Re: [Cfrg] Salsa20 stream cipher in TLS
"David McGrew (mcgrew)" <mcgrew@cisco.com> Wed, 20 March 2013 09:55 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCA1E21F8A41 for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2013 02:55:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nEu7kHOrZU24 for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2013 02:55:51 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 073D721F8A64 for <cfrg@irtf.org>; Wed, 20 Mar 2013 02:55:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2952; q=dns/txt; s=iport; t=1363773351; x=1364982951; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=m5Nr3Z/zGLgaPY+jnDMdm0bpXh4VW79Nn6qE5aBkRkc=; b=I4+vcYKoEgsXis0l5emvcwwUCeYAv+veDS8qPEPoyxZorertpqpjkLcl ioWrKrA+nU/01/TqjhgKyKd2PyjOta6WTIsyW5bZJXrie9UWgnHQDKU8B D+mee1866UBgYV4h1QdrkL4qePjcY9aJHmTLIFbN2r4aFYLcsYfRb/Fej E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAGCHSVGtJXG+/2dsb2JhbABDxRKBSBZ0giQBAQEDAQEBATc0CxIBCBgKFDcLJQIEAQ0FCAGIBQYMwhAXjDyCIjEHgl9hA6digwqCKA
X-IronPort-AV: E=Sophos;i="4.84,876,1355097600"; d="scan'208";a="186440167"
Received: from rcdn-core2-3.cisco.com ([173.37.113.190]) by rcdn-iport-9.cisco.com with ESMTP; 20 Mar 2013 09:55:28 +0000
Received: from xhc-aln-x13.cisco.com (xhc-aln-x13.cisco.com [173.36.12.87]) by rcdn-core2-3.cisco.com (8.14.5/8.14.5) with ESMTP id r2K9tRAZ008319 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 20 Mar 2013 09:55:27 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.112]) by xhc-aln-x13.cisco.com ([173.36.12.87]) with mapi id 14.02.0318.004; Wed, 20 Mar 2013 04:55:27 -0500
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Jon Callas <jon@callas.org>, Simon Josefsson <simon@josefsson.org>
Thread-Topic: [Cfrg] Salsa20 stream cipher in TLS
Thread-Index: AQHOJOIar3FapCbYoEGyY4Iqyk/e/pit/XkAgABrnQA=
Date: Wed, 20 Mar 2013 09:55:26 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B183EC751@xmb-rcd-x04.cisco.com>
In-Reply-To: <DFD6D239-7754-4CA7-A2FD-3735A0D500AB@callas.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.1.120420
x-originating-ip: [10.117.10.227]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C279EB682E2FC745B3C27306C54D30B9@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Wan-Teh Chang <wtc@google.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "joachim@secworks.se" <joachim@secworks.se>, Adam Langley <agl@google.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] Salsa20 stream cipher in TLS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2013 09:55:52 -0000
Hi Jon, On 3/19/13 7:30 PM, "Jon Callas" <jon@callas.org> wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On Mar 19, 2013, at 1:41 PM, Simon Josefsson <simon@josefsson.org> wrote: > >> I'm not sure why TLS 1.2 isn't negotiated more often by browsers. If it >> is an implementation issue, I'm not convinced specifying AEAD ciphers >> for TLS 1.0 and TLS 1.1 will help: they just get another implementation >> issue to implement that instead. Admittedly, it is a different >> implementation task, so it may be fixed earlier than the other issue, >> but that is difficult to predict. Generally, it might be better to push >> browsers vendors to switch to TLS 1.2 more quickly, then the problem is >> also solved. > >There are two reasons. Uncertainty about ECC, and uncertainty about GCM. > >We can debate how much the ECC uncertainty is warranted, but lots of >people have it. We can also debate the GCM issues, but GCM is tetchy to >use properly. >And yes, you could always use CCM instead. But most people don't know >that CCM is part of TLS 1.2. I didn't know it I discovered it while >writing this note. > >The general opinion about TLS 1.2 is that that's the version for Suite B. >That's not precisely true. I had that opinion for a while until I learned >I was mistaken. However, if you have concerns about either ECC or GCM, >then you have concerns about TLS 1.2. I don't know if you can do 1.2 >without ECC or GCM. TLSv1.2 barely mentions either GCM or ECC, much less requires their use. RFC 5246 says: in the absence of an application profile standard specifying otherwise, a TLSv1.2-compliant application MUST implement the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA. No ECC or GCM ciphersuites are mentioned in that RFC. On the flip side, there are benefits in using that version; v1.2 allows to use SHA256 in key derivation (PRF) and message authentication (HMAC), allows the use of AEAD, and adds other fixes. GCM does require a distinct nonce for each encryption operation, which makes it vulnerable to "nonce misuse", or makes it tetchy as you say. However, this property is a non-issue in TLS, since it is easy to use a sequence number as a nonce, and session keys don't persist between sessions. For comparison, Salsa20 and UMAC, both recently mentioned on this thread, would also have exactly the same distinct-nonce requirement, and essentially RC4 does as well (in the sense that an application that mis-manages the RC4 state would likely cause a loss of confidentiality). David > > Jon > > >-----BEGIN PGP SIGNATURE----- >Version: PGP Universal 3.2.0 (Build 1672) >Charset: us-ascii > >wj8DBQFRSPUpsTedWZOD3gYRAimEAJ0V1eXYxUqRHxWWNaX1GzZJIIz0ZgCfRBXF >48rWFyQymJ1znyyvWCKO4MY= >=Jh5v >-----END PGP SIGNATURE----- >_______________________________________________ >Cfrg mailing list >Cfrg@irtf.org >http://www.irtf.org/mailman/listinfo/cfrg
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS Jon Callas
- Re: [Cfrg] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Jon Callas
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Peter Gutmann
- Re: [Cfrg] Salsa20 stream cipher in TLS Peter Gutmann
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir