Project

General

Profile

Actions

Feature #4550

open

Improve AES support in security::transform

Added by Zhiyi Zhang over 6 years ago. Updated almost 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Name-based Access Control (NAC) relies AES and RSA encryption/decryption process.
We'd better provide interfaces in ndn-cxx/sec/transform for AES encryption/decryption, and some helper functions for AES key generation and export/import.

Actions #1

Updated by Davide Pesavento over 6 years ago

  • Subject changed from Add AES support to ndn-cxx sec/transform for Name-based Access Control to Improve AES support in security::transform
  • Category set to Security
  • Target version set to v0.7
  • Start date deleted (03/16/2018)

What mode(s) of AES? BlockCipher already supports AES-CBC

Actions #2

Updated by Zhiyi Zhang over 6 years ago

Davide Pesavento wrote:

What mode(s) of AES? BlockCipher already supports AES-CBC

NAC supports two algos: AES-CBC and AES-ECB. Given that CBC is more secure than ECB. It's fine for NAC to cut the option of ECB. I think we'd better have some helper functions to initialize IV and AES key.

Actions #3

Updated by Davide Pesavento over 6 years ago

Zhiyi Zhang wrote:

NAC supports two algos: AES-CBC and AES-ECB. Given that CBC is more secure than ECB. It's fine for NAC to cut the option of ECB.

ECB is insecure and should definitely NOT be used.

We should consider adding the CTR mode of AES, which allows to decrypt each block independently, unlike CBC which requires knowing the ciphertext of the previous block (can be inefficient for blocks that are at a packet boundary). Moreover, in CTR mode, plaintext blocks can be encrypted in parallel.

I suppose we also need the KW (RFC 3394) and/or KWP (RFC 5649) modes for key wrapping..? Or is NAC using something else for that?

I think we'd better have some helper functions to initialize IV and AES key.

Makes sense. We can add a SymmetricKey wrapper similar to the existing PublicKey and PrivateKey classes.

Actions #4

Updated by Junxiao Shi over 6 years ago

ECB is insecure and should definitely NOT be used.

ECB is simple. It’s insecure for uncompressed bitmaps, but fine for small inputs shorter than a cipher block. Most sensor readings belong to this category.

We should consider adding the CTR mode of AES, which allows to decrypt each block independently, unlike CBC which requires knowing the ciphertext of the previous block (can be inefficient for blocks that are at a packet boundary). Moreover, in CTR mode, plaintext blocks can be encrypted in parallel.

CTR mode can be useful for encrypting sensor readings, if the counter can somehow be tied to the application layer sequence number.
CBC for small inputs is basically ECB.

Actions #5

Updated by Davide Pesavento over 6 years ago

ECB is simple. It’s insecure for uncompressed bitmaps, but fine for small inputs shorter than a cipher block

NAC should not make any assumptions on the size of the plaintext. Even for short inputs, CBC is never worse than ECB, so I don't see many reasons to offer AES-ECB as an option, the potential for misuse is just too high.

CBC for small inputs is basically ECB.

Only if you use a different key for each block. ECB doesn't have an IV.

Actions #6

Updated by Davide Pesavento about 5 years ago

  • Target version deleted (v0.7)
Actions #7

Updated by Davide Pesavento over 4 years ago

  • Tags set to security, API
Actions #8

Updated by Junxiao Shi almost 3 years ago

Davide Pesavento wrote in #note-5:

CBC for small inputs is basically ECB.

Only if you use a different key for each block. ECB doesn't have an IV.

Ergh, I'm unaware of that.

4 years later, I can only endorse AES-CBC and AES-GCM.
Other modes are crappy.

Actions #9

Updated by Davide Pesavento almost 3 years ago

Nowadays, AEADs like AES-GCM and AES-GCM-SIV (*) should be strongly preferred. In some cases (e.g., separate authenticity/integrity checking) and if you know what you're doing, CBC and CTR can be acceptable.

(*) CCM is fine too but less popular than the GCM modes.

Actions

Also available in: Atom PDF