An Analysis of AES in OCB Mode (Doc.: IEEE 802.11-01/223, Submission, May 2001) Nancy Cam-Winget, Atheros Communications

Presentation transcript:

doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et al
Slide 1: An Analysis of AES in OCB Mode
Nancy Cam-Winget, Atheros Communications
Jesse Walker, Intel Corporation

Slide 2: Acknowledgements
Bill Arbaugh – U of Maryland
Greg Chesson – Atheros Communications
Phil Rogaway – UC Davis
Aman Singla – Atheros Communications

Slide 3: Agenda (Background; Discussion of AES OCB mode; Security Considerations; Acceptance Considerations; Performance Considerations; True Integrity: Using OCB to fix a bug in the Draft; Summary)

Slide 4: Review of WEP
WEP attacks
– IV can NEVER safely be reused with same key
– RC4 unsuitable for datagrams
– CRC can be used to speed up dictionary attack
The use of RC4 requires the key schedule to be reinitialized for every packet
– Hurts performance
– This property is what got WEP in trouble in the first place
– RC4 is a fine cipher, but inappropriate as a bulk crypto mechanism in a datagram environment

Slide 5: Concepts
Data privacy
– Protection of data. Prevent unauthorized viewing of the data
Data integrity
– Prevent modification, insertion or deletion of data (collectively known as “forgery”)
– Validation of data: MIC
Data authenticity
– Synonym for data integrity

Slide 6: Data (true) Integrity
Beyond data integrity (no change in plaintext) it also means ensuring received data was actually sent by a genuine peer on an established link
– The link is immune from forgery
This is a necessary attribute of any scheme seeking to control access

Slide 7: Security Framework
Requirements defined in /231 Clause 4
Extensibility, Compatibility, and Interoperability includes support for:
– Authentication algorithm
– Privacy algorithm
– Data integrity algorithm

Slide 8: Why Per-Packet Data Integrity?
Requirements say so
– Ref: doc IEEE /231 clause
More important, security seeks to provide meaningful access control
– Not feasible to control access unless all packets on an authenticated association are also validated
– If no per-packet data integrity check, then association authentication is meaningless, i.e., forgery is always possible to an attacker

Slide 9: Security Requirements Discussion
Data privacy
– Goal: prevent inadvertent unauthorized disclosure due to message transfer
– Mechanism to achieve goal: encryption
Data integrity
– Goal: prevent data forgery, replay
– Mechanism to achieve goal: Message Integrity Code + sequence number + link protection

Slide 10: Security Mechanism Goals
Meet security requirements
Work with 802 authentication/key management infrastructure
Implementation ease (and payload overhead)
Good performance

Slide 11: Agenda (Background; Discussion of AES OCB mode; Security Considerations; Acceptance Considerations; Performance Considerations; True Integrity: Using OCB to fix a bug in the Draft; Summary)

Slide 12: AES Cipher
NIST selection criteria are similar to ’s:
– Security
– Performance in both software and hardware
– Efficiency
– Ease of implementation
NIST selection process took 4 years!
– Initiated Jan 1997, decision finalized Feb 2001

Slide 13: AES properties
Symmetric 128-bit block cipher
– NIST allows 128-, 192- and 256-bit keys
– proposes using 128-bit keys
Low memory requirements
Good performance across all known hardware and software platforms
– Highly parallelizable
– Compact source code
– ~285 cycles/block on a Pentium Pro

Slide 14: AES Strengths (1)
Exhaustive key search is the best known attack against AES, and the large key size makes exhaustive search computationally infeasible
– Key recovery requires O(2^127) AES operations on average
128-bit block size makes it orders of magnitude more secure than the same algorithm with a 64-bit block size

Slide 15: AES Strengths (2)
Performance
– Highly parallelizable
– Compact implementations
– Efficient key schedule computation
Platform neutrality
– Efficient implementation possible on all platforms
– Critical path instructions: 8-bit → 8-bit S-box, XOR6, XOR5, XOR2, MUX2
– Endian-neutrality

Slide 16: Agenda (Background; Discussion of AES OCB mode; Security Considerations; Acceptance Considerations; Performance Considerations; True Integrity: Using OCB to fix a bug in the Draft; Summary)

Slide 17: OCB mode of operation
OCB mode is a block cipher mode of operation
OCB provides authenticated encryption: both privacy and authenticity
– i.e. provides data authenticity at almost no extra cost over the cost of encryption

Slide 18: Why Use a Mode of Operation?
AES is a block cipher
Networking produces arbitrary length messages to encipher/decipher
Naïve use of any block cipher for arbitrary length messages (called Electronic Codebook, or ECB mode) is insecure

Slide 19: Example Modes of Operation
Partition message M into blocks M = M_1 M_2 … M_m
ECB mode: C_i ← E_K(M_i) (insecure if m > 1)
Counter mode: C_i ← E_K(counter) ⊕ M_i, counter ← counter + 1 (secure if counter is never reused with same key K)
CBC mode: C_i ← E_K(C_{i-1} ⊕ M_i), C_0 ← E_K(IV ⊕ M_0) (secure if IV is random and never reused with same key K)
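The three modes on this slide, as an added worked example in Go (not code from the submission): each formula is implemented on AES-128 with a constructed key, message and IV, and a two-block message with equal blocks shows why ECB leaks the repetition while Counter and CBC do not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

func xorBlock(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// ecbEncrypt: C_i = E_K(M_i). Equal plaintext blocks give equal ciphertext blocks.
func ecbEncrypt(blk cipher.Block, msg []byte) []byte {
	out := make([]byte, len(msg))
	for i := 0; i < len(msg); i += aes.BlockSize {
		blk.Encrypt(out[i:i+aes.BlockSize], msg[i:i+aes.BlockSize])
	}
	return out
}

// ctrEncrypt: C_i = E_K(counter) ⊕ M_i, counter = counter + 1. Decryption is the
// same call with the same starting counter; a (key, counter) pair must never repeat.
func ctrEncrypt(blk cipher.Block, counter uint64, msg []byte) []byte {
	out := make([]byte, len(msg))
	var ctrBlock, ks [aes.BlockSize]byte
	for i := 0; i < len(msg); i += aes.BlockSize {
		binary.BigEndian.PutUint64(ctrBlock[8:], counter)
		blk.Encrypt(ks[:], ctrBlock[:])
		xorBlock(out[i:i+aes.BlockSize], msg[i:i+aes.BlockSize], ks[:])
		counter++
	}
	return out
}

// cbcEncrypt: C_0 = E_K(IV ⊕ M_0), C_i = E_K(C_{i-1} ⊕ M_i). The IV must be random and fresh.
func cbcEncrypt(blk cipher.Block, iv, msg []byte) []byte {
	out := make([]byte, len(msg))
	prev, tmp := iv, make([]byte, aes.BlockSize)
	for i := 0; i < len(msg); i += aes.BlockSize {
		xorBlock(tmp, prev, msg[i:i+aes.BlockSize])
		blk.Encrypt(out[i:i+aes.BlockSize], tmp)
		prev = out[i : i+aes.BlockSize]
	}
	return out
}

func main() {
	blk, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key (AES-128)
	msg := bytes.Repeat([]byte("SAME 16-BYTE BLK"), 2) // constructed: two equal blocks
	iv := []byte("constructed-iv16")                   // constructed; a real IV is random
	ecb, ctr, cbc := ecbEncrypt(blk, msg), ctrEncrypt(blk, 1, msg), cbcEncrypt(blk, iv, msg)
	// Only ECB repeats the ciphertext block: the pattern leak behind "insecure if m > 1".
	fmt.Println(bytes.Equal(ecb[:16], ecb[16:]), bytes.Equal(ctr[:16], ctr[16:]), bytes.Equal(cbc[:16], cbc[16:]))
}
```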

Slide 20: Comparison of Modes
Mode    | Privacy   | Integrity | Comments
ECB     | Sometimes | No        | Vulnerable to attack. Must choose a MIC
Counter | Yes       | No        | Vulnerable if counter is ever reused. Must choose a MIC
CBC     | Yes       | No        | Sound encryption. Must choose a MIC
CBC-MAC | No        | Yes       | Recent attack on forgery (An, Bellare 1999)
OCB     | Yes       | Yes       | One key and one pass over data gives both privacy and integrity

Slide 21: OCB Properties
Uses nearly the theoretical minimal number of block cipher calls required to accomplish both privacy and integrity: number of blocks + 1
Smaller IV is sufficient
Single key used for both encryption and MIC
Key setup is minimal
Session state is minimized

Slide 22: Agenda (Background; Discussion of AES OCB mode; Security Considerations; Acceptance Considerations; Performance Considerations; True Integrity: Using OCB to fix a bug in the Draft; Summary)

Slide 23: OCB Security Strength
Proven privacy and proven integrity
– encryption strength stronger than CBC mode
– data integrity strength at least as good as CBC-MAC
Just like the security proofs for CBC and Counter mode and for CBC-MAC, the OCB security proof is a reduction:
– If a computationally cheap algorithm exists to break OCB, then the same algorithm can be used to cheaply break the underlying block cipher
– This means: if you believe block cipher x is secure, you believe x-OCB is also secure

Slide 24: Agenda (Background; Discussion of AES OCB mode; Security Considerations; Acceptance Considerations; Performance Considerations; True Integrity: Using OCB to fix a bug in the Draft; Summary)

Slide 25: Why not separate encryption and integrity algorithms?
Requires more customer sophistication
– Must know when to enable one or both
– Opens the door to the unsound practice of encryption without data authentication
Requires more resources
– Sender, receiver need state for 2 keys
– Encapsulation/decapsulation require two passes over the packet

Slide 26: Won’t IP issues make OCB harder to implement?
Rogaway has filed patent on OCB
OCB based on IAPM, and IBM has filed patent on IAPM
Rogaway has non-discriminatory licensing statement for OCB ( )
IBM has non-discriminatory license statement for IAPM ( )
Gligor’s (XCBC) work similar to Jutla’s; VDG has filed patent
VDG has issued non-discriminatory license statement (

Slide 27: Won’t OCB Change? If it does, so what?
We will use the OCB version dated April 1, 2001
– A full proof of security available
– A final specification available
Rogaway considers OCB definition final ( )

Slide 28: Agenda (Background; Discussion of AES OCB mode; Security Considerations; Acceptance Considerations; Performance Considerations; True Integrity: Using OCB to fix a bug in the Draft; Summary)

Slide 29: Some Raw Performance*
Selected MICs:
– HMAC-MD5: 35.9 cycles/byte
– HMAC-SHA1: 58.6 cycles/byte
– DES-CBC-MAC: 48.1 cycles/byte
– AES-CBC-MAC: 18.1 cycles/byte
Selected Ciphers:
– RC4**: 12 cycles/byte
– 3DES: 144.8 cycles/byte
– AES-CBC: 18.1 cycles/byte
– AES-OCB: 22.7 cycles/byte
* On a Pentium Pro 200 with NT 4.0. HMAC, MD5, SHA-1, DES taken from OpenSSL 0.9.6; AES/OCB from the reference code
** Does not account for resetting or key schedule that is a per-packet overhead

Slide 30: Line Rate Cycles in Software (chart; legend: 2 = HMAC-MD5, 3 = HMAC-SHA1, 4 = DES-CBC-MAC, 5 = AES-CBC-MAC, 6 = RC4, 7 = 3DES, 8 = AES-CBC, 9 = AES-OCB)

Slide 31: Performance Considerations
Separate privacy and integrity algorithms require
– Two passes over packet data, e.g. AES-CBC + AES-CBC-MAC ~36 cycles/byte
– Two keys per half-duplex association
– Implementation of separate algorithms, e.g., 3DES-CBC + HMAC-SHA-1
OCB
– Uses one pass over packet data
– 1 key per half-duplex association
– Implementation of 1 algorithm only: less code/gates

Slide 32: Agenda (Background; Discussion of AES OCB mode; Security Considerations; Implementation Considerations; Performance Considerations; True Integrity: Using OCB to fix a bug in the Draft; Summary)

Slide 33: Another type of attack
(Figure: STA 1, STA 2, AP and Attacker; the attacker changes the packet DA to be the Attacker)
An authenticated attacker can easily modify the destination’s address from any packet and get a decrypted packet by simply modifying the contents of the Address 3 field!

Slide 34: Address is always Addr 3
ToDS | FromDS | Addr 3 | Comments
0    | 0      | BSSID  | Common key is used; attack is moot
1    | 0      | SA     | DA is qualifier sending to SA
0    | 1      | DA     | SA is qualifier sending to DA
1    | 1      | DA     | RA is qualifier sending to DA

Slide 35: OCB can provide true Integrity
AES can easily protect addresses by inclusion in the IV:
IV = 0 (2 bytes) || Addr 3 (6 bytes) || Replay Seq (8 bytes)
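The IV layout on this slide, as an added example in Go (not the submission’s code): the IV is built from Address 3 and the replay sequence, and because the MIC is computed under that IV, a frame whose Address 3 was rewritten in flight no longer verifies at the receiver. AES-GCM with a 16-byte nonce is an assumed stand-in for OCB, which Go’s standard library does not include; the key, addresses and payload are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// buildIV lays out the per-packet IV as the slide gives it:
// 2 zero bytes || Address 3 (6 bytes) || replay sequence number (8 bytes).
func buildIV(addr3 [6]byte, seq uint64) []byte {
	iv := make([]byte, 16)
	copy(iv[2:8], addr3[:])
	binary.BigEndian.PutUint64(iv[8:], seq)
	return iv
}

// newAEAD returns an authenticated-encryption mode that accepts the 16-byte IV.
// Assumption: AES-GCM stands in for OCB (not in Go's standard library); the
// property shown, that the MIC is bound to the IV, holds for both.
func newAEAD(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCMWithNonceSize(blk, 16)
	if err != nil {
		panic(err)
	}
	return aead
}

// protect encrypts and MICs the payload under the IV derived from the frame's
// Address 3 field and its replay sequence number.
func protect(key []byte, addr3 [6]byte, seq uint64, payload []byte) []byte {
	return newAEAD(key).Seal(nil, buildIV(addr3, seq), payload, nil)
}

// unprotect rebuilds the IV from the Address 3 field actually received. If the
// field was rewritten in flight, the MIC check fails and no plaintext is released.
func unprotect(key []byte, addr3 [6]byte, seq uint64, pkt []byte) ([]byte, bool) {
	pt, err := newAEAD(key).Open(nil, buildIV(addr3, seq), pkt, nil)
	if err != nil {
		return nil, false
	}
	return pt, true
}

func main() {
	key := []byte("0123456789abcdef")                 // constructed demo key
	sta2 := [6]byte{0x02, 0, 0, 0, 0, 0x02}           // constructed address of STA 2
	attacker := [6]byte{0x02, 0, 0, 0, 0, 0xee}       // constructed attacker address
	pkt := protect(key, sta2, 42, []byte("constructed payload"))
	_, genuine := unprotect(key, sta2, 42, pkt)      // Address 3 intact: true
	_, redirected := unprotect(key, attacker, 42, pkt) // Address 3 rewritten: false
	fmt.Println(genuine, redirected)
}
```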

Slide 36: Agenda (Background; Discussion of AES OCB mode; Security Considerations; Implementation Considerations; Performance Considerations; Summary)

Slide 37: Summary
OCB mode security is proven
– Its proof says any weakness can only be in the underlying cipher
– Its mandatory use of data integrity increases the chance of correct use
AES-OCB maximizes performance on the widest variety of platforms
Licensing
– Rogaway, IBM and VDG all have non-discriminatory license statements
Opportunity to lead
– NIST plans to replace DES with AES as the standard cipher this year

Slide 38: Feedback?

Slide 39: Backup

Slide 40: Comparison of security goals for WEP, WEP2 and AES/OCB
– privacy: Requires rapid key exchange (~10 min); Vulnerable to weak keys; Key strength: O(2^127) AES ops to recover key
– integrity: Vulnerable to probabilistic chosen-plaintext attacks; Probability of forgery is 2^(-MIC_bit_length)
– authenticity: Not addressed; Easily addressed

Slide 41: Export Considerations
NIST has taken (worldwide) commercial considerations.
Collaborative efforts with Canadian Government (