Re: [Cfrg] [secdir] ISE seeks help with some crypto drafts

Tony Arcieri <> Fri, 08 March 2019 18:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 89A76129AB8 for <>; Fri, 8 Mar 2019 10:45:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id B9Ud2Rq8kFlH for <>; Fri, 8 Mar 2019 10:45:49 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9F75C1295D8 for <>; Fri, 8 Mar 2019 10:45:48 -0800 (PST)
Received: by with SMTP id s16so16622192oih.9 for <>; Fri, 08 Mar 2019 10:45:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Cp+dEMQ/IerEvC2cXX+Xzy+lMQEJRxsa79kjOmZxP8M=; b=oJ+vE5R43ajKDY3v+woxeDoirEme/9+1EgZcEY3ZoWBBzB/BdiZBuTGk5kwstojupT HoWJAuXLSCgOQ3lcMVFwJY0eulra8phLqmHIe8v+6OXK55eO4w38Pz4/YGonZTuroPPh Miw9foVMbMmuQ5y190VDuQEJtjTpwYDRlXhWigtHi/n8L/SvjAOZQzsHvtIT1i5BLNOO eQaP5sAObBp7kmGUk2wLNYN2CWrkOfh/k3NB6RIri/Wfy6WX76lmgemo6odQwMqqGotU p5BFonAwq1yWs5lFyGIL+1vRajcbgp0IT0De0kAd4XmDROdP/7knydxhnnk5DptZ1Z/l YObA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Cp+dEMQ/IerEvC2cXX+Xzy+lMQEJRxsa79kjOmZxP8M=; b=f2c1gbDW9hQ4jKBbYe6hL/VnEW4pZ9/7iT14flxm6u/QTIRlI803qGTf9cosLKZ5uY iEszypmq8/7Ieg7gDz5bVXEW++DoGbIyKA5knD9hEeA/3qSWpA0/sjsTmsVad1j1EiCw zFBPbNOEdcI94etaQGmk2QrQdMh1COPfGwhrhBl0AlkmYwO3AYvWL3oKjcWCo1qBTaqe 9IJ+VridTYO/nRk0BZjsUi5S5ZJ7zae6hou2VzwWqbIhJwOvawl8JiemoHyqDZzCxM78 ZDMN16f7yZPp17fObQXQom/IN1jFEQDcPUkiv8XVBsfxCDA85dyhTWiW6nhVi7iH6Pes ziDA==
X-Gm-Message-State: APjAAAXE9X1+w3FAwxh8rBI21qjHFR2wwyGGkvKaQ7g9AE/3YSy6uHO3 +8am4hbT4KRMfpNyPry/i2nD9CmiEte1jJoQL8k=
X-Google-Smtp-Source: APXvYqyM8N39B/IrWKshBmpzk1lwsa2a1CAhYxlI6LW+jv4fyMMMikZnctgBsaFR9JfA6DCUw82GwkgwF81suYkwOHE=
X-Received: by 2002:aca:c745:: with SMTP id x66mr8831365oif.44.1552070747605; Fri, 08 Mar 2019 10:45:47 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Tony Arcieri <>
Date: Fri, 8 Mar 2019 10:45:36 -0800
Message-ID: <>
To: Paul Wouters <>
Cc: "RFC ISE (Adrian Farrel)" <>, CFRG <>, secdir <>
Content-Type: multipart/alternative; boundary="00000000000093d233058399a1dc"
Archived-At: <>
Subject: Re: [Cfrg] [secdir] ISE seeks help with some crypto drafts
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Mar 2019 18:45:51 -0000

On Fri, Mar 8, 2019 at 9:53 AM Paul Wouters <> wrote:

> I have strong reservations about the ocb draft. Rogaway has patents
> on OCB, and has put constrains on its use and there is no generic IPR
> statement that the IETF normally likes to see for work published as
> RFC. Until such a time, I do not think publishing RFC's with OCB is
> advised. A few years ago I asked the TLS OCB authors about extending
> their allowed usage to IKE/IPsec and they told me this use was not
> covered by Rogaway's license to them. While this has since changed a bit,
> and there is no longer a specific TLS-only license, other constrains are
> still in place.  Specifying OCB documents that cannot be implemented or
> deployed indiscriminatory is troublesome.

I would agree the IPR story for OCB is presently bad.

Rogaway had previously voiced interest in completely resolving the patent
situation (i.e. disavowing the patents, with an attorney's assistance)
however sadly it seems he never completed this work. Perhaps I can attempt
to get the ball rolling on that again...

Second, I'm not a cryptographer, but it seems OCB has recently seen some
> attacks that might impact the security of OCB:
> Cryptanalysis of OCB2
> Breaking the confidentiality of OCB2
> Plaintext Recovery Attack of OCB2

There are three variants of OCB: OCB1, OCB2, and OCB3.

These attacks apply to OCB2. They do not apply to OCB1 or OCB3.

OCB3 is realistically what we should be using provided the IPR story can be
cleared up.

Tony Arcieri