Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 1 An Analysis of AES in OCB Mode Nancy Cam-Winget, Atheros Communications.

Published byKenia Hawken Modified over 9 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 1 An Analysis of AES in OCB Mode Nancy Cam-Winget, Atheros Communications."— Presentation transcript:

1 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 1 An Analysis of AES in OCB Mode Nancy Cam-Winget, Atheros Communications Jesse Walker, Intel Corporation

2 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 2 Acknowledgements Bill Arbaugh – U of Maryland Greg Chesson – Atheros Communications Phil Rogaway – UC Davis Aman Singla – Atheros Communications

3 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 3 Agenda Background Discussion of AES OCB mode Security Considerations Acceptance Considerations Performance Considerations True Integrity:Using OCB to fix a bug in the Draft Summary

4 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 4 Review of WEP WEP attacks –IV can NEVER safely be reused with same key –RC4 unsuitable for 802.11 datagrams –CRC can be used to speed up dictionary attack The use of RC4 requires the key schedule to be reinitialized for every packet –Hurts performance –This property is what got WEP in trouble in the first place –RC4 is a fine cipher, but inappropriate as a bulk crypto mechanism in a datagram environment

5 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 5 Concepts Data privacy –Protection of data. Prevent unauthorized viewing of the data Data integrity –Prevent modification, insertion or deletion of data (collectively known as “forgery”) –Validation of data: MIC Data authenticity –Synonym for data integrity

6 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 6 Data (true) Integrity Beyond data integrity (no change in plaintext) it also means ensuring received data was actually sent by genuine peer on an established link –The link is immune from forgery This is a necessary attribute of any scheme seeking to control access

7 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 7 Security Framework Requirements defined in 802.11-00/231 Clause 4 Extensibility, Compatibility, and Interoperability includes support for: –Authentication algorithm –Privacy algorithm –Data integrity algorithm

8 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 8 Why Per-Packet Data Integrity? Requirements say so –Ref: doc IEEE 802.11/231 clause 4.2.2 More important, 802.11 security seeks to provide meaningful access control –Not feasible to control access unless all packets on authenticated association are also validated –If no per-packet data integrity check, then association authentication meaningless, i.e., forgery is always possible to an attacker

9 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 9 Security Requirements Discussion Data privacy –Goal: prevent inadvertent unauthorized disclosure due to message transfer –Mechanism to achieve goal: encryption Data integrity –Goal: prevent data forgery, replay –Mechanism to achieve goal: Message Integrity Code + sequence number + link protection

10 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 10 Security Mechanism Goals Meet security requirements Work with 802 authentication/key management infrastructure Implementation ease (and payload overhead) Good performance

11 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 11 Agenda Background Discussion of AES OCB mode Security Considerations Acceptance Considerations Performance Considerations True Integrity:Using OCB to fix a bug in the Draft Summary

12 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 12 AES Cipher NIST selection criteria is similar to 802.11’s: –Security –Performance in both software and hardware –Efficiency –Ease of implementation NIST selection process took 4 years! –Initiated Jan 1997, decision finalized Feb 2001

13 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 13 AES properties Symmetric 128bit block cipher –NIST allows 128-, 192- and 256bit keys blocks –802.11 proposes using 128-bit keys Low memory requirements Good performance across all known hardware and software platforms –Highly parallelizable –Compact source code –~ 285 cycles/block on a Pentium Pro

14 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 14 AES Strengths (1) Exhaustive key search best known attack against AES—and large key size makes exhaustive search computationally infeasible –Key recovery operations O(2 127 ) AES operations on average 128-bit block size makes it orders of magnitude more secure than same algorithm with a 64-bit block size

15 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 15 AES Strengths (2) Performance –Highly parallelizable –Compact implementations –Efficient key schedule computation Platform neutrality –Efficient implementation possible on all platforms Critical path instructions: 8-bit  8-bit S-box, XOR6, XOR5, XOR2, MUX2 –Endian-neutrality

16 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 16 Agenda Background Discussion of AES OCB mode Security Considerations Acceptance Considerations Performance Considerations True Integrity:Using OCB to fix a bug in the Draft Summary

17 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 17 OCB mode of operation OCB mode is a block cipher mode of operation OCB provides authenticated-encryption: provides both privacy and authenticity –i.e. provides data authenticity at almost no extra cost over the cost of encryption

18 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 18 Why Use a Mode of Operation? AES is a block cipher Networking produces arbitrary length messages to encipher/decipher Naïve use of any block cipher for arbitrary length messages (called Electronic Codebook, or ECB mode) is insecure

19 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 19 Example Modes of Operation Partition message M into blocks M = M 1 M 2 … M m ECB Mode: C i  E K (M i ) (insecure if m > 1) Counter Mode: C i  E K (counter)  M i, counter  counter + 1 (secure if counter is never reused with same key K) CBC Mode: C i  E K (C i-1  M i ), C 0  E K (IV  M 0 ) (secure if IV is random and never reused with same key K)

20 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 20 Comparison of Modes ModePrivacyIntegrityComments ECBSometimesNoVulnerable to attack. Must choose a MIC CounterYesNoVulnerable if counter is ever reused. Must choose a MIC CBCYesNoSound encryption. Must choose a MIC CBC-MACNoYesRecent attack on forgery (An, Bellare 1999) OCBYes one key and one pass over data gives both privacy and integrity

21 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 21 OCB Properties Uses nearly the theoretical minimal number of block cipher calls required to accomplish both privacy and integrity: number of blocks + 1 Smaller IV is sufficient Single key used for both encryption and MIC Key setup is minimal Session state is minimized

22 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 22 Agenda Background Discussion of AES OCB mode Security Considerations Acceptance Considerations Performance Considerations True Integrity:Using OCB to fix a bug in the Draft Summary

23 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 23 OCB Security Strength Proven privacy and proven integrity –encryption strength stronger than CBC mode –data integrity strength at least as good as CBC-MAC Just like security proofs for CBC and Counter mode and for CBC-MAC, OCB security proof is a reduction: –If a computationally cheap algorithm exists to break OCB, then same algorithm can be used to cheaply break the underlying block cipher –This means: If you believe block cipher x is secure, you believe x-OCB is also secure

24 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 24 Agenda Background Discussion of AES OCB mode Security Considerations Acceptance Considerations Performance Considerations True Integrity:Using OCB to fix a bug in the Draft Summary

25 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 25 Why not separate encryption and integrity algorithms? Requires more customer sophistication –Must know when to enable one or both –Opens the door to unsound practice of encryption without data authentication Requires more resources –Sender, receiver need state for 2 keys –Encapsulation/decapsulation require two passes over packet

26 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 26 Won’t IP issues make OCB harder to implement? Rogaway has filed patent on OCB OCB based on IAPM, and IBM has filed patent on IAPM Rogaway has non-discriminatory licensing statement for OCB ( http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm ) http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm IBM has non-discriminatory license statement for IAPM ( http://csrc.nist.gov/encryption/modes/proposedmodes/iapm/iapm-ip.pdf ) http://csrc.nist.gov/encryption/modes/proposedmodes/iapm/iapm-ip.pdf Gligor’s (XCBC) work similar to Jutla’s; VDG has filed patent VDG has issued non-discriminatory license statement (http://csrc.nist.gov/encryption/modes/proposedmodes/xcbc/xcbc-doc.pdf)http://csrc.nist.gov/encryption/modes/proposedmodes/xcbc/xcbc-doc.pdf

27 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 27 Won’t OCB Change? If it does, so what? We will use the OCB version dated April 1, 2001 –A full proof of security available –A final specification available Rogaway considers OCB definition final ( http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm )

28 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 28 Agenda Background Discussion of AES OCB mode Security Considerations Acceptance Considerations Performance Considerations True Integrity:Using OCB to fix a bug in the Draft Summary

29 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 29 Some Raw Performance* Selected MICs: –HMAC-MD535.9 cycles/byte –HMAC-SHA158.6 cycles/byte –DES-CBC-MAC48.1 cycles/byte –AES-CBC-MAC18.1 cycles/byte Selected Ciphers: –RC4**12 cycles/byte –3DES144.8 cycles/byte –AES-CBC18.1 cycles/byte –AES-OCB22.7 cycles/byte *On a Pentium Pro 200 with NT 4.0. HMAC, MD5, SHA-1, DES taken from OpenSSL 0.9.6; AES/OCB from the reference code ** Does not account for resetting or key schedule that is a per packet overhead

30 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 30 Line Rate Cycles in Software 2 = HMAC-MD5 3 = HMAC-SHA1 4 = DES-CBC-MAC 5 = AES-CBC-MAC 6 = RC4 7 = 3DES 8 = AES-CBC 9 = AES-OCB

31 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 31 Performance Considerations Separate privacy and integrity algorithms require –Two passes over packet data e.g. AES-CBC + AES-CBC-MAC ~ 36 cycles/byte –Two keys per half-duplex association –Implementation of separate algorithms e.g., 3DES-CBC + HMAC-SHA-1 OCB –Uses one pass over packet data –1 key per half-duplex association –Implementation of 1 algorithm only – less code/gates

32 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 32 Agenda Background Discussion of AES OCB mode Security Considerations Implementation Considerations Performance Considerations True Integrity:Using OCB to fix a bug in the Draft Summary

33 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 33 Another type of attack STA 1 STA 2 AP Attacker Change pkt DA to be Attacker An authenticated attacker can easily modify the destination’s address from any packet and get a decrypted packet by simply modifying the contents of the Address 3 field!

34 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 34 Address is always Addr 3 ToDSFromDSAddr 3 Comments 00BSSIDCommon key is used; attack is moot 10SADA is qualifier sending to SA 01DASA is qualifier sending to DA 11DARA is qualifier sending to DA

35 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 35 OCB can provide true Integrity AES can easily protect addresses by inclusion in the IV: IV = 0 2bytes || Addr 3 (6bytes) || Replay Seq (8bytes)

36 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 36 Agenda Background Discussion of AES OCB mode Security Considerations Implementation Considerations Performance Considerations Summary

37 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 37 Summary OCB mode security is proven –Its proof says any weakness can only be in underlying cipher –its mandatory use of data integrity increases chance correct use AES-OCB maximizes performance on the widest variety of platforms Licensing –Rogaway, IBM and VDG all have non-discriminatory license statements Opportunity to lead –NIST plans to replace DES with AES as the standard cipher this year

38 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 38 Feedback?

39 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 39 Backup

40 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 40 Comparison Security Goals WEPWEP2AES/OCB privacyRequires rapid key exchange (~10min) Vulnerable to weak keys Key strength: O(2 127 ) AES ops to recover key integrityVulnerable to probabilistic chosen-plaintext attacks Probability of forgery is 2 -MIC_bit_length authenticityNot addressed Easily addressed

41 doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 41 Export Considerations NIST has taken (worldwide) commercial considerations. Collaborative efforts with Canadian Government (http://csrc.nist.gov/encryption/aes/aesfact.html)http://csrc.nist.gov/encryption/aes/aesfact.html

Download ppt "Doc.: IEEE 802.11-01/223 Submission May 2001 Nancy Cam-Winget, Atheros et alSlide 1 An Analysis of AES in OCB Mode Nancy Cam-Winget, Atheros Communications."

Similar presentations

AP STUDY SESSION 2.

AP STUDY SESSION 2.
ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.

ISA 662 SSL Prof. Ravi Sandhu. 2 © Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later.
Symmetric Encryption Prof. Ravi Sandhu.

Symmetric Encryption Prof. Ravi Sandhu.
© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.

© 2008 Pearson Addison Wesley. All rights reserved Chapter Seven Costs.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Processes and Operating Systems

Processes and Operating Systems
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Author: Julia Richards and R. Scott Hawley

Author: Julia Richards and R. Scott Hawley
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 3 CPUs.
Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.

Properties Use, share, or modify this drill on mathematic properties. There is too much material for a single class, so you’ll have to select for your.
Hashes and Message Digests

Hashes and Message Digests
Submission Title: [AES Modes] Date Submitted: [May 10, 2002]

Submission Title: [AES Modes] Date Submitted: [May 10, 2002]
Doc.: IEEE 802.11-98/178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE 802.11e Security IEEE 802.11 Task Group.

Doc.: IEEE /178 Submission July 2000 A. Prasad, A. Raji Lucent TechnologiesSlide 1 A Proposal for IEEE e Security IEEE Task Group.
Doc.: IEEE 802.11-01/147March 2000 TGe SecuritySlide 1 The Status of TGe S Draft Text Jesse Walker Intel Corporation (503) 712-1849.

Doc.: IEEE /147March 2000 TGe SecuritySlide 1 The Status of TGe S Draft Text Jesse Walker Intel Corporation (503)
UNITED NATIONS Shipment Details Report – January 2006.

UNITED NATIONS Shipment Details Report – January 2006.
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
Create an Application Title 1A - Adult Chapter 3.

Create an Application Title 1A - Adult Chapter 3.
2 © 2004, Cisco Systems, Inc. All rights reserved. Scalable, Efficient Cryptography for Multiple Security Services David A. McGrew Cisco Systems, Inc.

2 © 2004, Cisco Systems, Inc. All rights reserved. Scalable, Efficient Cryptography for Multiple Security Services David A. McGrew Cisco Systems, Inc.
Cryptography encryption authentication digital signatures

Cryptography encryption authentication digital signatures
1 Pretty Good Privacy (PGP) Security for Electronic Email.

1 Pretty Good Privacy (PGP) Security for Electronic .

Similar presentations

Ads by Google