Feature #4550
open
Improve AES support in security::transform
Added by Zhiyi Zhang about 6 years ago. Updated over 2 years ago.
0%
Description
Name-based Access Control (NAC) relies AES and RSA encryption/decryption process.
We'd better provide interfaces in ndn-cxx/sec/transform for AES encryption/decryption, and some helper functions for AES key generation and export/import.
Updated by Davide Pesavento about 6 years ago
- Subject changed from Add AES support to ndn-cxx sec/transform for Name-based Access Control to Improve AES support in security::transform
- Category set to Security
- Target version set to v0.7
- Start date deleted (
03/16/2018)
What mode(s) of AES? BlockCipher already supports AES-CBC
Updated by Zhiyi Zhang about 6 years ago
Davide Pesavento wrote:
What mode(s) of AES?
BlockCipheralready supports AES-CBC
NAC supports two algos: AES-CBC and AES-ECB. Given that CBC is more secure than ECB. It's fine for NAC to cut the option of ECB. I think we'd better have some helper functions to initialize IV and AES key.
Updated by Davide Pesavento about 6 years ago
Zhiyi Zhang wrote:
NAC supports two algos: AES-CBC and AES-ECB. Given that CBC is more secure than ECB. It's fine for NAC to cut the option of ECB.
ECB is insecure and should definitely NOT be used.
We should consider adding the CTR mode of AES, which allows to decrypt each block independently, unlike CBC which requires knowing the ciphertext of the previous block (can be inefficient for blocks that are at a packet boundary). Moreover, in CTR mode, plaintext blocks can be encrypted in parallel.
I suppose we also need the KW (RFC 3394) and/or KWP (RFC 5649) modes for key wrapping..? Or is NAC using something else for that?
I think we'd better have some helper functions to initialize IV and AES key.
Makes sense. We can add a SymmetricKey wrapper similar to the existing PublicKey and PrivateKey classes.
Updated by Junxiao Shi about 6 years ago
ECB is insecure and should definitely NOT be used.
ECB is simple. It’s insecure for uncompressed bitmaps, but fine for small inputs shorter than a cipher block. Most sensor readings belong to this category.
We should consider adding the CTR mode of AES, which allows to decrypt each block independently, unlike CBC which requires knowing the ciphertext of the previous block (can be inefficient for blocks that are at a packet boundary). Moreover, in CTR mode, plaintext blocks can be encrypted in parallel.
CTR mode can be useful for encrypting sensor readings, if the counter can somehow be tied to the application layer sequence number.
CBC for small inputs is basically ECB.
Updated by Davide Pesavento about 6 years ago
ECB is simple. It’s insecure for uncompressed bitmaps, but fine for small inputs shorter than a cipher block
NAC should not make any assumptions on the size of the plaintext. Even for short inputs, CBC is never worse than ECB, so I don't see many reasons to offer AES-ECB as an option, the potential for misuse is just too high.
CBC for small inputs is basically ECB.
Only if you use a different key for each block. ECB doesn't have an IV.
Updated by Junxiao Shi over 2 years ago
Davide Pesavento wrote in #note-5:
CBC for small inputs is basically ECB.
Only if you use a different key for each block. ECB doesn't have an IV.
Ergh, I'm unaware of that.
4 years later, I can only endorse AES-CBC and AES-GCM.
Other modes are crappy.
Updated by Davide Pesavento over 2 years ago
Nowadays, AEADs like AES-GCM and AES-GCM-SIV (*) should be strongly preferred. In some cases (e.g., separate authenticity/integrity checking) and if you know what you're doing, CBC and CTR can be acceptable.
(*) CCM is fine too but less popular than the GCM modes.