Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS

"David McGrew (mcgrew)" <mcgrew@cisco.com> Mon, 18 March 2013 19:25 UTC

From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Simon Josefsson <simon@josefsson.org>
Date: Mon, 18 Mar 2013 19:23:41 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B183EB8AD@xmb-rcd-x04.cisco.com>
In-Reply-To: <87ppyxhc6y.fsf@latte.josefsson.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "joachim@secworks.se" <joachim@secworks.se>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS

Hi Simon,

On 3/17/13 6:51 PM, "Simon Josefsson" <simon@josefsson.org> wrote:

>All,
>
>FYI, we have published -00 of a draft that describes how the Salsa20
>stream cipher can be added to TLS and DTLS, see:
>
>http://tools.ietf.org/html/draft-josefsson-salsa20-tls
>
>While we are not asking for WG adoption of this draft now, we are at a
>point where we would like to invite external review and solicit
>feedback.  

Some early feedback; copied CFRG.  It would be good to have review from
that community.

It is not exactly clear what problem is being addressed by this work.
Would be good to add a problem statement section.  In addition, it would
be good to provide the currently-unmet requirements to CAESAR (Competition
for Authenticated Encryption: Security, Applicability, and Robustness)
http://competitions.cr.yp.to/

Some more detailed comments, quoting from the draft:

   Recent attacks have indicated problems with CBC-mode cipher suites in
   TLS/DTLS and problems with the only supported stream cipher (RC4) in
   TLS have been known for a long time.  While AEAD cipher suites address
   these issues, concerns about performance are sometimes raised.


What are the performance concerns?  I suggest citing some relevant
performance data.

   Because the GenericStreamCipher definition in TLS does not provide
   any way to transport the Salsa20 nonce that is required for
   functionality and needed to provide the random access property, we
   let the output from the stream cipher operation be the concatenation
   of the IV and the encrypted data.


Please, define a Salsa20-based AEAD mechanism instead of a new TLS format!

>Some elements of the draft are still in flux.  For example,
>initial performance benchmarks suggest HMAC-SHA256 was a poor choice
>for the MAC so we are looking into UMAC and HMAC-SHA1 as alternatives.
>Still, all comments are appreciated.

If anything other than HMAC-SHA1 is used, that would underscore the value
of defining an AEAD algorithm.  If the main motivation for this work is
encryption that is computationally cheap, then it makes sense to pair the
algorithm with an authentication method with the same characteristics.

For security considerations, I suggest citing the analysis of Salsa20, and
adding a sentence or paragraph summarizing the best-known attacks.
Something like "Salsa20 has been analyzed by X independent teams, and the
best known attack breaks 8 of 20 rounds."

David

>
>/Simon
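Added example, not code from the draft or from either author: a Python sketch of the two things the exchange argues about, Salsa20/20 keystream generation with the block counter that gives the random-access property the draft mentions, and the draft's GenericStreamCipher framing in which the record is IV || ciphertext. The `encrypt_record`/`decrypt_record` names are my own, and no MAC is included, which is exactly the gap McGrew's AEAD suggestion is about.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32

def _quarterround(s, a, b, c, d):  # Salsa20 quarterround on the 16-word state, in place
    s[b] ^= _rotl((s[a] + s[d]) & MASK32, 7)
    s[c] ^= _rotl((s[b] + s[a]) & MASK32, 9)
    s[d] ^= _rotl((s[c] + s[b]) & MASK32, 13)
    s[a] ^= _rotl((s[d] + s[c]) & MASK32, 18)

def salsa20_block(key, nonce, counter):
    """64-byte keystream block for (32-byte key, 8-byte nonce, 64-bit block counter)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))  # low word first
    inp = [SIGMA[0], k[0], k[1], k[2],
           k[3], SIGMA[1], n[0], n[1],
           c[0], c[1], SIGMA[2], k[4],
           k[5], k[6], k[7], SIGMA[3]]
    s = inp[:]
    for _ in range(10):  # 10 double rounds = Salsa20/20
        for q in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)):
            _quarterround(s, *q)  # column round
        for q in ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _quarterround(s, *q)  # row round
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(s, inp)])

def salsa20_xor(key, nonce, data, first_block=0):
    """XOR data with keystream starting at block first_block: any 64-byte block can be reached directly."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, first_block + off // 64)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)

def encrypt_record(key, plaintext, nonce=None):
    """Draft-style framing (hypothetical name): IV || Salsa20(plaintext), no authentication."""
    if nonce is None:
        nonce = os.urandom(8)  # must be fresh per record; reuse leaks keystream
    return nonce + salsa20_xor(key, nonce, plaintext)

def decrypt_record(key, record):
    """Split the 8-byte IV off the front and undo the keystream XOR."""
    return salsa20_xor(key, record[:8], record[8:])
```

Because there is no MAC, `decrypt_record` accepts any bit-flipped record; a nonce repeated across two records also exposes the XOR of their plaintexts, which is why a record format should carry an authentication tag as well as the IV.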