1

AERO Algorithm Overview

28-29 October 2013San Antonio, Texas USA

Howard WeissNASA/JPL/PARSONS*

• Identity crisis:• Formerly SPARTA• Formerly Cobham• Formerly SPARTA

2

AGENDA

• Provide introduction and overview of:– Authenticated Encryption with Replay prOtection

(AERO)

• All information obtained from IETF Internet Draft

3

USAGE and APPLICABILITY

• Provides confidentiality, authentication, and replay protection

• Especially well suited for bandwidth constrained environments– Minimal data expansion – Avoids managing implicit state, – Provides strong misuse resistance

• Well suited for use when multiple senders & receivers share crypto keys

4

AERO Introduction

• Internet Engineering Task Force (IETF) Internet Draft– Authenticated Encryption with Replay prOtection (AERO);

draft-mcgrew-aero-00.txt; D. McGrew (Cisco) and J. Foley (Cisco)

• Authenticated Encryption with replay protection– Stateful & self-synchronizing encryption– Replay protection– Authentication

» Replay & authentication provided via single mechanism– Makes use of underlying stateless encryption (AES)

• Uses AES in eXtended Code Book (XCB) mode– AERO_AES_128_XCB– AERO_AES_192_XCB– AERO_AES_256_XCB

5

AERO Overview

• Minimization of overhead– Combines authentication & replay protection

» Eliminates replay overhead and need for implicit state information

» Sequence number is encrypted with plaintext• Sender maintains a sequence number which is

xmitted to the receiver• Receiver verifies received sequence number

– No nonce or initialization vector (IV) used» Reduces overhead» No need to coordinate nonces among multiple

receivers» Eliminates problems with nonce misuse as is the

case with AES/GCM

6

AERO Encryption Process

A = associated dataP = plaintextS = sequence number Padding = 128-bit blockI2S = integer-to-stringK = keyC = ciphertext

Length (C) == Length (P)

7

AERO Decryption Steps4.5. Decryption

To decrypt an encrypted message (A, C),

1. The stateless decryption algorithm is applied to A and C, using the secret key K in the context, returning a candidate sequence number Z, which is a T-bit unsigned integer, and a plaintext Q, which is an octet string.

2. If PMIN * 8 > T, then padding is removed from Q as follows. B is set to the value of the last octet of Q, converted to an 8-bit unsigned integer. If B > (128 - T)/8, then the FAIL symbol is returned, and processing halts. Otherwise, the octet string P is set to all but the final B + 1 octets of Q.

3. Z is converted from an octet string to an unsigned integer using the S2I routine defined in Section 1.3.

4. Z is processed as follows; see Figure 3 for an illustration.

1. If Z is between 0 and S-W, inclusive, then Z is rejected.

2. If Z is between S-W+1 and S, inclusive, then the bitmask M is checked. If M[S-Z] = 0, then Z is accepted, M[S-Z] is set to 1, and P is returned as the plaintext. If M[S-Z] = 1, then Z is rejected.

3. If Z is between S+1 and S+W, inclusive, then Z is accepted, S is set to Z, and P is returned as the plaintext. The bitmask is shifted by Z-S (in the direction of higher indicies).

4. If Z is between S+W+1 and R, inclusive, then Z is rejected and R is set to Z.

5. If Z is between R+1 and R+V, inclusive, then Z is accepted, S is set to Z, the bitmask M is set to the all-zero value, and P is returned as the plaintext.

6. If Z is between R+V+1 and 2^T+1, inclusive, then Z is rejected and R is set to Z.

5. When Z is rejected, then AERO decryption MUST return the FAIL symbol, which indicates that either the message was a replay or a forgery attempt.

8

AERO Decryption Process

9

AERO Rationale & Summary

• Padding is an unfortunate requirement– AES is block oriented– Pad stripping incorporates an authentication check

• Incorporation of the sequence number inside AERO– Brings security-critical function inside the cryptographic

boundary• Use of XBC is computationally expensive• Does not support pipelined implementation using XBC

– XBC is an off-line algorithm that requires plaintext to be fully buffered

– Could employ Online Pseudo-Random Permutation (OPRP)