1 / 9

AERO Algorithm Overview 28-29 October 2013 San Antonio, Texas USA

AERO Algorithm Overview 28-29 October 2013 San Antonio, Texas USA. Howard Weiss NASA/JPL/PARSONS*. Identity crisis: Formerly SPARTA Formerly Cobham Formerly SPARTA. AGENDA. Provide introduction and overview of: Authenticated Encryption with Replay prOtection (AERO )

afric
Download Presentation

AERO Algorithm Overview 28-29 October 2013 San Antonio, Texas USA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AERO Algorithm Overview28-29 October 2013San Antonio, Texas USA Howard WeissNASA/JPL/PARSONS* • Identity crisis: • Formerly SPARTA • Formerly Cobham • Formerly SPARTA

  2. AGENDA • Provide introduction and overview of: • Authenticated Encryption with Replay prOtection (AERO) • All information obtained from IETF Internet Draft

  3. USAGE and APPLICABILITY • Provides confidentiality, authentication, and replay protection • Especially well suited for bandwidth constrained environments • Minimal data expansion • Avoids managing implicit state, • Provides strong misuse resistance • Well suited for use when multiple senders & receivers share crypto keys

  4. AERO Introduction • Internet Engineering Task Force (IETF) Internet Draft • Authenticated Encryption with Replay prOtection (AERO); draft-mcgrew-aero-00.txt; D. McGrew (Cisco) and J. Foley (Cisco) • Authenticated Encryption with replay protection • Stateful & self-synchronizing encryption • Replay protection • Authentication • Replay & authentication provided via single mechanism • Makes use of underlying stateless encryption (AES) • Uses AES in eXtendedCode Book (XCB) mode • AERO_AES_128_XCB • AERO_AES_192_XCB • AERO_AES_256_XCB

  5. AERO Overview • Minimization of overhead • Combines authentication & replay protection • Eliminates replay overhead and need for implicit state information • Sequence number is encrypted with plaintext • Sender maintains a sequence number which is xmitted to the receiver • Receiver verifies received sequence number • No nonce or initialization vector (IV) used • Reduces overhead • No need to coordinate nonces among multiple receivers • Eliminates problems with nonce misuse as is the case with AES/GCM

  6. AERO Encryption Process A= associated data P= plaintext S= sequence number Padding = 128-bit block I2S = integer-to-string K= key C= ciphertext Length (C) == Length (P)

  7. AERO Decryption Steps 4.5. Decryption To decrypt an encrypted message (A, C), 1. The stateless decryption algorithm is applied to A and C, using the secret key K in the context, returning a candidate sequence number Z, which is a T-bit unsigned integer, and a plaintext Q, which is an octet string. 2. If PMIN * 8 > T, then padding is removed from Q as follows. B is set to the value of the last octet of Q, converted to an 8-bit unsigned integer. If B > (128 - T)/8, then the FAIL symbol is returned, and processing halts. Otherwise, the octet string P is set to all but the final B + 1 octets of Q. 3. Z is converted from an octet string to an unsigned integer using the S2I routine defined in Section 1.3. 4. Z is processed as follows; see Figure 3 for an illustration. 1. If Z is between 0 and S-W, inclusive, then Z is rejected. 2. If Z is between S-W+1 and S, inclusive, then the bitmask M is checked. If M[S-Z] = 0, then Z is accepted, M[S-Z] is set to 1, and P is returned as the plaintext. If M[S-Z] = 1, then Z is rejected. 3. If Z is between S+1 and S+W, inclusive, then Z is accepted, S is set to Z, and P is returned as the plaintext. The bitmask is shifted by Z-S (in the direction of higher indicies). 4. If Z is between S+W+1 and R, inclusive, then Z is rejected and R is set to Z. 5. If Z is between R+1 and R+V, inclusive, then Z is accepted, S is set to Z, the bitmask M is set to the all-zero value, and P is returned as the plaintext. 6. If Z is between R+V+1 and 2^T+1, inclusive, then Z is rejected and R is set to Z. 5. When Z is rejected, then AERO decryption MUST return the FAIL symbol, which indicates that either the message was a replay or a forgery attempt.

  8. AERO Decryption Process

  9. AERO Rationale & Summary • Padding is an unfortunate requirement • AES is block oriented • Pad stripping incorporates an authentication check • Incorporation of the sequence number inside AERO • Brings security-critical function inside the cryptographic boundary • Use of XBC is computationally expensive • Does not support pipelined implementation using XBC • XBC is an off-line algorithm that requires plaintext to be fully buffered • Could employ Online Pseudo-Random Permutation (OPRP)

More Related