doc.: IEEE 802.11-01/223 | Submission | May 2001 | Nancy Cam-Winget, Atheros et al.


Slide 1: An Analysis of AES in OCB Mode
Nancy Cam-Winget, Atheros Communications
Jesse Walker, Intel Corporation

Slide 2: Acknowledgements
– Bill Arbaugh, U of Maryland
– Greg Chesson, Atheros Communications
– Phil Rogaway, UC Davis
– Aman Singla, Atheros Communications

Slide 3: Agenda
– Background
– Discussion of AES
– OCB mode
– Security Considerations
– Acceptance Considerations
– Performance Considerations
– True Integrity: Using OCB to fix a bug in the Draft
– Summary

Slide 4: Review of WEP
– WEP attacks
  – IV can NEVER safely be reused with the same key
  – RC4 is unsuitable for datagrams
  – CRC can be used to speed up a dictionary attack
– The use of RC4 requires the key schedule to be reinitialized for every packet
  – Hurts performance
  – This property is what got WEP in trouble in the first place
  – RC4 is a fine cipher, but inappropriate as a bulk crypto mechanism in a datagram environment

Slide 5: Concepts
– Data privacy
  – Protection of data: prevent unauthorized viewing of the data
– Data integrity
  – Prevent modification, insertion or deletion of data (collectively known as "forgery")
  – Validation of data: MIC
– Data authenticity
  – Synonym for data integrity

Slide 6: Data (true) Integrity
– Beyond data integrity (no change in plaintext), it also means ensuring that received data was actually sent by the genuine peer on an established link
  – The link is immune from forgery
– This is a necessary attribute of any scheme seeking to control access

Slide 7: Security Framework
– Requirements defined in /231 Clause 4
– Extensibility, Compatibility, and Interoperability includes support for:
  – Authentication algorithm
  – Privacy algorithm
  – Data integrity algorithm

Slide 8: Why Per-Packet Data Integrity?
– Requirements say so
  – Ref: doc IEEE /231 clause
– More important, security seeks to provide meaningful access control
  – Not feasible to control access unless all packets on an authenticated association are also validated
  – If there is no per-packet data integrity check, then association authentication is meaningless, i.e., forgery is always possible for an attacker

Slide 9: Security Requirements Discussion
– Data privacy
  – Goal: prevent inadvertent unauthorized disclosure due to message transfer
  – Mechanism to achieve goal: encryption
– Data integrity
  – Goal: prevent data forgery, replay
  – Mechanism to achieve goal: Message Integrity Code + sequence number + link protection

Slide 10: Security Mechanism Goals
– Meet security requirements
– Work with 802 authentication/key management infrastructure
– Implementation ease (and payload overhead)
– Good performance

Slide 11: Agenda (Background, Discussion of AES, OCB mode, Security Considerations, Acceptance Considerations, Performance Considerations, True Integrity: Using OCB to fix a bug in the Draft, Summary)

Slide 12: AES Cipher
– NIST selection criteria are similar to ’s:
  – Security
  – Performance in both software and hardware
  – Efficiency
  – Ease of implementation
– NIST selection process took 4 years!
  – Initiated Jan 1997, decision finalized Feb 2001

Slide 13: AES properties
– Symmetric 128-bit block cipher
  – NIST allows 128-, 192- and 256-bit keys; proposes using 128-bit keys
– Low memory requirements
– Good performance across all known hardware and software platforms
  – Highly parallelizable
  – Compact source code
  – ~285 cycles/block on a Pentium Pro

Slide 14: AES Strengths (1)
– Exhaustive key search is the best known attack against AES, and the large key size makes exhaustive search computationally infeasible
  – Key recovery costs O(2^127) AES operations on average
– The 128-bit block size makes it orders of magnitude more secure than the same algorithm with a 64-bit block size

Slide 15: AES Strengths (2)
– Performance
  – Highly parallelizable
  – Compact implementations
  – Efficient key schedule computation
– Platform neutrality
  – Efficient implementation possible on all platforms
  – Critical path instructions: 8-bit → 8-bit S-box, XOR6, XOR5, XOR2, MUX2
  – Endian-neutrality

Slide 16: Agenda (Background, Discussion of AES, OCB mode, Security Considerations, Acceptance Considerations, Performance Considerations, True Integrity: Using OCB to fix a bug in the Draft, Summary)

Slide 17: OCB mode of operation
– OCB mode is a block cipher mode of operation
– OCB provides authenticated encryption: both privacy and authenticity
  – i.e., it provides data authenticity at almost no extra cost over the cost of encryption

Slide 18: Why Use a Mode of Operation?
– AES is a block cipher
– Networking produces arbitrary-length messages to encipher/decipher
– Naïve use of any block cipher for arbitrary-length messages (called Electronic Codebook, or ECB mode) is insecure

Slide 19: Example Modes of Operation
– Partition message M into blocks: M = M_1 M_2 … M_m
– ECB Mode: C_i ← E_K(M_i) (insecure if m > 1)
– Counter Mode: C_i ← E_K(counter) ⊕ M_i, counter ← counter + 1 (secure if counter is never reused with the same key K)
– CBC Mode: C_i ← E_K(C_{i-1} ⊕ M_i), C_0 ← E_K(IV ⊕ M_0) (secure if IV is random and never reused with the same key K)

Slide 20: Comparison of Modes

Mode      Privacy    Integrity  Comments
ECB       Sometimes  No         Vulnerable to attack. Must choose a MIC
Counter   Yes        No         Vulnerable if counter is ever reused. Must choose a MIC
CBC       Yes        No         Sound encryption. Must choose a MIC
CBC-MAC   No         Yes        Recent attack on forgery (An, Bellare 1999)
OCB       Yes        Yes        One key and one pass over data gives both privacy and integrity
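The three modes on slides 19 and 20, run against real AES so the difference is visible, as an added example that is not part of the deck. It uses Go's standard crypto/aes and crypto/cipher; the key, IV and three-block message (block 0 equals block 2) are constructed for the demonstration. It shows the ECB pattern leak that the "insecure if m > 1" remark refers to, that CBC and counter mode hide the repetition, and why the counter must never be reused under one key: two messages sharing a keystream cancel it, leaving C_1 ⊕ C_2 = M_1 ⊕ M_2.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed 128-bit key and 128-bit IV / initial counter, for the demonstration only.
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("fedcba9876543210")

// Constructed three-block message: block 0 and block 2 are identical, so any mode that
// maps equal plaintext blocks to equal ciphertext blocks reveals the repetition.
var demoMsg = []byte("ATTACK AT DAWN!!" + "----padding-----" + "ATTACK AT DAWN!!")

func mustAES(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// ecbEncrypt computes C_i = E_K(M_i) block by block (msg must be whole blocks).
func ecbEncrypt(key, msg []byte) []byte {
	blk := mustAES(key)
	out := make([]byte, len(msg))
	for i := 0; i+aes.BlockSize <= len(msg); i += aes.BlockSize {
		blk.Encrypt(out[i:i+aes.BlockSize], msg[i:i+aes.BlockSize])
	}
	return out
}

// cbcEncrypt computes C_i = E_K(C_{i-1} XOR M_i), chaining from the IV.
func cbcEncrypt(key, iv, msg []byte) []byte {
	out := make([]byte, len(msg))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, msg)
	return out
}

// cbcDecrypt inverts cbcEncrypt: M_i = D_K(C_i) XOR C_{i-1}.
func cbcDecrypt(key, iv, ct []byte) []byte {
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(mustAES(key), iv).CryptBlocks(out, ct)
	return out
}

// ctrEncrypt computes C_i = E_K(counter + i) XOR M_i; decryption is the same call.
func ctrEncrypt(key, counter, msg []byte) []byte {
	out := make([]byte, len(msg))
	cipher.NewCTR(mustAES(key), counter).XORKeyStream(out, msg)
	return out
}

// hasRepeatedBlocks reports whether two ciphertext blocks are identical: the
// pattern leak that makes ECB unsuitable for messages longer than one block.
func hasRepeatedBlocks(ct []byte) bool {
	seen := make(map[string]bool)
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

// xorBytes XORs two equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// counterReuseLeaks shows why a counter must never repeat under one key: when two
// equal-length messages share the keystream, C1 XOR C2 equals M1 XOR M2, so the
// two plaintexts are related to each other without any knowledge of the key.
func counterReuseLeaks(key, counter, m1, m2 []byte) bool {
	c1 := ctrEncrypt(key, counter, m1)
	c2 := ctrEncrypt(key, counter, m2)
	return bytes.Equal(xorBytes(c1, c2), xorBytes(m1, m2))
}

func main() {
	fmt.Println("ECB repeats blocks:", hasRepeatedBlocks(ecbEncrypt(demoKey, demoMsg)))
	fmt.Println("CBC repeats blocks:", hasRepeatedBlocks(cbcEncrypt(demoKey, demoIV, demoMsg)))
	fmt.Println("CTR repeats blocks:", hasRepeatedBlocks(ctrEncrypt(demoKey, demoIV, demoMsg)))
	other := bytes.Repeat([]byte{0x41}, len(demoMsg)) // constructed second message
	fmt.Println("Counter reuse cancels keystream:", counterReuseLeaks(demoKey, demoIV, demoMsg, other))
}
```

None of the three modes gives integrity: a receiver accepts any ciphertext these functions are handed, which is why the table's first three rows say "Must choose a MIC".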

Slide 21: OCB Properties
– Uses nearly the theoretical minimal number of block cipher calls required to accomplish both privacy and integrity: number of blocks + 1
– A smaller IV is sufficient
– A single key is used for both encryption and MIC
– Key setup is minimal
– Session state is minimized

Slide 22: Agenda (Background, Discussion of AES, OCB mode, Security Considerations, Acceptance Considerations, Performance Considerations, True Integrity: Using OCB to fix a bug in the Draft, Summary)

Slide 23: OCB Security Strength
– Proven privacy and proven integrity
  – Encryption strength stronger than CBC mode
  – Data integrity strength at least as good as CBC-MAC
– Just like the security proofs for CBC and Counter mode and for CBC-MAC, the OCB security proof is a reduction:
  – If a computationally cheap algorithm exists to break OCB, then the same algorithm can be used to cheaply break the underlying block cipher
  – This means: if you believe block cipher x is secure, you believe x-OCB is also secure

Slide 24: Agenda (Background, Discussion of AES, OCB mode, Security Considerations, Acceptance Considerations, Performance Considerations, True Integrity: Using OCB to fix a bug in the Draft, Summary)

Slide 25: Why not separate encryption and integrity algorithms?
– Requires more customer sophistication
  – Must know when to enable one or both
  – Opens the door to the unsound practice of encryption without data authentication
– Requires more resources
  – Sender and receiver need state for 2 keys
  – Encapsulation/decapsulation require two passes over the packet

Slide 26: Won’t IP issues make OCB harder to implement?
– Rogaway has filed a patent on OCB
– OCB is based on IAPM, and IBM has filed a patent on IAPM
– Rogaway has a non-discriminatory licensing statement for OCB ( )
– IBM has a non-discriminatory license statement for IAPM ( )
– Gligor’s (XCBC) work is similar to Jutla’s; VDG has filed a patent
– VDG has issued a non-discriminatory license statement (http://csrc.nist.gov/encryption/modes/proposedmodes/xcbc/xcbc-doc.pdf)

Slide 27: Won’t OCB Change? If it does, so what?
– We will use the OCB version dated April 1, 2001
  – A full proof of security is available
  – A final specification is available
– Rogaway considers the OCB definition final ( )

Slide 28: Agenda (Background, Discussion of AES, OCB mode, Security Considerations, Acceptance Considerations, Performance Considerations, True Integrity: Using OCB to fix a bug in the Draft, Summary)

Slide 29: Some Raw Performance*
– Selected MICs:
  – HMAC-MD5       35.9 cycles/byte
  – HMAC-SHA1      58.6 cycles/byte
  – DES-CBC-MAC    48.1 cycles/byte
  – AES-CBC-MAC    18.1 cycles/byte
– Selected Ciphers:
  – RC4**          12 cycles/byte
  – 3DES          144.8 cycles/byte
  – AES-CBC        18.1 cycles/byte
  – AES-OCB        22.7 cycles/byte
* On a Pentium Pro 200 with NT 4.0. HMAC, MD5, SHA-1, DES taken from OpenSSL 0.9.6; AES/OCB from the reference code
** Does not account for resetting or key schedule, which is a per-packet overhead

Slide 30: Line Rate Cycles in Software
[Chart; legend: 2 = HMAC-MD5, 3 = HMAC-SHA1, 4 = DES-CBC-MAC, 5 = AES-CBC-MAC, 6 = RC4, 7 = 3DES, 8 = AES-CBC, 9 = AES-OCB]

Slide 31: Performance Considerations
– Separate privacy and integrity algorithms require
  – Two passes over packet data, e.g. AES-CBC + AES-CBC-MAC ~36 cycles/byte
  – Two keys per half-duplex association
  – Implementation of separate algorithms, e.g., 3DES-CBC + HMAC-SHA-1
– OCB
  – Uses one pass over packet data
  – 1 key per half-duplex association
  – Implementation of 1 algorithm only: less code/gates

Slide 32: Agenda (Background, Discussion of AES, OCB mode, Security Considerations, Implementation Considerations, Performance Considerations, True Integrity: Using OCB to fix a bug in the Draft, Summary)

Slide 33: Another type of attack
[Diagram: STA 1, STA 2, AP, Attacker; label "Change pkt DA to be Attacker"]
– An authenticated attacker can easily modify the destination address of any packet and get a decrypted packet by simply modifying the contents of the Address 3 field!

Slide 34: Address is always Addr 3

ToDS  FromDS  Addr 3  Comments
0     0       BSSID   Common key is used; attack is moot
1     0       SA      DA is qualifier sending to SA
0     1       DA      SA is qualifier sending to DA
1     1       DA      RA is qualifier sending to DA

Slide 35: OCB can provide true Integrity
– AES can easily protect addresses by inclusion in the IV:
  IV = 0 (2 bytes) || Addr 3 (6 bytes) || Replay Seq (8 bytes)
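How binding Addr 3 and the replay sequence number into the IV defeats the address-rewrite attack of slide 33, as an added example that is not part of the deck. Go's standard library has no OCB, so AES-GCM with a 16-byte nonce stands in for AES-OCB here; both are single-key authenticated-encryption modes, and the point demonstrated (the receiver rebuilds the IV from the header it actually received, so a rewritten Address 3 fails the tag check, and a stale sequence number is rejected as a replay) does not depend on which mode is used. The key, station addresses and the Frame and Receiver types are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame models the parts of an 802.11 data frame that matter here (constructed type):
// Address 3 sent in the clear, the per-packet replay sequence number, and the payload
// carried on the wire as ciphertext || tag.
type Frame struct {
	Addr3   [6]byte
	Seq     uint64
	Payload []byte
}

// buildIV lays out the 16-byte IV of slide 35: 0 (2 bytes) || Addr 3 (6 bytes) || Replay Seq (8 bytes).
func buildIV(addr3 [6]byte, seq uint64) []byte {
	iv := make([]byte, 16)
	copy(iv[2:8], addr3[:])
	binary.BigEndian.PutUint64(iv[8:], seq)
	return iv
}

// newAEAD returns AES-GCM with a 16-byte nonce; it stands in for AES-OCB (assumption:
// no OCB in the Go standard library) as a one-key authenticated-encryption mode.
func newAEAD(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	a, err := cipher.NewGCMWithNonceSize(blk, 16)
	if err != nil {
		panic(err)
	}
	return a
}

// seal encrypts and authenticates the payload under an IV derived from the header fields.
func seal(key []byte, addr3 [6]byte, seq uint64, plaintext []byte) Frame {
	return Frame{Addr3: addr3, Seq: seq, Payload: newAEAD(key).Seal(nil, buildIV(addr3, seq), plaintext, nil)}
}

// Receiver holds the link key and the highest sequence number accepted so far.
type Receiver struct {
	key     []byte
	lastSeq uint64
	started bool
}

// open rejects non-fresh sequence numbers, then rebuilds the IV from the received
// header; any change to Addr 3 or Seq changes the IV and the tag check fails.
func (r *Receiver) open(f Frame) ([]byte, error) {
	if r.started && f.Seq <= r.lastSeq {
		return nil, errors.New("replay: sequence number not fresh")
	}
	pt, err := newAEAD(r.key).Open(nil, buildIV(f.Addr3, f.Seq), f.Payload, nil)
	if err != nil {
		return nil, errors.New("forgery: tag check failed")
	}
	r.lastSeq, r.started = f.Seq, true
	return pt, nil
}

// runScenario: a frame with Addr 3 rewritten to the attacker is rejected as a forgery,
// the genuine frame is accepted, and a resend of the genuine frame is rejected as a replay.
func runScenario() (honestOK bool, redirectErr, replayErr error) {
	key := []byte("0123456789abcdef")                   // constructed link key
	sta2 := [6]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55} // constructed addresses
	attacker := [6]byte{0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb}

	frame := seal(key, sta2, 1, []byte("hello STA2"))
	rx := &Receiver{key: key}

	redirected := frame // same ciphertext, Address 3 rewritten in flight
	redirected.Addr3 = attacker
	_, redirectErr = rx.open(redirected)

	pt, err := rx.open(frame)
	honestOK = err == nil && string(pt) == "hello STA2"

	_, replayErr = rx.open(frame)
	return honestOK, redirectErr, replayErr
}

func main() {
	ok, rErr, pErr := runScenario()
	fmt.Println("genuine frame accepted:", ok)
	fmt.Println("rewritten Addr 3:", rErr)
	fmt.Println("resent frame:", pErr)
}
```

The IV is never sent as a separate field: both ends compute it from header fields that are already on the wire, which is the "smaller IV is sufficient" point of slide 21. The uniqueness rule of slide 19 still applies: the sequence number must not repeat under one key, or the IV repeats.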

Slide 36: Agenda (Background, Discussion of AES, OCB mode, Security Considerations, Implementation Considerations, Performance Considerations, Summary)

Slide 37: Summary
– OCB mode security is proven
  – Its proof says any weakness can only be in the underlying cipher
  – Its mandatory use of data integrity increases the chance of correct use
– AES-OCB maximizes performance on the widest variety of platforms
– Licensing
  – Rogaway, IBM and VDG all have non-discriminatory license statements
– Opportunity to lead
  – NIST plans to replace DES with AES as the standard cipher this year

Slide 38: Feedback?

Slide 39: Backup

Slide 40: Comparison of Security Goals

Goal          WEP                                   WEP2                       AES/OCB
privacy       Requires rapid key exchange (~10 min) Vulnerable to weak keys    Key strength: O(2^127) AES ops to recover key
integrity     Vulnerable to probabilistic chosen-plaintext attacks             Probability of forgery is 2^(-MIC_bit_length)
authenticity  Not addressed                                                    Easily addressed

Slide 41: Export Considerations
– NIST has taken (worldwide) commercial considerations into account
– Collaborative efforts with the Canadian Government (http://csrc.nist.gov/encryption/aes/aesfact.html)

