1. 1 AERO Algorithm Overview 28-29 October 2013 San Antonio, Texas USA Howard Weiss NASA/JPL/PARSONS* Identity crisis: Formerly SPARTA Formerly Cobham Formerly SPARTA

2. 2 AGENDA Provide introduction and overview of: – Authenticated Encryption with Replay prOtection (AERO) All information obtained from IETF Internet Draft

3. 3 USAGE and APPLICABILITY Provides confidentiality, authentication, and replay protection Especially well suited for bandwidth constrained environments – Minimal data expansion – Avoids managing implicit state, – Provides strong misuse resistance Well suited for use when multiple senders & receivers share crypto keys

4. 4 AERO Introduction Internet Engineering Task Force (IETF) Internet Draft – Authenticated Encryption with Replay prOtection (AERO); draft-mcgrew-aero-00.txt; D. McGrew (Cisco) and J. Foley (Cisco) Authenticated Encryption with replay protection – Stateful & self-synchronizing encryption – Replay protection – Authentication » Replay & authentication provided via single mechanism – Makes use of underlying stateless encryption (AES) Uses AES in eXtended Code Book (XCB) mode – AERO_AES_128_XCB – AERO_AES_192_XCB – AERO_AES_256_XCB

5. 5 AERO Overview Minimization of overhead – Combines authentication & replay protection » Eliminates replay overhead and need for implicit state information » Sequence number is encrypted with plaintext Sender maintains a sequence number which is xmitted to the receiver Receiver verifies received sequence number – No nonce or initialization vector (IV) used » Reduces overhead » No need to coordinate nonces among multiple receivers » Eliminates problems with nonce misuse as is the case with AES/GCM

6. 6 AERO Encryption Process A = associated data P = plaintext S = sequence number Padding = 128-bit block I2S = integer-to-string K = key C = ciphertext Length (C) == Length (P)

7. 7 AERO Decryption Steps 4.5. Decryption To decrypt an encrypted message (A, C), 1. The stateless decryption algorithm is applied to A and C, using the secret key K in the context, returning a candidate sequence number Z, which is a T-bit unsigned integer, and a plaintext Q, which is an octet string. 2. If PMIN * 8 > T, then padding is removed from Q as follows. B is set to the value of the last octet of Q, converted to an 8-bit unsigned integer. If B > (128 - T)/8, then the FAIL symbol is returned, and processing halts. Otherwise, the octet string P is set to all but the final B + 1 octets of Q. 3. Z is converted from an octet string to an unsigned integer using the S2I routine defined in Section 1.3. 4. Z is processed as follows; see Figure 3 for an illustration. 1. If Z is between 0 and S-W, inclusive, then Z is rejected. 2. If Z is between S-W+1 and S, inclusive, then the bitmask M is checked. If M[S-Z] = 0, then Z is accepted, M[S-Z] is set to 1, and P is returned as the plaintext. If M[S-Z] = 1, then Z is rejected. 3. If Z is between S+1 and S+W, inclusive, then Z is accepted, S is set to Z, and P is returned as the plaintext. The bitmask is shifted by Z-S (in the direction of higher indicies). 4. If Z is between S+W+1 and R, inclusive, then Z is rejected and R is set to Z. 5. If Z is between R+1 and R+V, inclusive, then Z is accepted, S is set to Z, the bitmask M is set to the all-zero value, and P is returned as the plaintext. 6. If Z is between R+V+1 and 2^T+1, inclusive, then Z is rejected and R is set to Z. 5. When Z is rejected, then AERO decryption MUST return the FAIL symbol, which indicates that either the message was a replay or a forgery attempt.

8. 8 AERO Decryption Process

9. 9 AERO Rationale & Summary Padding is an unfortunate requirement – AES is block oriented – Pad stripping incorporates an authentication check Incorporation of the sequence number inside AERO – Brings security-critical function inside the cryptographic boundary Use of XBC is computationally expensive Does not support pipelined implementation using XBC – XBC is an off-line algorithm that requires plaintext to be fully buffered – Could employ Online Pseudo-Random Permutation (OPRP)