Re: [Cfrg] problems with draft-josefsson-salsa20-tls-02
Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> Thu, 22 August 2013 19:57 UTC
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6B2521F9F77 for <cfrg@ietfa.amsl.com>; Thu, 22 Aug 2013 12:57:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k0un06cpj+m7 for <cfrg@ietfa.amsl.com>; Thu, 22 Aug 2013 12:57:10 -0700 (PDT)
Received: from mail-la0-x231.google.com (mail-la0-x231.google.com [IPv6:2a00:1450:4010:c03::231]) by ietfa.amsl.com (Postfix) with ESMTP id DFB0121F9EED for <cfrg@irtf.org>; Thu, 22 Aug 2013 12:57:09 -0700 (PDT)
Received: by mail-la0-f49.google.com with SMTP id ev20so1835743lab.36 for <cfrg@irtf.org>; Thu, 22 Aug 2013 12:57:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=eFVaFpI4XAB8PnGLdjflG1Ywv2gydd22PzwAu9VWS7A=; b=z+L6EpEd+xGUXEzisAgLh7dab+RwQXiFLmPN0Sgq19jJ152VIEwpKqFRPhnWNK1L07 N+CtplGEjr9Zg4vuAJtpMp0dkpGCITIsR+f9bisg9Z3l6GYHgxEnEoOLG5x3yYrVkETX Bx8jtPX7dBgMzPkIHvDHC8+0xBNswg3PRVKbylUM5myU5b5h8G4dOjQM8yVLP01IcJ1j zBYld7jYNA8/gR+4gUmdwnNnKJUp7tD8KXLU7cJ/KG9+MSCLM8UYcQRDZnfyGxgtO+ZH VYn42tJu7y+Uhs4bDjUdVdiiPk2WlL4NhOZlRfWrY9m3dzTj1dFLag+nTz75W6Pj6AVM rSIQ==
MIME-Version: 1.0
X-Received: by 10.112.158.225 with SMTP id wx1mr2716051lbb.37.1377201427206; Thu, 22 Aug 2013 12:57:07 -0700 (PDT)
Received: by 10.112.63.66 with HTTP; Thu, 22 Aug 2013 12:57:07 -0700 (PDT)
In-Reply-To: <1376512356.16950.360.camel@darkstar>
References: <3C4AAD4B5304AB44A6BA85173B4675CAB247161D@MSMR-GH1-UEA03.corp.nsa.gov> <1376512356.16950.360.camel@darkstar>
Date: Thu, 22 Aug 2013 22:57:07 +0300
Message-ID: <CAJU7zaJqifkKc0Ldpc26Y5ubSYgsactA+g4sZLOvEHan++uEbA@mail.gmail.com>
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
To: David McGrew <mcgrew@cisco.com>
Content-Type: multipart/alternative; boundary="001a11c34932da596104e48eb1d7"
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] problems with draft-josefsson-salsa20-tls-02
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 19:57:11 -0000
On Wed, Aug 14, 2013 at 11:32 PM, David McGrew <mcgrew@cisco.com> wrote: Hello, I believe your comments relate more to the ietf-tls rather than this list. In any case some comments are in-line. > This draft lists two motivations: RC4 security is inadequate, and the > performance of the symmetric cryptography in other ciphersuites is > inadequate. I agree with the first premise, and the authors deserve > kudos for raising and starting to address the issue. However, the > second premise is questionable. The draft cites [AEAD-PERFORMANCE], and > that reference shows that the performance of AES-GCM and AES-CCM are > suboptimal in some scenarios, not that they are inadequate. The draft > ought to cite some other work such as [1] to provide a broader viewpoint > on ciphersuite performance and deployment considerations of new > ciphersuites. If it is the case that SALSA20 and UMAC (or POLY1305) > compellingly outperform existing ciphersuites on some particular client > environments and server environments, the draft should document the > particulars. > I thought that it was generally accepted that salsa20 (or any other estream candidate) outperform AES. There are benchmarks in the estream framework we can link to [0] if it is deemed necessary. [0]. http://www.ecrypt.eu.org/stream/perf/ The security question that we should be considering is: are the > authenticated encryption schemes defined in this draft sound? The > strategy used in this draft is to rely on the "generic composition" > framework provided by TLS: a new GenericStreamCipher is defined and is > used at the same time as a TLS MAC algorithm, which is either the > conventional TLS HMAC or the new TLS UMAC algorithm defined in this > draft. Thus, there is a merely a loose binding between authentication > and encryption, and a potential opportunity for a side channel attack > like the ones described in [CBC-ATTACK]. I don't understand why you think that. There is no padding involved in the salsa20 ciphersuites, so the padding based [CBC-ATTACK] (or any other similar attack) do not apply. To my knowledge there is no known issue for the mode used in salsa20/hmac or salsa20/umac in the draft. The draft recognizes the value > of resisting side channel attacks, but the loose binding approach works > against that goal. Instead of defining a GenericStreamCipher, the draft > should define an AEAD algorithm, which would close the door on that sort > of vulnerability. > I don't quite understand that. Could you elaborate on the particulars? Why do you think that the TLS GenericStreamCipher is vulnerable to side-channel attacks (and the GenericAEADCipher is not?). I believe your comment is towards the general constructions (and more precisely you mean the GenericBlockCipher) rather than this particular ciphersuite. > One of the motivations for not using the TLS GenericAEADCipher mechanism > is that it appears only in TLSv1.2. However, the draft proposes > extensions to both the GenericStreamCipher and MAC algorithms used by > TLSv1.0 and TLSv1.1, and it would be no more intrusive to those > protocols to define the use of GenericAEADCipher in them. Using the > same AEAD mechanism for versions 1.0, 1.1, and 1.2 would result in > smaller and less complex implementation. > Only if you can work in clean slate. Unfortunately that doesn't happen in practice. In practice one would add the ciphersuite in an existing implementation that may not support TLS 1.2. > The draft has no mechanism to allow multiple encrypters to work in > parallel, such as is provided in Section 6.2 of RFC5288. > Actually RFC5288 needs this section because it uses a random nonce. Since the salsa draft doesn't use a random nonce it doesn't require such a special provision for parallel encryptors. Parallel encryptors come for free in the salsa20 draft. > Previous AEAD work has chosen to not use the sequence number provided by > TLS (and other protocols) because of a lack of assurance that those > values will be unique. This draft does use those sequence numbers, > which enables its ciphersuites to have less data overhead, but > introducing a potential vulnerability through mismanagement of sequence > numbers by TLS implementations. > TLS ensures that sequence numbers are unique. All of the TLS 1.x documents mention specifically: "Sequence numbers are of type uint64 and may not exceed 2^64-1. Sequence numbers do not wrap". regards, Nikos
- Re: [Cfrg] Task for the CFRG zooko
- [Cfrg] Task for the CFRG Igoe, Kevin M.
- Re: [Cfrg] Task for the CFRG Ted Krovetz
- Re: [Cfrg] Task for the CFRG Blumenthal, Uri - 0558 - MITLL
- [Cfrg] theoretical question ... RE: Task for the … Dan Brown
- Re: [Cfrg] Task for the CFRG David McGrew
- [Cfrg] problems with draft-josefsson-salsa20-tls-… David McGrew
- Re: [Cfrg] Task for the CFRG Ben Laurie
- Re: [Cfrg] Task for the CFRG Paul Hoffman
- Re: [Cfrg] Task for the CFRG Joachim Strömbergson
- Re: [Cfrg] problems with draft-josefsson-salsa20-… Nikos Mavrogiannopoulos
- Re: [Cfrg] problems with draft-josefsson-salsa20-… zooko
- Re: [Cfrg] problems with draft-josefsson-salsa20-… David McGrew
- Re: [Cfrg] problems with draft-josefsson-salsa20-… Nikos Mavrogiannopoulos