1
AERO Algorithm Overview
28-29 October 2013San Antonio, Texas USA
Howard WeissNASA/JPL/PARSONS*
• Identity crisis:• Formerly SPARTA• Formerly Cobham• Formerly SPARTA
2
AGENDA
• Provide introduction and overview of:– Authenticated Encryption with Replay prOtection
(AERO)
• All information obtained from IETF Internet Draft
3
USAGE and APPLICABILITY
• Provides confidentiality, authentication, and replay protection
• Especially well suited for bandwidth constrained environments– Minimal data expansion – Avoids managing implicit state, – Provides strong misuse resistance
• Well suited for use when multiple senders & receivers share crypto keys
4
AERO Introduction
• Internet Engineering Task Force (IETF) Internet Draft– Authenticated Encryption with Replay prOtection (AERO);
draft-mcgrew-aero-00.txt; D. McGrew (Cisco) and J. Foley (Cisco)
• Authenticated Encryption with replay protection– Stateful & self-synchronizing encryption– Replay protection– Authentication
» Replay & authentication provided via single mechanism– Makes use of underlying stateless encryption (AES)
• Uses AES in eXtended Code Book (XCB) mode– AERO_AES_128_XCB– AERO_AES_192_XCB– AERO_AES_256_XCB
5
AERO Overview
• Minimization of overhead– Combines authentication & replay protection
» Eliminates replay overhead and need for implicit state information
» Sequence number is encrypted with plaintext• Sender maintains a sequence number which is
xmitted to the receiver• Receiver verifies received sequence number
– No nonce or initialization vector (IV) used» Reduces overhead» No need to coordinate nonces among multiple
receivers» Eliminates problems with nonce misuse as is the
case with AES/GCM
6
AERO Encryption Process
A = associated dataP = plaintextS = sequence number Padding = 128-bit blockI2S = integer-to-stringK = keyC = ciphertext
Length (C) == Length (P)
7
AERO Decryption Steps4.5. Decryption
To decrypt an encrypted message (A, C),
1. The stateless decryption algorithm is applied to A and C, using the secret key K in the context, returning a candidate sequence number Z, which is a T-bit unsigned integer, and a plaintext Q, which is an octet string.
2. If PMIN * 8 > T, then padding is removed from Q as follows. B is set to the value of the last octet of Q, converted to an 8-bit unsigned integer. If B > (128 - T)/8, then the FAIL symbol is returned, and processing halts. Otherwise, the octet string P is set to all but the final B + 1 octets of Q.
3. Z is converted from an octet string to an unsigned integer using the S2I routine defined in Section 1.3.
4. Z is processed as follows; see Figure 3 for an illustration.
1. If Z is between 0 and S-W, inclusive, then Z is rejected.
2. If Z is between S-W+1 and S, inclusive, then the bitmask M is checked. If M[S-Z] = 0, then Z is accepted, M[S-Z] is set to 1, and P is returned as the plaintext. If M[S-Z] = 1, then Z is rejected.
3. If Z is between S+1 and S+W, inclusive, then Z is accepted, S is set to Z, and P is returned as the plaintext. The bitmask is shifted by Z-S (in the direction of higher indicies).
4. If Z is between S+W+1 and R, inclusive, then Z is rejected and R is set to Z.
5. If Z is between R+1 and R+V, inclusive, then Z is accepted, S is set to Z, the bitmask M is set to the all-zero value, and P is returned as the plaintext.
6. If Z is between R+V+1 and 2^T+1, inclusive, then Z is rejected and R is set to Z.
5. When Z is rejected, then AERO decryption MUST return the FAIL symbol, which indicates that either the message was a replay or a forgery attempt.
8
AERO Decryption Process
9
AERO Rationale & Summary
• Padding is an unfortunate requirement– AES is block oriented– Pad stripping incorporates an authentication check
• Incorporation of the sequence number inside AERO– Brings security-critical function inside the cryptographic
boundary• Use of XBC is computationally expensive• Does not support pipelined implementation using XBC
– XBC is an off-line algorithm that requires plaintext to be fully buffered
– Could employ Online Pseudo-Random Permutation (OPRP)