Mar 27, 2015
© 2004, Cisco Systems, Inc. All rights reserved.
Scalable, Efficient Cryptography for Multiple Security Services
David A. McGrew
Cisco Systems, Inc.
GCM Overview
• Block cipher mode of operation
Provides both confidentiality and authentication
• Provides high speed, low latency at low cost
Best mode of operation for packet networks
• Usability features
• Proposed to NIST and other standards areas
• Joint work with John Viega of Secure Software
Block Cipher
• Inputs
K - key
P - plaintext (128 bits)
• Output
C - ciphertext (128 bits)
Authenticated Encryption Operation
• Inputs
K - key (same length as block cipher key)
IV - unique value (length between 1 and 2^64 bits)
P - plaintext (length between 0 and 2^39 bits)
A - additional authenticated data (1 to 2^64 bits)
• Outputs
C - ciphertext (same length as P )
T - authentication tag (length between 0 and 128 bits)
Example: GCM Frame Encryption
AE Mode Requirements
• Line rate (10+ Gbps) in hardware
• Parallelizable, pipelineable
• Low implementation cost
• Low (packet) latency
• Good software performance
• Provably secure
• Unencumbered by intellectual property
Promotes standardization
GCM Uses
• IEEE Link Security (802.1AE)
GCM is the mandatory cryptoalgorithm in the draft
• IPsec ESP
Draft based on ESP-AES-CCM, ESP-AES-CTR
• Fibre Channel Security
• Future fast wireless LAN
GCM Internals
• Counter Mode encryption
Based on IPsec CTR specification
Efficient, compact
• MAC is encrypted hash
Polynomial hash over GF(2^128)
Multiply and accumulate
• MAC key H = E_K(0^128)
Counter Mode Encryption
Universal Hash-based MACs
P[GHASH(M) ⊕ GHASH(M′) = a] ≤ ~ len(M)/2^128
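Why this bound holds, as an added derivation that is not on the slide, in the slides' own notation. Write the GHASH input (AAD, ciphertext and the length block) as $n$ blocks $M = M_1 \| \dots \| M_n$, so that

$$\mathrm{GHASH}_H(M) = \sum_{j=1}^{n} M_j \cdot H^{\,n+1-j} \quad \text{over } \mathrm{GF}(2^{128}).$$

For fixed $M \neq M'$ of the same block length and any fixed target $a$,

$$\mathrm{GHASH}_H(M) \oplus \mathrm{GHASH}_H(M') = a \iff \sum_{j=1}^{n} (M_j \oplus M'_j)\, H^{\,n+1-j} \oplus a = 0 ,$$

which is a non-zero polynomial in $H$ of degree at most $n$ and therefore has at most $n$ roots in the field. For an ideal block cipher $H = E_K(0^{128})$ is uniform over the $2^{128}$ field elements, so the probability that the secret $H$ is one of those roots is at most $n / 2^{128}$, i.e. about $\mathrm{len}(M)/2^{128}$ with the length measured in blocks (messages of different lengths give a polynomial of degree $\max(n, n')$ and the same argument).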
GHASH
Input consists of C, A, length(A) | length(C)
The Field GF(2^128)
• Addition, multiplication, …
• Polynomial basis
Field element = 128-term binary polynomial
• Addition is just exclusive-or
• Multiplication ~ 128^2 = 2^16 bit operations
Well-suited for hardware implementations
Software
• Counter mode is simple
Software can avoid first AES round - 10% gain
• GF(2^128) multiply
Lookup tables - computed per key
256 bytes to 64 kilobytes
• Fastest mode on packets up to 576 bytes
Software Performance (cycles/byte)
GCM Benefits
• Can act as stand-alone MAC
Could be used in IPsec AH or ESP with NULL encryption
• Can act as incremental MAC
• Can accept IVs of arbitrary length
Arbitrary Length IVs
• Optimized for 96-bit IV
Preserves performance, maintains security
• Promotes usability
Can use ‘natural’ nonces - filenames, network addresses, …
Obviates need to derive secondary keys
Arbitrary Length IV: File Encryption
• IV = seq_num | filename
0000 | “/etc/passwd”
0001 | “/etc/passwd”
…
• Authentication tag T appended to file
Incremental MAC
• Given (MSG, MAC), can compute MAC for a modified message MSG′ efficiently
• Useful for remote authentication
Secure storage networking
Network filesystems (e.g. CFS)
Incremental MAC: Remote Storage
• A = B[0] | B[1] | … | B[N-1]
• P = {}
• IV = version number (plus other info)
• When B[i] is changed to B’[i] , compute
New T = Old T ⊕ AES(Old IV) ⊕ AES(New IV) ⊕ HASH(H, B[i]) ⊕ HASH(H, B′[i])
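The GHASH side of GCM, as an added worked example that is not from the slides: it covers the GF(2^128) multiply-and-accumulate from the GCM Internals and Field slides, the initial-counter derivation behind the Arbitrary Length IV slides, and the tag update formula on this Incremental MAC slide. AES itself is not implemented; instead the hash key H and the one-block ciphertext are taken from the published GCM test case 2 (K = 0^128, IV = 0^96, P = 0^128) so the GHASH output can be checked against its known value, and random 128-bit masks stand in for AES_K(counter) of the old and new IV. The `file_iv` layout (2-byte sequence number followed by the filename bytes) is an assumption chosen to mirror the seq_num | filename slide, not a format the slides define.

```python
import secrets

# Reduction polynomial x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected layout
R = 0xE1000000000000000000000000000000


def gf128_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements (16-byte blocks read as big-endian ints).
    Addition in the field is XOR; this is the shift-and-add loop of the GCM spec,
    where bit 0 of a block is its most significant bit."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:          # bit i of y set: accumulate current v
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1   # v <- v * x (mod field polynomial)
    return z


def _blocks(data: bytes):
    """Split into 128-bit blocks, zero-padding the final partial block."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")


def ghash(h: int, a: bytes, c: bytes) -> int:
    """GHASH_H over A, C and the trailing length(A) | length(C) block (bit lengths)."""
    x = 0
    for blk in list(_blocks(a)) + list(_blocks(c)):
        x = gf128_mul(x ^ blk, h)         # multiply and accumulate
    length_block = (len(a) * 8) << 64 | (len(c) * 8)
    return gf128_mul(x ^ length_block, h)


def initial_counter(h: int, iv: bytes) -> int:
    """Counter block J0: a 96-bit IV is used directly (IV | 0^31 | 1); any other
    length is run through GHASH (A empty, C = IV), which is what lets GCM accept
    'natural' nonces such as seq_num | filename."""
    if len(iv) == 12:
        return int.from_bytes(iv, "big") << 32 | 1
    return ghash(h, b"", iv)


def file_iv(seq_num: int, filename: str) -> bytes:
    """Assumed layout for the file-encryption slide: 2-byte seq_num | filename."""
    return seq_num.to_bytes(2, "big") + filename.encode()


def block_term(h: int, block: int, exponent: int) -> int:
    """HASH(H, B[i]) on the slide: the block's contribution block * H^exponent.
    With A = B[0] | ... | B[N-1] and empty P, block i is followed by N-1-i AAD
    blocks plus the length block, so its exponent is N - i + 1."""
    term = block
    for _ in range(exponent):
        term = gf128_mul(term, h)
    return term


def incremental_tag_update(h: int, old_tag: int, old_mask: int, new_mask: int,
                           old_block: int, new_block: int, exponent: int) -> int:
    """New T = Old T ^ AES(Old IV) ^ AES(New IV) ^ HASH(H, B[i]) ^ HASH(H, B'[i]).
    old_mask / new_mask stand in for AES_K(J0) of the old and new IV."""
    return (old_tag ^ old_mask ^ new_mask
            ^ block_term(h, old_block, exponent) ^ block_term(h, new_block, exponent))


# Known-answer values from GCM test case 2 (H = AES_0(0^128), C = AES_0(0^126 10)).
H_TC2 = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
GHASH_TC2 = 0xF38CBB1AD69223DCC3457AE5B6B0F885


def check_ghash_known_answer() -> bool:
    """GHASH(H, A = {}, C) for test case 2 must equal the published value."""
    return ghash(H_TC2, b"", C_TC2) == GHASH_TC2


def check_incremental_update(n_blocks: int = 4, changed: int = 1) -> bool:
    """Constructed data: N random AAD blocks, one replaced; the incremental update
    must agree with recomputing the tag from scratch under the new IV's mask."""
    h = H_TC2
    blocks = [secrets.token_bytes(16) for _ in range(n_blocks)]
    new_blocks = list(blocks)
    new_blocks[changed] = secrets.token_bytes(16)
    old_mask, new_mask = secrets.randbits(128), secrets.randbits(128)
    old_tag = ghash(h, b"".join(blocks), b"") ^ old_mask
    fresh_tag = ghash(h, b"".join(new_blocks), b"") ^ new_mask
    updated = incremental_tag_update(
        h, old_tag, old_mask, new_mask,
        int.from_bytes(blocks[changed], "big"),
        int.from_bytes(new_blocks[changed], "big"),
        exponent=n_blocks - changed + 1)
    return updated == fresh_tag


if __name__ == "__main__":
    print("GHASH known answer ok:", check_ghash_known_answer())
    print("incremental update ok:", check_incremental_update())
    print("J0 for seq 0 /etc/passwd: %032x" % initial_counter(H_TC2, file_iv(0, "/etc/passwd")))
```

The incremental update works because GHASH is linear over XOR: replacing B[i] by B′[i] changes the polynomial by exactly (B[i] ⊕ B′[i])·H^(N-i+1), and the counter-mode mask for the old IV is removed and the one for the new IV applied. The same linearity is why the tag alone must never be reused across messages under one IV.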
Security
• Counter mode well understood
AES GCM secure up to ~ 2^68 bytes
• MAC based on XOR-universal hash
Well understood theory
Good security properties
Security Considerations
• IV reuse in encryption can expose H
But reuse in decryption does not
• Given one forged message, can produce many more easily
But does not change likelihood of zero forgeries
• All-zero counter value is highly unlikely and undetectable
References (1 of 2)
• GCM and OCB
csrc.nist.gov/CryptoToolkit/modes/proposedmodes/
• IEEE Link Security
www.ieee802.org/1/pages/802.1ae.html
www.ieee802.org/linksec/
• Fibre Channel
www.t11.org/
www.fibrechannel.org/
• IPsec
draft-ietf-ipsec-ciph-aes-gcm-00.txt
References (2 of 2)
• Counter mode
Diffie and Hellman. Privacy and Authentication: An Introduction to Cryptography. Proceedings of the IEEE, Volume 67, Number 3, March 1979.
Bellare, Desai, Jokipii, and Rogaway. A concrete security treatment of symmetric encryption. Proceedings of the 38th Annual Symposium on Foundations of Computer Science, IEEE, 1997.
• Universal hashing and MACs
Wegman and Carter. New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences, Vol. 22, 265-279, 1981.
Krawczyk. LFSR-based hashing and authentication. Proceedings of CRYPTO '94. Lecture Notes in Computer Science No. 839, 129-139.
Comparison to OCB
• GCM has slightly higher per-block cost
GF(2^128) multiply
• OCB has an extra per-packet AES invocation
Adds AES latency to packet encryption latency
• Software: GCM faster on short packets
• Hardware: GCM slightly higher cost, 1/2 latency
• GCM may need additional key store
• GCM has additional benefits
Security Model (1 of 2)
• Block cipher is secure if indistinguishable from a random permutation
• GCM secure if
Ciphertext indistinguishable from random, and
Forgery unlikely to succeed
Security Model (2 of 2)