Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authenticated Encryption with Replay prOtection (AERO)

Similar presentations


Presentation on theme: "Authenticated Encryption with Replay prOtection (AERO)"— Presentation transcript:

1 Authenticated Encryption with Replay prOtection (AERO)

2 AERO Authenticated Encryption algorithm Stateful and self-synchronizing Easy to use Robust against nonce misuse and decryption misuse Saves bandwidth No nonce, no sequence number New standards contributions and research

3 Communication Security Goals Unreliable transport Message loss Message reorder Multiple senders, multiple receivers Adaptive chosen plaintext, chosen ciphertext attacks Security against forgery Plaintext indistinguishable from random

4 Conventional Encryption + Authentication Ciphertext Header SEQ IV Tag Message AES-CBC Encryption HMAC Sequence Number Sequence Number

5 Conventional A+E with Extended SEQ Ciphertext SEQ IV Tag Message AES-CBC Encryption HMAC SEQ LO SEQ LO SEQ HI SEQ HI Header

6 Conventional Decryption Ciphertext Header SEQ IV Tag Message AES-CBC Decryption HMAC Sequence Number Check Sequence Number Check SEQ HI SEQ HI

7 Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI Header

8 Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI Bandwidth: SEQ, IV, Tag Header

9 Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI Multiple receivers awkward Bandwidth: SEQ, IV, Tag Header

10 Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI IV hard to manage Multiple senders INSECURE if mismanaged Multiple receivers awkward Bandwidth: SEQ, IV, Tag Header

11 Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI Complex to use IV hard to manage Multiple senders INSECURE if mismanaged Multiple receivers awkward Bandwidth: SEQ, IV, Tag

12 Header Authenticated Encryption with Associated Data (AEAD) Ciphertext SEQ IV Tag Message AES-GCM Encryption SEQ LO SEQ LO SEQ HI SEQ HI Complex to use IV hard to manage Multiple senders INSECURE if mismanaged Multiple receivers awkward Bandwidth: SEQ, IV, Tag Decryption Misuse

13 AERO Ciphertext Header Message AERO Encryption Easy to use No IV to manage Multiple senders Secure if misused Multiple receivers easy Minimal overhead Robust against decryption misuse

14 AERO Encryption Wide Pseudo Random Permutation (WPRP) Encryption Ciphertext Sequence Number Plaintext || Header

15 Wide Pseudo Random Permutation (WPRP) WPRP Encryption 562a666ab08dae419b3 0818a309a064f40a9b2

16 Wide Pseudo Random Permutation (WPRP) WPRP Encryption 562a666ab08dae419b3 0818a309a064f40a9b2 WPRP Encryption 562a666ab18dae419bf e295e324f8a7181ad927

17 Wide Pseudo Random Permutation (WPRP) WPRP Decryption 562a666ab08dae419b3 0818a309a064f40a9b2 WPRP Decryption 562a666ab18dae419bf e295e324f8a7181ad927 AES Extended Codebook (XCB) Mode of Operation

18 AERO Decryption Wide Pseudo Random Permutation (WPRP) Decryption Ciphertext Candidate Seq Num Candidate Seq Num Plaintext || Header Check Return Plaintext, Update s Return Plaintext, Update s Return FAIL Plaintext FAIL (or) s, r

19 Candidate Sequence Number Checking sr 0 2 t -1 Largest sequence number accepted so far Last rejected candidate sequence number CSN

20 Likely next candidates sr 0 2 t -1 Largest sequence number accepted so far Last rejected candidate sequence number CSN s+1 s+2

21 Candidate Sequence Number Checking ww sr 0 v Largest sequence number accepted so far Last rejected candidate sequence number CSN 2 t -1

22 (Re)synchronization sr 0 2 t -1 Largest sequence number accepted so far Last rejected candidate sequence number CSN Actual Sequence Number Actual Sequence Number

23 (Re)synchronization sr 0 2 t -1 Largest sequence number accepted so far Last rejected candidate sequence number CSN Actual Sequence Number Actual Sequence Number Actual Sequence Number +1 Actual Sequence Number +1

24 Candidate Sequence Number Checking ww 0 v set s accept check bitmask accept update s update bitmask accept set r to s reject CSN sr 2 t -1

25 Security of Authentication 0 2w+v ~ 72 out of 2 t accepted CSN sr Probability of successful forgery = 2t2t 72 ~ 2 -t+7 2 t -1

26 IPSec Ciphertext SPI SEQ IV Tag 4 bytes 8 bytes 12 bytes Ciphertext SPI 4 bytes plaintext length + 12 bytes ESP AES-GCM, AES-CCM, or AES-CTR plus HMAC-SHA1 ESP AERO 24+ bytes overhead per packet 12 bytes overhead per packet no misuse resistance misuse resistance length of plaintext + pad

27 Performance WPRP CPB ~ 1.5 x GCM CPB Inefficient on long messages Higher latency Larger memory requirements … but this is true of all AEAD methods … More efficient on short messages Short frames (about 100 bytes for ) Four bytes less overhead means: ~ 4% less power used in transmission ~ 4% less power used in reception ~ 4% lower probability that retransmission is needed

28 Status Research Formalization of security models and goals WPRP encryption alternatives IETF draft-mcgrew-aero-00.txt draft-mcgrew-srtp-aero-01.txt draft-mcgrew-dtls-aero-00.txt CAESAR Does not work with conventional AEAD API


Download ppt "Authenticated Encryption with Replay prOtection (AERO)"

Similar presentations


Ads by Google