Re: [Cfrg] Salsa20 stream cipher in TLS

Simon Josefsson <simon@josefsson.org> Tue, 19 March 2013 20:41 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Wan-Teh Chang <wtc@google.com>
References: <514862C6.4070809@secworks.se> <747787E65E3FBD4E93F0EB2F14DB556B183EBFA6@xmb-rcd-x04.cisco.com> <CAL9PXLyRn82DCOE3DR+O+t-dAOuynLazcceAtAzM-HdX3O18yw@mail.gmail.com> <CALTJjxG+nobTrSiM2H60-=oJa6Jva-oC29HjkgZmngtMfXM=Qw@mail.gmail.com>
Date: Tue, 19 Mar 2013 21:41:16 +0100
In-Reply-To: <CALTJjxG+nobTrSiM2H60-=oJa6Jva-oC29HjkgZmngtMfXM=Qw@mail.gmail.com> (Wan-Teh Chang's message of "Tue, 19 Mar 2013 11:23:39 -0700")
Message-ID: <87fvzrktqr.fsf@latte.josefsson.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "joachim@secworks.se" <joachim@secworks.se>, Adam Langley <agl@google.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] Salsa20 stream cipher in TLS

Wan-Teh Chang <wtc@google.com> writes:

> Although it may be possible to retrofit GenericAEADCipher into TLS 1.0 and
> 1.1, the existing implementations of the AES-GCM cipher suites restrict them
> to TLS 1.2, so there will still be interoperability problems.

Implementations could be fixed here, if we want to.  There may still be
interop problems, but there will always be interop problems so
implementations need to handle them anyway.

> Assuming we can solve the problems of using GenericAEADCipher and
> updating key expansion in TLS 1.0 and 1.1, new AEAD cipher suites can
> describe how they will be used in older versions of TLS from day one.
> So it still seems worthwhile to solve the problem of using AEAD cipher
> suites in TLS 1.0 and 1.1.

That may be useful, and would likely have helped adoption of AEAD
ciphers in TLS if it had been done from the start.

I'm not sure why TLS 1.2 isn't negotiated more often by browsers.  If it
is an implementation issue, I'm not convinced specifying AEAD ciphers
for TLS 1.0 and TLS 1.1 will help: they just get another implementation
issue to implement that instead.  Admittedly, it is a different
implementation task, so it may be fixed earlier than the other issue,
but that is difficult to predict.  Generally, it might be better to push
browser vendors to switch to TLS 1.2 more quickly; then the problem is
solved as well.

/Simon
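The thread above argues about whether GenericAEADCipher can be carried over an older record-layer version. The following Go program is an added illustration of what the record layer actually does for an AES-GCM suite, written for this page and not code from Simon, Wan-Teh or any TLS implementation in the thread. It follows the GenericAEADCipher layout of RFC 5246 section 6.2.3.3 and the nonce construction of RFC 5288 (4-byte implicit salt from the key block, 8-byte explicit nonce in the record), and shows that nothing in the record format itself depends on the protocol version: the version bytes only enter as part of the additional data, so a record sealed under one version fails to authenticate when the header is retagged as another. The key and salt are constructed test values, and using the sequence number as nonce_explicit is one of the choices RFC 5288 permits, chosen here for simplicity. The key-expansion side of the problem (the PRF changes from MD5/SHA-1 to SHA-256 in TLS 1.2, and AEAD suites derive IV material instead of MAC keys) is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record-layer version numbers for TLS 1.0, 1.1 and 1.2.
const (
	VersionTLS10 uint16 = 0x0301
	VersionTLS11 uint16 = 0x0302
	VersionTLS12 uint16 = 0x0303
)

const (
	recordTypeApplicationData = 23
	saltLen                   = 4 // implicit nonce part, taken from the key block (RFC 5288)
	explicitNonceLen          = 8 // GenericAEADCipher.nonce_explicit (RFC 5246 6.2.3.3)
	recordHeaderLen           = 5 // type(1) || version(2) || length(2)
)

// AEADKeys is one direction's AES-GCM write key plus the 4-byte implicit salt.
type AEADKeys struct {
	Key  []byte
	Salt [saltLen]byte
}

// additionalData is RFC 5246's
//   seq_num || TLSCompressed.type || TLSCompressed.version || TLSCompressed.length
// Note that the length is the plaintext length, not the record body length.
func additionalData(seq uint64, typ byte, version uint16, plaintextLen int) []byte {
	ad := make([]byte, 13)
	binary.BigEndian.PutUint64(ad[0:8], seq)
	ad[8] = typ
	binary.BigEndian.PutUint16(ad[9:11], version)
	binary.BigEndian.PutUint16(ad[11:13], uint16(plaintextLen))
	return ad
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmNonce concatenates the implicit salt and the explicit nonce (RFC 5288 section 3).
func gcmNonce(salt [saltLen]byte, explicit []byte) []byte {
	nonce := make([]byte, 0, saltLen+explicitNonceLen)
	nonce = append(nonce, salt[:]...)
	return append(nonce, explicit...)
}

// SealRecord builds a full application-data record:
//   header || nonce_explicit || AES-GCM(ciphertext || tag)
// The sequence number doubles as nonce_explicit (constructed choice, allowed by RFC 5288).
func SealRecord(k AEADKeys, seq uint64, version uint16, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(k.Key)
	if err != nil {
		return nil, err
	}
	explicit := make([]byte, explicitNonceLen)
	binary.BigEndian.PutUint64(explicit, seq)
	ad := additionalData(seq, recordTypeApplicationData, version, len(plaintext))
	body := aead.Seal(explicit, gcmNonce(k.Salt, explicit), plaintext, ad)

	rec := make([]byte, recordHeaderLen, recordHeaderLen+len(body))
	rec[0] = recordTypeApplicationData
	binary.BigEndian.PutUint16(rec[1:3], version)
	binary.BigEndian.PutUint16(rec[3:5], uint16(len(body)))
	return append(rec, body...), nil
}

// OpenRecord parses a record, checks the header, and authenticates it under the
// version carried in the header. Any change to version, type, length or sequence
// number shows up as a GCM authentication failure.
func OpenRecord(k AEADKeys, seq uint64, expectVersion uint16, record []byte) ([]byte, error) {
	if len(record) < recordHeaderLen {
		return nil, errors.New("record shorter than header")
	}
	typ := record[0]
	version := binary.BigEndian.Uint16(record[1:3])
	length := int(binary.BigEndian.Uint16(record[3:5]))
	if len(record) != recordHeaderLen+length {
		return nil, errors.New("record length field does not match body")
	}
	if version != expectVersion {
		return nil, fmt.Errorf("record version %#04x, expected %#04x", version, expectVersion)
	}
	aead, err := newGCM(k.Key)
	if err != nil {
		return nil, err
	}
	body := record[recordHeaderLen:]
	if len(body) < explicitNonceLen+aead.Overhead() {
		return nil, errors.New("body too short for nonce_explicit and tag")
	}
	explicit, ct := body[:explicitNonceLen], body[explicitNonceLen:]
	ptLen := len(ct) - aead.Overhead()
	ad := additionalData(seq, typ, version, ptLen)
	return aead.Open(nil, gcmNonce(k.Salt, explicit), ct, ad)
}

func main() {
	// Constructed key material; a real stack derives these from the PRF key block.
	k := AEADKeys{Key: []byte("0123456789abcdef"), Salt: [saltLen]byte{1, 2, 3, 4}}
	for _, v := range []uint16{VersionTLS10, VersionTLS11, VersionTLS12} {
		rec, _ := SealRecord(k, 1, v, []byte("application data"))
		pt, err := OpenRecord(k, 1, v, rec)
		fmt.Printf("version %#04x: %d-byte record, open -> %q, err=%v\n", v, len(rec), pt, err)
	}
	// Same body, header retagged from TLS 1.2 to TLS 1.1: AAD changes, tag check fails.
	rec, _ := SealRecord(k, 2, VersionTLS12, []byte("application data"))
	rec[1], rec[2] = 0x03, 0x02
	_, err := OpenRecord(k, 2, VersionTLS11, rec)
	fmt.Println("retagged record:", err)
}
```

The record on the wire is the same shape for all three versions; what would differ in a real retrofit is the handshake that produces `AEADKeys` and the key-block layout it uses, which is the "updating key expansion" problem Wan-Teh refers to.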