1 / 15

AES Mode Choices OCB vs. Counter Mode with CBC-MAC

AES Mode Choices OCB vs. Counter Mode with CBC-MAC. Niels Ferguson, MacFergus BV Russ Housley, RSA Labs Doug Whiting, HiFn. Introduction. 802.11i currently specifies AES-OCB for confidentiality and integrity Have concerns with this choice

liora
Download Presentation

AES Mode Choices OCB vs. Counter Mode with CBC-MAC

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AES Mode ChoicesOCB vs. Counter Mode with CBC-MAC Niels Ferguson, MacFergus BV Russ Housley, RSA Labs Doug Whiting, HiFn Ferguson, Housley, Whiting

  2. Introduction • 802.11i currently specifies AES-OCB for confidentiality and integrity • Have concerns with this choice • Highlight issues by comparing to AES Counter (CTR) mode withAES-CBC-MAC Ferguson, Housley, Whiting

  3. AES CTR with CBC-MAC • CBC-MAC • Over: Length || SA || DA || … || Payload • Truncate to 64 bits and append to payload • CBC-MAC key derived from encryption key, only single-key required (may be pre-computed or computed on-the-fly) • Encrypt using AES CTR, using IV to ensure unique counter values Ferguson, Housley, Whiting

  4. AES CTR with CBC-MAC: Details Ferguson, Housley, Whiting

  5. Dimensions of Comparison • Patent Status • Size of Implementation • Power Consumption • Speed • Cleartext Integrity Coverage • Simplicity of Key Management • Packet Overhead • Crypto Confidence Ferguson, Housley, Whiting

  6. Patent Status • IEEE 802 has long history with patents • Bottom line: Avoid patents when there are viable unencumbered alternatives • No patents on CTR or CBC-MAC • Three independent IP claimants on OCB • All three emphatically believe that their yet-to-be-issued patent(s) cover OCB mode • Virgil Gligor, Charanjit Jutla (IBM), and Phil Rogaway • Fair, non-discriminatory, and non-onerous are subjective (especially after standard is done) Ferguson, Housley, Whiting

  7. Size of Implementation • Unlike OCB, AES CTR and CBC-MAC require only encryption operations, not decryption • Software: CTR with CBC-MAC is smaller • Cut table size in half (4K bytes vs. 8K bytes) • Cut round key table size in half (save 160 bytes) • Cut code size in half (roughly) • Hardware: CTR with CBC-MAC is SMALLER than AES-OCB • Silicon area roughly 1.5x to 2x smaller than performing both encrypt and decrypt operations • Less than 20K gates for encryption only (fraction of overall ASIC?) Ferguson, Housley, Whiting

  8. Power Consumption (in Hardware) • OCB performs roughly half the number of crypto operations as CTR withCBC-MAC • “Duty cycle” of encryption logic activity @ 40 MHz (assuming gated clocks) • ~3% for 802.11b (CTR with CBC-MAC) • ~15% for 802.11a (CTR with CBC-MAC) • Small fraction of gates, small duty cycle, digital vs. analog  power for encryption is “in the noise” (< 1%) Ferguson, Housley, Whiting

  9. [Power Duty Cycle Computations] • Assumptions: • 10 clocks per 128-bit AES block • 40 MHz clock (i.e., 4M AES blocks/sec) • AES throughput = 512 Mbps • 802.11b  6.5 Mbps (max), x2 (for CTR with CBC-MAC)  13 Mbps • Duty cycle  13/512 < 3% Ferguson, Housley, Whiting

  10. Speed • Most 802.11 implementations of AES will be in hardware • Hardware: 55 Mbps (or twice that) is very slow for AES, as shown by the duty cycle in previous slide • Software: OCB is twice the speed of CTR with CBC-MAC • OCB “wins” if 1x is fast enough, but 2x is too slow Ferguson, Housley, Whiting

  11. Cleartext Integrity Coverage • OCB “nonce stealing” allows integrity protection outside the payload • IV plus header fields <= 128 bits • Current proposal has reduced IV to 27 bits because of this OCB limitation • How would we protect another MAC address? • CBC-MAC can cover an arbitrary amount of cleartext in addition to the payload Ferguson, Housley, Whiting

  12. Simplicity of Key Management • OCB uses two keys internally on decrypt • Pre-computed or computed on-the-fly • CTR with CBC-MAC uses two keys • Derive CBC-MAC key from CTR key with one encrypt operation (counter = zero) • Pre-computed or computed on-the-fly Ferguson, Housley, Whiting

  13. Packet Overhead • OCB • IV • Check value • CTR with CBC-MAC • IV • Check value • Same overhead for same security Ferguson, Housley, Whiting

  14. Crypto Confidence • OCB is new • In crypto, new is dangerous • Some provably secure systems have been broken • Proofs can contain subtle errors • Proofs are always based on assumptions anda restricted model • CTR and CBC-MAC are 20+ years old • Well studied, no surprises • OCB and CTR both require care with IVs Ferguson, Housley, Whiting

  15. Conclusion • No compelling advantage to OCB • Please consider unencumbered alternatives Ferguson, Housley, Whiting

More Related