1 AERO Algorithm Overview 28-29 October 2013 San Antonio, Texas USA Howard Weiss NASA/JPL/PARSONS* Identity crisis: Formerly SPARTA Formerly Cobham Formerly.

Presentation transcript:

1 AERO Algorithm Overview October 2013 San Antonio, Texas USA Howard Weiss NASA/JPL/PARSONS* Identity crisis: Formerly SPARTA Formerly Cobham Formerly SPARTA

2 AGENDA
Provide introduction and overview of:
– Authenticated Encryption with Replay prOtection (AERO)
All information obtained from IETF Internet Draft

3 USAGE and APPLICABILITY
Provides confidentiality, authentication, and replay protection
Especially well suited for bandwidth constrained environments
– Minimal data expansion
– Avoids managing implicit state
– Provides strong misuse resistance
Well suited for use when multiple senders & receivers share crypto keys

4 AERO Introduction
Internet Engineering Task Force (IETF) Internet Draft
– Authenticated Encryption with Replay prOtection (AERO); draft-mcgrew-aero-00.txt; D. McGrew (Cisco) and J. Foley (Cisco)
Authenticated Encryption with replay protection
– Stateful & self-synchronizing encryption
– Replay protection
– Authentication
  » Replay & authentication provided via single mechanism
– Makes use of underlying stateless encryption (AES)
Uses AES in eXtended Code Book (XCB) mode
– AERO_AES_128_XCB
– AERO_AES_192_XCB
– AERO_AES_256_XCB

5 AERO Overview
Minimization of overhead
– Combines authentication & replay protection
  » Eliminates replay overhead and need for implicit state information
  » Sequence number is encrypted with plaintext
      Sender maintains a sequence number which is transmitted to the receiver
      Receiver verifies received sequence number
– No nonce or initialization vector (IV) used
  » Reduces overhead
  » No need to coordinate nonces among multiple receivers
  » Eliminates problems with nonce misuse as is the case with AES/GCM

6 AERO Encryption Process
A = associated data
P = plaintext
S = sequence number
Padding = 128-bit block
I2S = integer-to-string
K = key
C = ciphertext
Length (C) == Length (P)

7 AERO Decryption Steps
4.5. Decryption
To decrypt an encrypted message (A, C),
1. The stateless decryption algorithm is applied to A and C, using the secret key K in the context, returning a candidate sequence number Z, which is a T-bit unsigned integer, and a plaintext Q, which is an octet string.
2. If PMIN * 8 > T, then padding is removed from Q as follows. B is set to the value of the last octet of Q, converted to an 8-bit unsigned integer. If B > (128 - T)/8, then the FAIL symbol is returned, and processing halts. Otherwise, the octet string P is set to all but the final B + 1 octets of Q.
3. Z is converted from an octet string to an unsigned integer using the S2I routine defined in Section
4. Z is processed as follows; see Figure 3 for an illustration.
   1. If Z is between 0 and S-W, inclusive, then Z is rejected.
   2. If Z is between S-W+1 and S, inclusive, then the bitmask M is checked. If M[S-Z] = 0, then Z is accepted, M[S-Z] is set to 1, and P is returned as the plaintext. If M[S-Z] = 1, then Z is rejected.
   3. If Z is between S+1 and S+W, inclusive, then Z is accepted, S is set to Z, and P is returned as the plaintext. The bitmask is shifted by Z-S (in the direction of higher indices).
   4. If Z is between S+W+1 and R, inclusive, then Z is rejected and R is set to Z.
   5. If Z is between R+1 and R+V, inclusive, then Z is accepted, S is set to Z, the bitmask M is set to the all-zero value, and P is returned as the plaintext.
   6. If Z is between R+V+1 and 2^T+1, inclusive, then Z is rejected and R is set to Z.
5. When Z is rejected, then AERO decryption MUST return the FAIL symbol, which indicates that either the message was a replay or a forgery attempt.
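
The six range checks applied to Z, written out as an added example (not code from the slides or from the Internet Draft), run over a constructed trace with reordering, replays and a jump far ahead. Assumptions: W = 8, V = 4 and the starting values S = R = 0 are constructed, and setting bit 0 of M after a shift or reset, so that the newly accepted S counts as seen, is this example's choice; the slide states only the shift and the all-zero reset.

```python
from dataclasses import dataclass

@dataclass
class ReplayState:
    W: int = 8   # window size (constructed value)
    V: int = 4   # resync tolerance (constructed value)
    S: int = 0   # highest accepted sequence number (assumed start)
    R: int = 0   # last rejected far-ahead candidate (assumed start)
    M: int = 1   # bitmask: bit i set means S-i was already accepted

    def check(self, Z: int) -> bool:
        """Return True to release P, False for the FAIL symbol."""
        S, W, R, V = self.S, self.W, self.R, self.V
        if Z <= S - W:                 # rule 1: older than the window
            return False
        if Z <= S:                     # rule 2: inside the window
            bit = 1 << (S - Z)
            if self.M & bit:           # already seen: replay
                return False
            self.M |= bit
            return True
        if Z <= S + W:                 # rule 3: slide the window forward
            shift = Z - S              # computed before S is overwritten
            # Assumption: bit 0 is set so the new S counts as seen.
            self.M = ((self.M << shift) | 1) & ((1 << W) - 1)
            self.S = Z
            return True
        if Z <= R:                     # rule 4: ahead of window, not past R
            self.R = Z
            return False
        if Z <= R + V:                 # rule 5: close follow-up to R, resync
            self.S, self.M = Z, 1      # all-zero mask plus bit 0 (assumption)
            return True
        self.R = Z                     # rule 6: remember as resync candidate
        return False

def run(seqs, state=None):
    """Feed candidate sequence numbers Z in order; return accept/reject list."""
    state = state or ReplayState()
    return [state.check(z) for z in seqs]

# Constructed trace: in-order, reordered, replayed, then a jump far ahead.
TRACE = [1, 3, 2, 2, 3, 100, 101, 101, 3]

if __name__ == "__main__":
    for z, ok in zip(TRACE, run(TRACE)):
        print(z, "accept" if ok else "FAIL")
```

In the trace, 100 is rejected and only recorded in R; the following 101 falls within R+V and resynchronizes the receiver, after which the old value 3 is below the window.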

8 AERO Decryption Process

9 AERO Rationale & Summary
Padding is an unfortunate requirement
– AES is block oriented
– Pad stripping incorporates an authentication check
Incorporation of the sequence number inside AERO
– Brings security-critical function inside the cryptographic boundary
Use of XCB is computationally expensive
Does not support pipelined implementation using XCB
– XCB is an off-line algorithm that requires plaintext to be fully buffered
– Could employ Online Pseudo-Random Permutation (OPRP)