
p.13 C_max -> C_MAX
p.18 AEAD_AES_128_CCM -> AEAD_AES_128_GCM
p.18 AEAD_AES_256_CCM -> AEAD_AES_256_GCM

2. On the CCM decryption

In this draft, there is no separation between GCM and CCM except "Tag_Size_Flag“. 
It means both modes have the same parameters (nonce length, counter block length etc.) and the same IV format (described in Sections 8.1 and 9.1). 
But that does not hold if the authors intend to apply the interfaces of CCM described in RFC 5116. 
For example, the counter block length parameter q is not 4 but 3 when the length of nonce is 12 octets. 

According to the InputFormatting Function proposed in NIST SP 800-38C (and referred by RFC 5116), 
Tag_Size_Flag recommended in this draft is derived when q=3. 
Note that such parameter is related to several AEAD parameters, and so a large portion of the draft should be revised.

3. CCM Tag Validation

Section 5.3 says
"The ciphertext MUST NOT be decrypted until the AEAD tag has been validated. The associated data
MUST NOT be released until the AEAD tag has been validated."

The above does not hold for CCM mode of operation, 
because it is required to decrypt ciphertext before confirming the validation of the AEAD tag.

4. Ciphertext length expansion for SRTP

Section 9.2 says
"Since the AEAD cipher is larger than the plaintext by exactly the length of the AEAD authentication 
tag, the corresponding STRCP encrypted packet replaces the plaintext field with a slightly larger 
field containing the cipher."

Does this sentence only hold for SRTCP?

5. Input/output data for CCM (Sections 5.2.1 and 5.2.2)

Both input and output data for CCM require Tag_Size_Flag, but that is the value which can be computed 
by three parameters (defined in NIST SP 800-38C). Because Tag_Size_Flag is not included in SRTP/SRTCP 
packets, the only way to share the same Tag_Size_Flag is to fix authentication tag length and counter 
block length in advance.

Additionally, Section 5.2.1 says the only output of "Encrypt Mode" is "Ciphertext" with bit string length = legnth length(ciphertext)-tag_length. 
What is the difference between "ciphertext" and "Ciphertext". If length of the "Ciphertext" does not consider the length of "authentication tag", 
where is authentication tag?


6. CCM tag length specification

Section 10.3

RFC5116 only defines AEAD_AES_128/256_CCM with 16 octets tag length.

Section 13.2

"Note that these SRTP Protection Profiles do not specify an auth_function, auth_key_length, or 
auth_tag_length because all of these profiles use AEAD algorithms, and thus do not use a separate auth_function, auth_key, or auth_tag."

In IANA AEAD registry, there is no entry for AEAD_AES_128/256_CCM_12. 
It means that there is no official reference for AES_CCM with 96-bit authentication tag. So it is required to define 
AEAD_AES_128/256_CCM_12 independently in this document, similar to AEAD_AES_128/256_CCM_8 defined for 
TLS usage(internet draft, AES-CCM Cipher Suites for TLS). 

For SDES, it may be necessary to add CCM-related crypto suites with 64- and 96-bit authentication tags.

Thanks.

Woo-Hwan Kim
_______________________________________________
Audio/Video Transport Core Maintenance
avt <at> ietf.org
https://www.ietf.org/mailman/listinfo/avt
Permalink | Reply |
headers
Igoe, Kevin M. | 8 Aug 2012 19:53
Picon

Re: [AVTCORE] Comments on the draft-ietf-avtcore-srtp-aes-gcm-01

I’d like to thank Woo-Hwang Kim for the effort he put into reviewing

draft-ietf-avtcore-srtp-aes-gcm-01.  He raised many valid points, and the authors

have a -02 draft nearing completion that addresses his observations.  Many thanks

to Woo-Hwan and the AVTCORE mailing list.

 

From: avt-bounces <at> ietf.org [mailto:avt-bounces <at> ietf.org] On Behalf Of Woo-Hwan Kim
Sent: Monday, July 16, 2012 1:49 AM
To: avt <at> ietf.org; draft-ietf-avtcore-srtp-aes-gcm <at> tools.ietf.org
Cc: Daesung Kwon; Je Hong Park
Subject: [AVTCORE] Comments on the draft-ietf-avtcore-srtp-aes-gcm-01

 

Hi.

 

Here are some comments on the draft-ietf-avtcore-srtp-aes-gcm-01.

 

1. typos and minors

 

p.4 DTLS -> DTLS-SRTP

p.8 ROS -> ROC

p.11 the corresponding STRCP encrypted -> the corresponding SRTCP encrypted

p.13 C_max -> C_MAX

p.18 AEAD_AES_128_CCM -> AEAD_AES_128_GCM

p.18 AEAD_AES_256_CCM -> AEAD_AES_256_GCM

 

2. On the CCM decryption

 

In this draft, there is no separation between GCM and CCM except "Tag_Size_Flag“. 

It means both modes have the same parameters (nonce length, counter block length etc.) and the same IV format (described in Sections 8.1 and 9.1). 

But that does not hold if the authors intend to apply the interfaces of CCM described in RFC 5116. 

For example, the counter block length parameter q is not 4 but 3 when the length of nonce is 12 octets. 

 

According to the InputFormatting Function proposed in NIST SP 800-38C (and referred by RFC 5116), 

Tag_Size_Flag recommended in this draft is derived when q=3. 

Note that such parameter is related to several AEAD parameters, and so a large portion of the draft should be revised.

 

3. CCM Tag Validation

 

Section 5.3 says

"The ciphertext MUST NOT be decrypted until the AEAD tag has been validated. The associated data

MUST NOT be released until the AEAD tag has been validated."

 

The above does not hold for CCM mode of operation, 

because it is required to decrypt ciphertext before confirming the validation of the AEAD tag.

 

4. Ciphertext length expansion for SRTP

 

Section 9.2 says

"Since the AEAD cipher is larger than the plaintext by exactly the length of the AEAD authentication 

tag, the corresponding STRCP encrypted packet replaces the plaintext field with a slightly larger 

field containing the cipher."

 

Does this sentence only hold for SRTCP?

 

5. Input/output data for CCM (Sections 5.2.1 and 5.2.2)

 

Both input and output data for CCM require Tag_Size_Flag, but that is the value which can be computed 

by three parameters (defined in NIST SP 800-38C). Because Tag_Size_Flag is not included in SRTP/SRTCP 

packets, the only way to share the same Tag_Size_Flag is to fix authentication tag length and counter 

block length in advance.

 

Additionally, Section 5.2.1 says the only output of "Encrypt Mode" is "Ciphertext" with bit string length = legnth length(ciphertext)-tag_length. 

What is the difference between "ciphertext" and "Ciphertext". If length of the "Ciphertext" does not consider the length of "authentication tag", 

where is authentication tag?

 

 

6. CCM tag length specification

 

Section 10.3

 

RFC5116 only defines AEAD_AES_128/256_CCM with 16 octets tag length.

 

Section 13.2

 

"Note that these SRTP Protection Profiles do not specify an auth_function, auth_key_length, or 

auth_tag_length because all of these profiles use AEAD algorithms, and thus do not use a separate auth_function, auth_key, or auth_tag."

 

In IANA AEAD registry, there is no entry for AEAD_AES_128/256_CCM_12. 

It means that there is no official reference for AES_CCM with 96-bit authentication tag. So it is required to define 

AEAD_AES_128/256_CCM_12 independently in this document, similar to AEAD_AES_128/256_CCM_8 defined for 

TLS usage(internet draft, AES-CCM Cipher Suites for TLS). 

 

For SDES, it may be necessary to add CCM-related crypto suites with 64- and 96-bit authentication tags.

 

Thanks.

 

Woo-Hwan Kim

_______________________________________________
Audio/Video Transport Core Maintenance
avt <at> ietf.org
https://www.ietf.org/mailman/listinfo/avt
Permalink | Reply |

Gmane