1. 21-13-0212-00-MuGM IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-13-0212-00-MuGM Title: On encryption mode to generate GKB Date Submitted: Nov, 12, 2013 Presented at IEEE 802.21 session #59 in Dallas Authors or Source(s): Yoshikazu Hanatani (Toshiba) Abstract: This contribution introduces ECB mode issue to discuss remedies of cmt #109 in LB7a. 1

2. 21-13-0212-00-MuGM IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/guide.html> Section 6.3 of the IEEE-SA Standards Board Operations Manualhttp://standards.ieee.org/guides/opman/sect6.html#6.3 http://standards.ieee.org/board/pat/guide.html IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/faq.pdf> Section 6 of the IEEE-SA Standards Board bylawshttp://standards.ieee.org/guides/bylaws/sect6-7.html#6 http://standards.ieee.org/board/pat/faq.pdf 2

3. AES-ECB Strong point Efficient An initial vector (IV) is not needed. Weak point It may leak information of a plain text. The same plaintext is always encrypted to the same ciphertext. In generally, the ECB mode is not recommended. 21-13-0212-00-MuGM M1M2M3 M = AES-Enc C1C2C3 C = kkk 16byte 3

4. GKB using AES-ECB The GKB method in the current draft uses AES-ECB. AACS also uses AES-ECB to generate MKB. MGK is chosen from [0,…, 2 128 -1] uniformly at random. When 2 64 MGKs are chosen, there are the same MGK with probability 1/2. (Birthday bound) MGK is encrypted by different node keys. 21-13-0212-00-MuGM MGK AES-Enc C1C2C3 GroupKeyData = k1k2k3 16byte 4

5. Comparison GKB using AES-ECB IV is not needed. Information of MGK may be leaked, but it is very low probability, when MGK is updated every time. There is a problem when MGK is not updated even if group members are changed. GKB using another mode Some IV is needed. The data size of GroupKeyData is increased. Information of MGK is not leaked. 21-13-0212-00-MuGM MGK AES-*** C1C2C3 GroupKeyData = k1k2k3 16byte IV1IV2 IV3 5

6. Remedies for cmt #109 1.Support GKB with AES-ECB only. (Current Draft) 2.Support GKB with AES-***. Shorter IV is desirable. 3.Support GKB with AES-ECB and AES-***. 21-13-0212-00-MuGM6