70 likes | 80 Views
This proposal introduces four new ciphersuites for TLS, using the SIV mode of authenticated encryption with RSA and Diffie-Hellman key exchange. SIV is resistant to nonce misuse and is suitable for applications where nonce management is outside the cryptographic engine.
E N D
RSA-AES-SIV TLS Ciphersuites Dan Harkins
RSA-AES-SIV Ciphersuites • What is being proposed? • New ciphersuites for TLS using SIV mode of authenticated encryption. • RSA key exchange and Diffie-Hellman key exchange both with RSA authentication and SIV using two different key sizes Four new ciphersuites. • Draft modeled closely on draft-ietf-tls-rsa-aes-gcm but minus some of the verbage on nonce management.
RSA-AES-SIV Ciphersuites • Why is it being proposed? • Unlike other authenticated encryption modes SIV is resistant to nonce misuse. • Uniquely suited when nonce management is outside the cryptographic engine– e.g. when applications receive TLS services via an API to a library. • For control-plane (versus data plane) applications where a two-pass mode is not onerous and where resistance to unintentional programming errors, misconfiguration, and intentional misuse are needed, e.g. CAPWAP’s control channel.
What is SIV? • An Authenticated Encryption with Associated Data (AEAD) cipher mode. • Uses AES in CTR mode and CMAC mode. • PRF construction takes a vector of associated data (plus plaintext), a component in that vector is the nonce. • If a nonce is reused authenticity is retained and confidentiality is affected only to the extent that an adversary knows the same nonce was used with the same plaintext and key twice. • Provable security!
SIV Encrypt SIV Decrypt … … AD1 ADn P AD1 ADn P S2V-CMAC CTR S2V-CMAC CTR IV C IV C IV’ != FAIL Associated Data Plaintext Ciphertext From “Deterministic Authenticated Encryption” by Phil Rogaway and Thomas Shrimpton
Free Code! • http://www.lounge.org/siv_for_openssl.tgz % cd openssl-x-y-z % tar xzvf siv_for_openssl.tgz crypto/aes/Makefile crypto/aes/aes_siv.c crypto/aes/siv.h % make clean; make
References • “Deterministic Authenticated Encryption, A Provable-Security Treatment of the Key-Wrap Problem”– Phil Rogaway and Thomas Shrimpton, from Advances in Cryptology EUROCRYPT ’06. • draft-harkins-tls-rsa-siv-00.txt • draft-dharkins-siv-aes-01.txt • draft-ietf-tls-rsa-aes-gcm-00.txt