
1 doc.: IEEE 802.15-<doc#>
<May 2010>
Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs)
Submission Title: [Generalized secure services to accommodate cryptos]
Date Submitted: [13 May, 2010]
Source: [Masayuki Kanda, Shin’ichiro Matsuo, Masahiro Kuroda, Grace Sung, Ryuji Kohno, Toshinori Fukunaga] Company [NTT, IPA, NICT]
Address [4-2-1 Nukui-Kitamachi, Koganei, Tokyo, Japan (NICT)]
Phone: [ ], FAX: [ ]
Abstract: [This document explains the updates for security services in the baseline document mac-and-security-baseline-proosal-c-normative-text-doc.doc to the TG6 group. The proposal normative text is generalized-security-services.doc.]
Purpose: [Discussion in Task Group]
Notice: This document has been prepared to assist the IEEE P It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P
<M. Kanda, S. Matsuo, M. Kuroda, G. Sung, R. Kohno, T. Fukunaga>

2 Generalized secure services to accommodate cryptos
Masayuki Kanda [NTT, IPA]
Shin’ichiro Matsuo, Masahiro Kuroda, Grace Sung, Ryuji Kohno [NICT]
Toshinori Fukunaga [NTT]

3 Outline
- Addition of Security services using Camellia cipher
  - Normative text describes details of the security services process using Camellia cipher
  - Camellia is assigned to the field value “1” in the message security protocol field
- Amendments of Security association frames
  - Frame payload format for security disassociation frames is revised to add security suite selector
  - Security association frame is amended because of mistakes
- Other points
  - KMAC calculations in 8.1.5 and 8.1.6 are amended because of mistakes
  - The length of MIC should be extended to enhance collision resistance

4 Addition of Security services using Camellia cipher
- For AES and Camellia, all modes of operation described in this document can be shared without any modifications
  - SP800-38B/C (also ISO/IEC 19772) only specifies “Prerequisites: block cipher CIPH (with block size b)”, not “AES”
  - AES and Camellia have a perfectly convertible interface
[Figures: <Ref> SP800-38B CMAC Generation; <Ref> SP800-38C CCM Generation-Encryption Process]

5 Addition of Security services using Camellia cipher
Implementation outline for CCM
[Figure: CCM process (independence of ciphers): blocks B0, B1, B2, B3, …, Bm of the unencrypted frame payload and counter blocks ctr0, ctr1, ctr2, ctr3, …, ctrm (unencrypted), each passed through CIPHK, producing the encrypted frame payload and the MIC.]
The cipher (CIPHK) with key (K) is selected depending on the message security protocol field in the Security_suite_selector (Ref: in 6.3.2):
- message security protocol is “0”: AES (AES-CCM)
- message security protocol is “1”: Camellia (Camellia-CCM)

6 Addition of Security services using Camellia cipher
8. Security Services
Proposal: all present descriptions of chapter 8 are duplicated, except for the algorithm name and reference.
Example:
Using AES-CMAC (Chap. 8.1)
  In these association protocols, the cipher-based message authentication code (CMAC) algorithm as specified in the NIST Special Publication 800-38B, with the AES forward cipher function under a 128-bit key as specified in FIPS Pub 197, is used to compute key message authentication codes (KMAC) and the desired shared master key. Specifically, the functional notation CMAC(K, M) represents the 128-bit output of the CMAC applied under key K to message M based on the AES forward cipher function.
Using Camellia-CMAC (Chap. 8.1)
  In these association protocols, the cipher-based message authentication code (CMAC) algorithm as specified in the NIST Special Publication 800-38B, with the Camellia forward cipher function under a 128-bit key as specified in ISO/IEC , is used to compute key message authentication codes (KMAC) and the desired shared master key. Specifically, the functional notation CMAC(K, M) represents the 128-bit output of the CMAC applied under key K to message M based on the Camellia forward cipher function.
Using AES-CCM (Chap )
  Secured frames shall be authenticated, and encrypted/decrypted when required, based on AES-128 CCM, i.e., the CCM mode as specified in the NIST Special Publication 800-38C, with the AES forward cipher function for 128-bit keys as specified in FIPS Pub 197 applied as the underlying block cipher algorithm.
Using Camellia-CCM (Chap )
  Secured frames shall be authenticated, and encrypted/decrypted when required, based on Camellia-128 CCM, i.e., the CCM mode as specified in ISO/IEC 19772, with the Camellia forward cipher function for 128-bit keys as specified in ISO/IEC applied as the underlying block cipher algorithm.

7 Addition of Security services using Camellia cipher
Our proposal for revision: merger of both descriptions
- Algorithm name: change “AES” to “128-bit block cipher(-based)”
- Reference: change “NIST SP” to “ISO/IEC standard”
- Clarification for algorithm selection; i.e., Message Security Protocol
Proposal - Merged version
Using CMAC (Chap. 8.1)
  In these association protocols, depending on the message security protocol in the security suite selector of the frame payload of the first Security Association frame or the Security Disassociation frame, the cipher-based message authentication code (CMAC) algorithm as specified in the NIST Special Publication 800-38B, with the 128-bit block cipher-based forward cipher function under a 128-bit key as specified in ISO/IEC , is used to compute key message authentication codes (KMAC) and the desired shared master key. Specifically, the functional notation CMAC(K, M) represents the 128-bit output of the CMAC applied under key K to message M based on the 128-bit block cipher-based forward cipher function.
Using CCM (Chap )
  Secured frames shall be authenticated, and encrypted/decrypted when required, based on 128-bit block cipher-based CCM, i.e., the CCM mode as specified in ISO/IEC 19772, with the 128-bit block cipher-based forward cipher function for 128-bit keys as specified in ISO/IEC applied as the underlying block cipher algorithm, depending on the message security protocol in the security suite selector of the frame payload of the first Security Association frame.

8 Amendments of Security association frames
- Frame payload format for security disassociation frames is revised to add security suite selector (8.1.6 Disassociation)
- Security association frame (Fig. 17) is amended
Security disassociation frame payload (Baseline document):
  Fields: Recipient Address | Sender Address | Sender Nonce | DA_KMAC
  Octets: 6 | 6 | 16 | 8
  Octet order: 0-5 | 0-5 | 0-15 | 0-7
Security disassociation frame payload (Proposal):
  Fields: Recipient Address | Sender Address | Security Suite Selector | Sender Nonce | DA_KMAC
  Octets: 6 | 6 | 2 | 16 | 8
  Octet order: 0-5 | 0-5 | 0-1 | 0-15 | 0-7
DA_KMAC computation (Baseline document):
  The node and the hub shall compute DA_KMAC as follows:
  P = CMAC(MK, Address_A || Address_B || Nonce_A)
  DA_KMAC = LMB_64(P)
  * CMAC means AES-CMAC definitively
DA_KMAC computation (Proposal):
  The node and the hub shall compute DA_KMAC, depending on the message security protocol in the Security_Suite_Selector, as follows:
  P = CMAC(MK, Address_A || Address_B || Nonce_A || Security_Suite_Selector)
  DA_KMAC = LMB_64(P)
Security association frame payload (Baseline document) (Amendment):
  Fields: Recipient Address, Sender Address, Security Suite Selector, Association Sequence Number, Security Association Data
  Octets: 6 6 2 1 72
  Octet order: 0-5 0-5 0-1 0-71
  Security Suite Selector subfields: Security Association Protocol, Security Level, Required Control Frame Authentication, Reserved, Message Security Protocol

9 Other points
- KMAC calculations in 8.1.5 and 8.1.6 are amended
  - The length of resultant KMAC is 128-bit, while the length of KMAC field is 64-bit
  - Need to add the “LMB_64” truncation
- The length of MIC should be extended to enhance collision resistance
  - 32-bit MIC is too short to achieve collision resistance from the aspect of cryptology
  - SP800-38C also states “value of Tlen that is less than 64 shall not be used without a careful analysis of the risks of accepting inauthentic data as authentic”
  - Should extend to 64-bit (8-octets) or more
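
Added example, not part of the presentation or the TG6 draft: the DA_KMAC computation from slides 8 and 9, written over a generic forward cipher CIPH as slide 4 describes, with the proposal's Security_Suite_Selector binding switchable. Assumptions: the two ciphers are stand-in Feistel permutations built from BLAKE2b, because Python's standard library has neither AES nor Camellia; the message security protocol value is passed in already parsed; all function names are illustrative.

```python
import hashlib, hmac

BLOCK = 16  # b = 128 bits, the block size shared by AES and Camellia

def standin_ciph(tag: bytes, key: bytes):
    """Forward cipher CIPH_K as a 4-round Feistel permutation on 16 bytes.
    Stand-in only (stdlib has no AES/Camellia); not a real cipher."""
    def f(rnd, half):
        return hashlib.blake2b(bytes([rnd]) + half, key=key,
                               person=tag, digest_size=8).digest()
    def ciph(block):
        l, r = block[:8], block[8:]
        for rnd in range(4):
            l, r = r, xor(l, f(rnd, r))
        return l + r
    return ciph

# Message security protocol value -> cipher slot (0 = AES, 1 = Camellia on the slides).
CIPHERS = {0: lambda k: standin_ciph(b"slot-0-AES", k),
           1: lambda k: standin_ciph(b"slot-1-Camellia", k)}

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def dbl(block):
    """Multiply by x in GF(2^128): the SP 800-38B subkey step (R_128 = 0x87)."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "big")

def cmac(ciph, msg):
    """CMAC generation over any 128-bit forward cipher function."""
    k1 = dbl(ciph(bytes(BLOCK)))
    k2 = dbl(k1)
    n = max(1, -(-len(msg) // BLOCK))           # number of blocks, at least one
    last = msg[(n - 1) * BLOCK:]
    if len(last) == BLOCK:                      # complete final block: mask with K1
        last = xor(last, k1)
    else:                                       # partial: pad 10...0, mask with K2
        last = xor(last + b"\x80" + bytes(BLOCK - len(last) - 1), k2)
    c = bytes(BLOCK)
    for i in range(n - 1):
        c = ciph(xor(c, msg[i * BLOCK:(i + 1) * BLOCK]))
    return ciph(xor(c, last))

def da_kmac(mk, addr_a, addr_b, nonce_a, selector, protocol, bind_selector=True):
    """LMB_64(CMAC(MK, A || B || Nonce_A [|| Security_Suite_Selector]))."""
    m = addr_a + addr_b + nonce_a + (selector if bind_selector else b"")
    return cmac(CIPHERS[protocol](mk), m)[:8]   # LMB_64: leftmost 64 bits

def verify_da_kmac(received, *args, **kw):
    return hmac.compare_digest(received, da_kmac(*args, **kw))
```

With `bind_selector=False` (the baseline formula) two frames that differ only in the selector octets carry the same DA_KMAC; with the proposal's formula they do not.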

10 What’s Camellia
- 128-bit block cipher (allowing key sizes of 128, 192, and 256 bits), jointly developed in 2000 by NTT & Mitsubishi
  - Compatible interface with AES
  - Very stable specification
- World’s highest security and efficiency – technically comparable to AES
- Ready for easy usage circumstance
  - Camellia essential patents can be used at no charge by any user without concluding royalty-free licensing agreement
  - Already adopted to various international standards & recommendations
  - Already supported in various major open source software, e.g., Mozilla, OpenSSL, Linux, FreeBSD and Kerberos
  - NTT’s open source codes of Camellia free of charge through multiple OSS licenses (GPL, LGPL, BSD, MPL, OpenSSL)

11 Security
- Achievement of the world’s highest resistant security against state-of-the-art attacks and future unknown attacks
  - NO vulnerabilities of Camellia with any size of keys are found against state-of-the-art attacks by world’s top-class researchers (over 40 papers)
  - World’s top-class resistant security (security margin) against unknown attacks in the future
  - [FYI] In 2009, AES-192/256 can be theoretically broken using related-key attack proposed by Alex Biryukov, et al.
- Suitable as a backup – Adoption of Feistel structure (like DES-style), Not SPN structure (like AES-style)
[Figure (at the present time): breakable rounds for Camellia and for AES, 128-bit and 256-bit keys, with regions labelled “Successful attacks”, “Best Known attacks” and “Unknown attacks”. Camellia: “Unknown attacks up to 18 rounds” (128-bit keys) and “Unknown attacks up to 24 rounds” (256-bit keys). AES 256-bit keys: “Break”.]

12 Performance and Flexibility
- Achievement of high-speed software without dependence on platform such as PCs or smart cards
  - For PCs: Performance is achieved by using many registers, pre-computed large tables and powerful instruction sets
  - For smart cards: Containment of memory usage is achieved using small tables and on-the-fly subkey generation
- Achievement of world's smallest hardware implementation with world top-class efficiency
  - Substitution tables can be implemented using an inversion function over GF(2^8) and affine transformations
  - F function can be shared between data randomization block and key scheduler
  - On-the-fly subkey generation technique can be used with secret key and intermediate keys

13 Performance and Flexibility
- Performance of Camellia is comparable to that of AES on any platform
- Designed world’s smallest circuit for 128-bit block ciphers (smaller than 10 Kgates) with world top-class efficiency
[Figure: 128-bit key ASIC results, as throughput/gate count: 2728Mbps/20.0KGs, 1908Mbps/20.8KGs, 2155Mbps/29.8KGs, 2024Mbps/13.2KGs, 1881Mbps/44.3KGs, 1051Mbps/11.9KGs, 1422Mbps/31.1KGs, 971.2Mbps/7.8KGs, 325.8Mbps/6.5KGs, 969.7Mbps/14.2KGs, 204.6Mbps/6.3KGs, 567.3Mbps/9.1KGs, 71.6Mbps/6.4KGs]

14 Performance and Flexibility
- Anyone can implement Camellia using open documents
Quote: “Hardware-Focused Performance Comparison for the Standard Block Ciphers AES, Camellia, and Triple-DES,” by Akashi Satoh (IBM Japan Ltd)

15 Performance and Flexibility
- Comparison between AES and Camellia (by Satoh, et al.)

16 Performance and Flexibility
- AES & Camellia Combination Hardware
Quote: “Unified Hardware Architecture for 128-bit Block Ciphers AES and Camellia,” by Akashi Satoh (IBM Japan Ltd)

17 For More Detail …
Please see the Camellia website!!
- Introduction handout
- Specifications
- Technical Information
- Open Source codes
- Test Vectors

18 For More Detail …
Also see Cryptographic Hardware Project website
- Camellia sample hardware core exists

