Authenticated Encryption with Replay prOtection (AERO)

Presentation transcript:

1 Authenticated Encryption with Replay prOtection (AERO) mcgrew@cisco.com

2 AERO
  Authenticated Encryption algorithm
  Stateful and self-synchronizing
  Easy to use
  Robust against nonce misuse and decryption misuse
  Saves bandwidth
  No nonce, no sequence number
  New standards contributions and research

3 Communication Security Goals
  Unreliable transport: message loss, message reorder
  Multiple senders, multiple receivers
  Adaptive chosen plaintext, chosen ciphertext attacks
  Security against forgery
  Plaintext indistinguishable from random

4 Conventional Encryption + Authentication
  [Diagram: Header carries Sequence Number and IV; Message -> AES-CBC Encryption -> Ciphertext; HMAC over Sequence Number and Ciphertext -> Tag]

5 Conventional A+E with Extended SEQ
  [Diagram: Header carries SEQ LO and IV; SEQ HI is not transmitted but is included in the HMAC; Message -> AES-CBC Encryption -> Ciphertext; HMAC -> Tag]

6 Conventional Decryption
  [Diagram: Header (Sequence Number, IV), Ciphertext and Tag -> HMAC check and Sequence Number Check (using the local SEQ HI) -> AES-CBC Decryption -> Message]

7 Authenticated Encryption with Associated Data (AEAD)
  [Diagram: Header carries SEQ LO and IV, SEQ HI is implicit; Message -> AES-GCM Encryption -> Ciphertext and Tag]

8 Authenticated Encryption with Associated Data (AEAD)
  [Same diagram]
  Bandwidth: SEQ, IV, Tag

9 Authenticated Encryption with Associated Data (AEAD)
  [Same diagram]
  Multiple receivers awkward
  Bandwidth: SEQ, IV, Tag

10 Authenticated Encryption with Associated Data (AEAD)
  [Same diagram]
  IV hard to manage
  Multiple senders INSECURE if mismanaged
  Multiple receivers awkward
  Bandwidth: SEQ, IV, Tag

11 Authenticated Encryption with Associated Data (AEAD)
  [Same diagram]
  Complex to use
  IV hard to manage
  Multiple senders INSECURE if mismanaged
  Multiple receivers awkward
  Bandwidth: SEQ, IV, Tag

12 Authenticated Encryption with Associated Data (AEAD)
  [Same diagram]
  Complex to use
  IV hard to manage
  Multiple senders INSECURE if mismanaged
  Multiple receivers awkward
  Bandwidth: SEQ, IV, Tag
  Decryption Misuse

13 AERO
  [Diagram: Header and Message -> AERO Encryption -> Ciphertext]
  Easy to use
  No IV to manage
  Multiple senders: secure if misused
  Multiple receivers easy
  Minimal overhead
  Robust against decryption misuse

14 AERO Encryption
  [Diagram: Sequence Number and Plaintext || Header -> Wide Pseudo Random Permutation (WPRP) Encryption -> Ciphertext]

15 Wide Pseudo Random Permutation (WPRP)
  [Diagram: WPRP Encryption maps the input 562a666ab08dae419b3 to the output 0818a309a064f40a9b2]

16 Wide Pseudo Random Permutation (WPRP)
  [Diagram: WPRP Encryption maps 562a666ab08dae419b3 to 0818a309a064f40a9b2, and the slightly changed input 562a666ab18dae419bf to the entirely different output e295e324f8a7181ad927]

17 Wide Pseudo Random Permutation (WPRP)
  [Diagram: WPRP Decryption maps 0818a309a064f40a9b2 back to 562a666ab08dae419b3, and e295e324f8a7181ad927 back to 562a666ab18dae419bf]
  AES Extended Codebook (XCB) Mode of Operation

18 AERO Decryption
  [Diagram: Ciphertext -> Wide Pseudo Random Permutation (WPRP) Decryption -> Candidate Seq Num, Plaintext || Header -> Check (against state s, r) -> either Return Plaintext and Update s, or Return FAIL; output is Plaintext or FAIL]

19 Candidate Sequence Number Checking
  [Diagram: number line from 0 to 2^t - 1 with s = largest sequence number accepted so far, r = last rejected candidate sequence number, and CSN = the candidate being checked]

20 Likely next candidates
  [Diagram: same number line; the likely next candidates s+1, s+2, ... lie just above s]

21 Candidate Sequence Number Checking
  [Diagram: same number line; a window of width w lies below s, a window of width v lies above s, and a window of width w lies above r]

22 (Re)synchronization
  [Diagram: same number line; the Actual Sequence Number lies far from s and is recorded as r]

23 (Re)synchronization
  [Diagram: same number line; the next candidate, Actual Sequence Number + 1, lies just above r]

24 Candidate Sequence Number Checking
  [Diagram: same number line with the decision for each region]
  CSN within v above s: set s, accept
  CSN within w below s: check bitmask, accept; update s, update bitmask, accept
  CSN elsewhere: set r, reject

25 Security of Authentication
  [Diagram: number line from 0 to 2^t - 1 with s and r marked; the accepting regions total 2w + v ~ 72 out of 2^t possible CSN values]
  Probability of successful forgery = 72 / 2^t ~ 2^(-t+7)
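The candidate-sequence-number check of slides 19 to 25, written out as a small Python model of the receiver state (s, r, bitmask). This is an added illustration, not code from the presenter or the AERO drafts; the window sizes W and V, the rule that a candidate within w above the last rejected one resynchronizes, and the choice to mark the whole window as consumed on resynchronization are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed parameters, chosen so that 2w + v = 72 as on slide 25
T = 32   # width in bits of the sequence number inside the WPRP block
W = 32   # bitmask window below s (late / reordered packets)
V = 8    # forward window above s (likely next candidates s+1 .. s+v)


@dataclass
class AeroReceiverState:
    s: int = 0               # largest sequence number accepted so far
    r: Optional[int] = None  # last rejected candidate sequence number
    mask: int = 1            # bit i set <=> sequence number s-i already accepted
                             # (sequence number 0 is a never-used sentinel, so bit 0 starts set)


def check_csn(state: AeroReceiverState, csn: int) -> bool:
    """Accept or reject candidate sequence number csn and update state in place."""
    full = (1 << W) - 1
    if state.s < csn <= state.s + V:
        # likely next candidate: advance s and slide the bitmask forward
        shift = csn - state.s
        state.mask = ((state.mask << shift) | 1) & full
        state.s = csn
        state.r = None
        return True
    if state.s - W < csn <= state.s:
        # late or reordered packet: accept once, reject a replay
        bit = 1 << (state.s - csn)
        if state.mask & bit:
            return False
        state.mask |= bit
        return True
    if state.r is not None and state.r < csn <= state.r + W:
        # (re)synchronization: a second candidate just above the rejected one
        # is taken as the actual sequence number; everything at or below the
        # new s is marked consumed so the earlier rejected copy cannot be replayed
        state.s = csn
        state.mask = full
        state.r = None
        return True
    # outside every window: remember it so that a follow-up can resynchronize
    state.r = csn
    return False


def forgery_probability(t: int = T, w: int = W, v: int = V) -> float:
    """A random t-bit candidate lands in one of roughly 2w + v accepting positions."""
    return (2 * w + v) / 2 ** t
```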

26 IPSec
  ESP with AES-GCM, AES-CCM, or AES-CTR plus HMAC-SHA1:
    SPI (4 bytes), SEQ, IV (8 bytes), Ciphertext (length of plaintext + pad), Tag (12 bytes)
    24+ bytes overhead per packet
    no misuse resistance
  ESP with AERO:
    SPI (4 bytes), Ciphertext (plaintext length + 12 bytes)
    12 bytes overhead per packet
    misuse resistance

27 Performance
  WPRP CPB ~ 1.5 x GCM CPB
  Inefficient on long messages: higher latency, larger memory requirements
  ... but this is true of all AEAD methods ...
  More efficient on short messages
  Short frames (about 100 bytes for 802.15): four bytes less overhead means
    ~ 4% less power used in transmission
    ~ 4% less power used in reception
    ~ 4% lower probability that retransmission is needed

28 Status
  Research: formalization of security models and goals; WPRP encryption alternatives
  IETF: draft-mcgrew-aero-00.txt, draft-mcgrew-srtp-aero-01.txt, draft-mcgrew-dtls-aero-00.txt
  CAESAR: does not work with conventional AEAD API
