RSA-AES-SIV TLS Ciphersuites - PowerPoint PPT Presentation

About This Presentation
Title:

RSA-AES-SIV TLS Ciphersuites

Description:

RSA-AES-SIV TLS Ciphersuites Dan Harkins RSA-AES-SIV Ciphersuites What is being proposed? New ciphersuites for TLS using SIV mode of authenticated encryption. – PowerPoint PPT presentation

Number of Views:64
Avg rating:3.0/5.0
Slides: 8
Provided by: ietfOrgpr
Learn more at: https://www.ietf.org
Category:
Tags: aes | rsa | siv | tls | ciphersuites

less

Transcript and Presenter's Notes

Title: RSA-AES-SIV TLS Ciphersuites


1
RSA-AES-SIV TLS Ciphersuites
  • Dan Harkins

2
RSA-AES-SIV Ciphersuites
  • What is being proposed?
  • New ciphersuites for TLS using SIV mode of
    authenticated encryption.
  • RSA key exchange and Diffie-Hellman key exchange
    both with RSA authentication and SIV using two
    different key sizes ? Four new ciphersuites.
  • Draft modeled closely on
    draft-ietf-tls-rsa-aes-gcm but minus some of
    the verbage on nonce management.

3
RSA-AES-SIV Ciphersuites
  • Why is it being proposed?
  • Unlike other authenticated encryption modes SIV
    is resistant to nonce misuse.
  • Uniquely suited when nonce management is outside
    the cryptographic engine e.g. when applications
    receive TLS services via an API to a library.
  • For control-plane (versus data plane)
    applications where a two-pass mode is not onerous
    and where resistance to unintentional programming
    errors, misconfiguration, and intentional misuse
    are needed, e.g. CAPWAPs control channel.

4
What is SIV?
  • An Authenticated Encryption with Associated Data
    (AEAD) cipher mode.
  • Uses AES in CTR mode and CMAC mode.
  • PRF construction takes a vector of associated
    data (plus plaintext), a component in that vector
    is the nonce.
  • If a nonce is reused authenticity is retained and
    confidentiality is affected only to the extent
    that an adversary knows the same nonce was used
    with the same plaintext and key twice.
  • Provable security!

5
SIV Encrypt SIV Decrypt


AD1
ADn
P
AD1
ADn
P
S2V-CMAC
CTR
S2V-CMAC
CTR
IV
C
IV
C
IV
!
FAIL
Associated Data
Plaintext
Ciphertext
From Deterministic Authenticated Encryption
by Phil Rogaway and Thomas Shrimpton
6
Free Code!
  • http//www.lounge.org/siv_for_openssl.tgz
  • cd openssl-x-y-z
  • tar xzvf siv_for_openssl.tgz
  • crypto/aes/Makefile
  • crypto/aes/aes_siv.c
  • crypto/aes/siv.h
  • make clean make

7
References
  • Deterministic Authenticated Encryption, A
    Provable-Security Treatment of the Key-Wrap
    Problem Phil Rogaway and Thomas Shrimpton, from
    Advances in Cryptology EUROCRYPT 06.
  • draft-harkins-tls-rsa-siv-00.txt
  • draft-dharkins-siv-aes-01.txt
  • draft-ietf-tls-rsa-aes-gcm-00.txt
Write a Comment
User Comments (0)
About PowerShow.com