Hi Mark,
The synthetic initialization vector (SIV) is also the integrity check value. It's a 2-pass cipher mode. To generate you do a keyed CMAC on the plaintext and use the resulting digest as the IV to CTR mode. To process, it's the inverse,
decrypt the ciphertext with the IV and see if the result produces the IV when CMAC'd. Since garbage will always successfully decrypt with CTR mode (to more garbage but how do you know?), the "plaintext" needs to be thrown away, not exported to the caller,
if the IV does not check out. See RFC 5297 for beautiful ASCII art diagrams
☺
So yes, the overhead is 17 bytes at a minimum and a tad more to make sure that the same Device ID (upper case!) isn't given out twice, plus any kind of traffic analysis obfuscation a user wants to do.
regards,
Dan.
--
"the object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." – Marcus Aurelius
On 8/2/23, 11:44 AM, "mark.hamilton2152@xxxxxxxxx" <mark.hamilton2152@xxxxxxxxx> wrote:
Thanks, Dan.
But, doesn’t AES-SIV also add the length of the SIV to the resulting total? (Sorry for neophyte questions… I would really like to make sure we are all accounting for the annex correctly in our discussion about
the Device ID field size, though.)
As for, “then why are we telling the attacker his attack is successful or not?” Well, the usual: the problem of conflicting/competing requirements, I guess is the best answer…
Mark
From: Harkins, Dan <daniel.harkins@xxxxxxx>
Sent: Wednesday, August 2, 2023 12:39 PM
To: mark.hamilton2152@xxxxxxxxx; STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx
Subject: Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID
Hi Mark,
On 8/2/23, 11:20 AM, "mark.hamilton2152@xxxxxxxxx" <mark.hamilton2152@xxxxxxxxx> wrote:
Dan,
I think we are running into the terminology problem, again. When I say “Device ID” (upper case ‘D’), I mean what is carried in that field of the IE/KDE and sent OTA.
Yep, I agree, the device ID can be short, and Annex AD will still protect it. But, the resulting Device ID (sent OTA) will be relatively large (that is, more than a handful of octets), right? And, hence if we
propose something like 6 octets as the minimum length of the Device ID, then anything that uses the Annex will be compliant. But, I’m stating this as a double-check that I’m right…?
The Annex adds 17 octets of overhead (16 octets of integrity check and 1 octet to indicate padding) and has an optional padding and a user-specified tweak so it's difficult to say how big it would be. A single octet
device ID (lower case!) with no padding and an 8 octet tweak would result in a 26 octet Device ID (upper case!). Of course if collision of blobs (i.e. giving the same Device ID (upper case!) to STAs for a static, unchanging device ID (lower case!)) over the
course of all of a STA's associations over the AP's uptime is not so much of a concern the tweak can be smaller.
But if the Annex is not used then, yes, there is a possibility of an attacker running through all umpteen possibilities of device IDs (lower case!) until one "works". So again, I will ask, if that is a concern then
why are we telling the attacker his attack is successful or not? "Nope, try again… nope, try again… yes, it worked!" The cognitive dissonance is a bit much for me.
regards,
Dan.
--
"the object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." – Marcus Aurelius
Mark
From: Harkins, Dan <daniel.harkins@xxxxxxx>
Sent: Wednesday, August 2, 2023 12:14 PM
To: mark.hamilton2152@xxxxxxxxx;
STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx
Subject: Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID
On 8/2/23, 10:57 AM, "mark.hamilton2152@xxxxxxxxx" <mark.hamilton2152@xxxxxxxxx> wrote:
Thanks, Dan.
Just a quick response on the first point. If the length of the communicated Device ID (which is what we’re discussing, the length in the actual IE/KDE as it is carried OTA) could be very short (for example, 1
octet), then it would be much easier to brute force try all 256 possibilities until you get a “Recognized” response from the network. Even 6 octets would be a big improvement.
If the user of the 11bh amendment cared then it would not use a "very short" identifier. While I am amenable to the argument that the customer doesn't really know what he's doing I would also caution us from thinking
that we do. If we have "security considerations" regarding the use of our standard then we should explicitly mention them and if we have consensus that short device IDs are problematic then we should have a nice informative note on that subject. Personally
I don't think they are but that's just me.
And, again, if we are concerned about this brute force attack then why are we telling the attacker whether or not his guess was good or not?
I don’t think the Annex AD method can/would produce such a short Device ID to be sent OTA, anyway, so I think that is beyond this discussion. That is, we are only talking about when the annex is not being used
(for whatever implementation choice reasons).
The Annex can and would protect such a short device ID because of the security properties of AES-SIV. The size of the plaintext does not affect the non-forgeability property. It is computationally infeasible for
an adversary to construct a blob that would pass the integrity verification part of AES-SIV whether the plaintext is 1 octet or 250 octets. That's the whole point.
regards,
Dan.
--
"the object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." – Marcus Aurelius
Mark
From: Harkins, Dan <daniel.harkins@xxxxxxx>
Sent: Wednesday, August 2, 2023 11:32 AM
To: mark.hamilton2152@xxxxxxxxx;
STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx
Subject: Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID
Hi Mark,
On 8/2/23, 9:53 AM, "Mark Hamilton" <mark.hamilton2152@xxxxxxxxx> wrote:
A couple of counter arguments (I think, if I’m understanding the points made):
-
I am concerned that with no minimum length requirement for a Device ID, we will get comments that there is a “security hole” in that an attacker could easily brute force try a lot/every possible short Device ID string until one works.
We’ve had discussions in the past that we don’t want to introduce a mechanism that allows trivial spoofing of a “known” device, by either a rogue STA or AP. As long as we have agreement that we don’t care about this problem, and/or it is out of our scope
to worry about perhaps (in which case maybe we at least want a NOTE?), then I can see arguments for allowing (or at least not disallowing) very short Device IDs.
Keeping in mind why 11bh got formed. This device ID is replacing a plaintext MAC address that was used by networks for identification purposes. I fail to see how a short device ID would open some "security hole"
that didn't exist with a spoofable identifier that was passed in the clear! We didn't get formed because the outcry was "the identifier we were using could be spoofed and we demand more security", it was "the identifier we were using is useless now and we
just need something, anything".
I wonder what "until one works" means anyway. Don't we have some status bit saying, "didn't recognize that but here's a new one for you"? So if fear of this "security hole" was real then we should not be expressing
a status bit to tell the attacker that it "works" or not—"you can end your brute force attack now mr attacker, I recognize that value."
Also, maybe this is another reason to use the (optional for now) technique in the Annex. It is computationally infeasible for an adversary to forge a blob even if it knew the size and make-up of the device ID.
In addition. It adds padding to the device ID to make traffic analysis more difficult and adds a tweak to the computation to ensure that blobs will not be repeated. If we are concerned about the security of using device IDs then maybe we should promote the
informative annex into normative text. (And I will take the outcry to not do that as evidence that this security concern is not serious).
I think a minimum length of the device ID (128 bits?) is more the illusion of security. AES-SIV has provable security and we can point to that instead of handwave about how hard it would be to brute force device
IDs and what it means to say "until one works".
-
Ben’s takeaway (just below) seems to have been that the Device ID comes from a “higher layer protocol”. That has not been my assumption. I could imagine that this is possible, but I can also imagine that it is generate (in an implementation-dependent
manner) within the 802 layer. Do we need to get agreement/add clarification on this (again, maybe just a NOTE)?
I guess it depends on the purpose. But regardless of whether it comes from a higher layer protocol or not, the construction of the device ID is outside the scope of 11bh and therefore the resulting length of the
constructed device ID is as well. Let's not constrain the use of this amendment with unnecessary limits on its use.
regards,
Dan.
--
"the object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." – Marcus Aurelius
Mark
From: Benjamin Rolfe <ben@xxxxxxxxxxxxxx>
Sent: Wednesday, August 2, 2023 8:49 AM
To: STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx
Subject: Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID
Thanks Dan, that explanation is very helpful.
An alternative to rejecting the comment would be "revised" and clarify the field definition consistent with Dan's explanation. As is it says that it contains something
that is undefined (refers only to an informative annex) which a voter might suggest makes the spec not technically complete.
A change such as:
The Device ID field is an octet string and is defined by the higher layer protocol. See also Annex AD.1.
(borrowing language from 802.11-2020 for similar situations where the content is defined at the network layer).
FWIW it would seem from the discussion that clarification will help. It helped me!
Ben
From: Harkins, Dan <daniel.harkins@xxxxxxx>
Sent: Tuesday, August 1, 2023 5:50 PM
To: STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx <STDS-802-11-TGBH@xxxxxxxxxxxxxxxxx>
Subject: Re: [STDS-802-11-TGBH] Minimum length (and optionality) of Device ID
Hello,
I missed the TGbh call this morning but I understand there was a discussion about min/max device ID lengths. It is my opinion that the contents of a device ID and its subsequent length are entirely outside the
scope of the standard. The only requirement is it has to fit in an IE and if you do the Annex encryption stuff you will need to take into account the overhead it imposes (17 octets plus tweak plus padding if used) and make sure your device IDs will still fit
after being encrypted. There is no need to specify a min. STAs don't care what their device ID is (remember, these use cases are entirely to help the network side of the conversation) and the network owns the device ID space so it can do anything it wants.
I would support rejection of the comments that ask for min/max limits on device IDs.
regards,
Dan.
--
"the object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." – Marcus Aurelius
On 8/1/23, 9:18 AM, "Mark Hamilton" <mark.hamilton2152@xxxxxxxxx> wrote:
All,
I just wanted to point out a couple examples from the baseline (REVme, that is), for fields which are not always present, and/or have variable length or some restrictions on their length (when they are present).
Supported Operating Classes element:
Note the “(optional)” inside the field’s box, and the “variable” below the box. Also, note that the text then describes when the field is present or not, and minimal information about what it carries when it
is present:
Time Advertisement element:
Again “(optional)” inside the box, and this time a fixed choice of length below the box (0 or a fixed length). And, again, minimal description in the text about when the field is present, and what it means when
it is present:
Multi-band element:
Of interest here, is the use of “4 x m” for the length of the last field. So, there are examples of a simple “formula” type of length, even with an optional field – which can presumably be 0 if m is 0.
QMF Policy frame:
This is one with the possibility of “not present” (0 length), or a specific range of lengths allowed when it is present. And, here the text describes when it is present, and points elsewhere (although still in
clause 9 ?! 😊) for its structure and definition when it is present:
Personally, I think that last example might be the most relevant one for us to mirror, if we decide the Device ID length can be a range (when present), or ours could be like Time Advertisement element if we decide
the Device ID is fixed length (when present).
Other thoughts/flames?
Mark
To unsubscribe from the STDS-802-11-TGBH list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1
To unsubscribe from the STDS-802-11-TGBH list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1
To unsubscribe from the STDS-802-11-TGBH list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1
To unsubscribe from the STDS-802-11-TGBH list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1
To unsubscribe from the STDS-802-11-TGBH list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBH&A=1