Scalable, Efficient Cryptography for Multiple Security Services
David A. McGrew, Cisco Systems, Inc.
© 2004, Cisco Systems, Inc. All rights reserved.


Slide 3: GCM Overview
- Block cipher mode of operation
- Provides both confidentiality and authentication
- Provides high speed, low latency at low cost
- Best mode of operation for packet networks
- Usability features
- Proposed to NIST and other standards areas
- Joint work with John Viega of Secure Software

Slide 4: Block Cipher
Inputs:
- K - key
- P - plaintext (128 bits)
Output:
- C - ciphertext (128 bits)

Slide 5: Authenticated Encryption Operation
Inputs:
- K - key (same length as the block cipher key)
- IV - unique value (length between 1 and 2^64 bits)
- P - plaintext (length between 0 and 2^39 bits)
- A - additional authenticated data (1 to 2^64 bits)
Outputs:
- C - ciphertext (same length as P)
- T - authentication tag (length between 0 and 128 bits)

Slide 6: Example: GCM Frame Encryption

Slide 7: AE Mode Requirements
- Line rate (10+ Gbps) in hardware
- Parallelizable, pipelineable
- Low implementation cost
- Low (packet) latency
- Good software performance
- Provably secure
- Unencumbered by intellectual property
- Promotes standardization

Slide 8: GCM Uses
- IEEE Link Security (802.1AE): GCM is the mandatory cryptoalgorithm in the draft
- IPsec ESP: draft based on ESP-AES-CCM and ESP-AES-CTR
- Fibre Channel Security
- Future fast wireless LAN

Slide 9: GCM Internals
- Counter mode encryption
  - Based on the IPsec CTR specification
  - Efficient, compact
- MAC is an encrypted hash
  - Polynomial hash over GF(2^128)
  - Multiply and accumulate
  - MAC key H = E_K(0^128)

Slide 10: Counter Mode Encryption

Slide 11: Universal Hash-based MACs
- P[GHASH(M) ⊕ GHASH(M') = a] ≈ len(M)/2^128

Slide 12: GHASH
- Input consists of C, A, length(A) | length(C)

Slide 13: The Field GF(2^128)
- Addition, multiplication, …
- Polynomial basis
  - Field element = 128-term binary polynomial
  - Addition is just exclusive-or
  - Multiplication ≈ 2^16 bit operations
- Well-suited for hardware implementations

Slide 14: Software
- Counter mode is simple
  - Software can avoid the first AES round: 10% gain
- GF(2^128) multiply
  - Lookup tables, computed per key
  - 256 bytes to 64 kilobytes
- Fastest mode on packets up to 576 bytes

Slide 15: Software Performance (cycles/byte)

Slide 16: GCM Benefits
- Can act as a stand-alone MAC
  - Could be used in IPsec AH or ESP with NULL encryption
- Can act as an incremental MAC
- Can accept IVs of arbitrary length

Slide 17: Arbitrary Length IVs
- Optimized for 96-bit IV
- Preserves performance, maintains security
- Promotes usability
  - Can use natural nonces: filenames, network addresses, …
  - Obviates the need to derive secondary keys

Slide 18: Arbitrary Length IV: File Encryption
- IV = seq_num | filename
  - 0000 | /etc/passwd
  - 0001 | /etc/passwd
  - …
- Authentication tag T appended to file

Slide 19: Incremental MAC
- Given (MSG, MAC), can compute the MAC for MSG' efficiently
- Useful for remote authentication
  - Secure storage networking
  - Network filesystems (e.g. CFS)

Slide 20: Incremental MAC: Remote Storage
- A = B[0] | B[1] | … | B[N-1]
- P = {}
- IV = version number (plus other info)
- When B[i] is changed to B'[i], compute
  New T = Old T ⊕ AES(Old IV) ⊕ AES(New IV) ⊕ HASH(H, B[i]) ⊕ HASH(H, B'[i])
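The GHASH computation of slides 9 to 13, the GHASH-based handling of non-96-bit IVs from slides 17 and 18, and the slide-20 update rule, worked through in Python as an added example (not code from the slides or from Cisco). It assumes the AES side is supplied by the caller: H and the E_K(IV) masks are passed in as integers, and the function names (gf128_mul, ghash, initial_counter, block_contribution, incremental_tag) are mine.

```python
R = 0xE1 << 120   # GCM reduction constant for x^128 + x^7 + x^2 + x + 1 (leftmost bit = x^0)
ONE = 1 << 127    # multiplicative identity in GCM's bit ordering

def gf128_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements given as 128-bit big-endian ints."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:   # walk the bits of x, leftmost first
            z ^= v                 # field addition is plain XOR
        v = (v >> 1) ^ R if v & 1 else v >> 1   # v = v * x, reduced mod the polynomial
    return z

def _blocks(data: bytes):
    """Yield the data as 128-bit ints, zero-padding the final partial block."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")

def ghash(h: int, a: bytes, c: bytes) -> int:
    """GHASH(H, A, C): multiply-and-accumulate over A, then C, then len(A) | len(C)."""
    y = 0
    for blk in list(_blocks(a)) + list(_blocks(c)):
        y = gf128_mul(y ^ blk, h)
    lengths = ((len(a) * 8) << 64) | (len(c) * 8)   # two 64-bit lengths, in bits
    return gf128_mul(y ^ lengths, h)

def initial_counter(h: int, iv: bytes) -> int:
    """J0 for an IV of any length: a 96-bit IV is used directly (the optimized
    case); any other length is run through GHASH, which is what lets GCM take
    natural nonces such as seq_num | filename."""
    if len(iv) == 12:
        return (int.from_bytes(iv, "big") << 32) | 1
    return ghash(h, b"", iv)

def block_contribution(h: int, blk: int, i: int, n: int) -> int:
    """HASH(H, B[i]): the term block i of an n-block A (with P empty) adds to
    GHASH, i.e. B[i] * H^(n - i + 1); the extra power is the length block."""
    r = ONE
    for _ in range(n - i + 1):
        r = gf128_mul(r, h)
    return gf128_mul(blk, r)

def incremental_tag(old_t: int, old_mask: int, new_mask: int, h: int,
                    old_blk: int, new_blk: int, i: int, n: int) -> int:
    """New T = Old T ^ AES(Old IV) ^ AES(New IV) ^ HASH(H, B[i]) ^ HASH(H, B'[i]).
    AES is not implemented here: old_mask/new_mask are the E_K(J0) values
    for the old and new IV, supplied by the caller (assumption of this example)."""
    return (old_t ^ old_mask ^ new_mask
            ^ block_contribution(h, old_blk, i, n)
            ^ block_contribution(h, new_blk, i, n))
```

Recomputing the tag over a 3-block A after replacing one block and comparing it with the incremental result shows that only the changed block's term and the two AES masks need to be touched, which is the property the remote-storage slide relies on.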

Slide 21: Security
- Counter mode well understood
  - AES GCM secure up to ~2^68 bytes
- MAC based on XOR-universal hash
  - Well understood theory
  - Good security properties

Slide 22: Security Considerations
- IV reuse in encryption can expose H
  - But reuse in decryption does not
- Given one forged message, can produce many more easily
  - But does not change the likelihood of zero forgeries
- All-zero counter value is highly unlikely and undetectable

Slide 23: References (1 of 2)
- GCM and OCB: csrc.nist.gov/CryptoToolkit/modes/proposedmodes/
- IEEE Link Security
- Fibre Channel
- IPsec: draft-ietf-ipsec-ciph-aes-gcm-00.txt

Slide 24: References (2 of 2)
Counter mode:
- Diffie and Hellman. Privacy and Authentication: An Introduction to Cryptography. Proceedings of the IEEE, Volume 67, Number 3, March.
- Bellare, Desai, Jokipii, and Rogaway. A concrete security treatment of symmetric encryption. Proceedings of the 38th Annual Symposium on Foundations of Computer Science, IEEE.
Universal hashing and MACs:
- Wegman and Carter. New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences, Vol. 22.
- Krawczyk. LFSR-based hashing and authentication. Proceedings of CRYPTO '94. Lecture Notes in Computer Science No. 839.

Slide 26: Comparison to OCB
- GCM has slightly higher per-block cost
  - GF(2^128) multiply
- OCB has an extra per-packet AES invocation
  - Adds AES latency to packet encryption latency
- Software: GCM faster on short packets
- Hardware: GCM slightly higher cost, 1/2 latency
- GCM may need additional key store
- GCM has additional benefits

Slide 27: Security Model (1 of 2)
- Block cipher is secure if indistinguishable from a random permutation
- GCM secure if
  - Ciphertext indistinguishable from random, and
  - Forgery unlikely to succeed

Slide 28: Security Model (2 of 2)