Re: [Cfrg] Salsa20 stream cipher in TLS
"David McGrew (mcgrew)" <mcgrew@cisco.com> Mon, 18 March 2013 21:12 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A81AB21F914C for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2013 14:12:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BnKsNNiigq9a for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2013 14:12:03 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id A880221F9146 for <cfrg@irtf.org>; Mon, 18 Mar 2013 14:12:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4226; q=dns/txt; s=iport; t=1363641123; x=1364850723; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=YHFhIrKFdBhAXh/7aHgA1Pr31JADzxXnkwFK6nSfbxg=; b=D7UxWsI+WkcEkdFmERdv0xZn/gVhBfaQKY0lav+oA8QesmajbLmQ+R4b c/gtl47/yquy7ZvmdxqV2QVkzLHy8If7niIe8YMfgCqbTrFiYwGguuvUw m6NRu2dfaenHJpH8GOK7LzjrXOGXQbO07wzLSRM0zrf35GO7exPGziVAi s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAIeAR1GtJXG8/2dsb2JhbABDxS6BVhZ0giQBAQEDATo/EgEIIhRCJQIEDgUIiAYGwieOXzEHgl9hA4t6kVOKE4MKgig
X-IronPort-AV: E=Sophos;i="4.84,867,1355097600"; d="scan'208";a="188840993"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-3.cisco.com with ESMTP; 18 Mar 2013 21:11:58 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id r2ILBwih014374 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 18 Mar 2013 21:11:58 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.112]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.02.0318.004; Mon, 18 Mar 2013 16:11:57 -0500
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Simon Josefsson <simon@josefsson.org>
Thread-Topic: Salsa20 stream cipher in TLS
Thread-Index: AQHOJBkcOgV0xxTq40yuP+6jbt08QpisAv8A
Date: Mon, 18 Mar 2013 21:11:57 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B183EB9C5@xmb-rcd-x04.cisco.com>
In-Reply-To: <87ehfc784a.fsf@latte.josefsson.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.1.120420
x-originating-ip: [10.117.10.227]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <CE7091BFFCEDB243BB5B940BC0123410@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "joachim@secworks.se" <joachim@secworks.se>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] Salsa20 stream cipher in TLS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2013 21:12:04 -0000
Hi Simon, On 3/18/13 4:42 PM, "Simon Josefsson" <simon@josefsson.org> wrote: >"David McGrew (mcgrew)" <mcgrew@cisco.com> writes: > >> Hi Simon, > >Hi David. Thanks for quick review. Thanks for the quick response, more inline: > >> It is not exactly clear what problem is being addressed by this work. >> Would be good to add a problem statement section. > >Good idea, the document now contains this paragraph: > > The purpose of this document is to provide an alternative stream > cipher for both TLS and DTLS that is comparable to RC4 in speed on a > wide range of platforms. > >There are other soft factors too. In general the goal is to offer >something that can replace use of RC4 in TLS. I'm guessing speed is one >reason people use RC4 in TLS today. > >> Some more detailed comments, quoting from the draft: >> >> Recent attacks has indicated problems with CBC-mode cipher suites in >> TLS/DTLS and problems with the only supported stream cipher (RC4) in >> TLS has been known for a long time. While AEAD cipher suites address >> these issues, concerns about performance are sometimes raised. >> >> >> What are the performance concerns? I suggest citing some relevant >> performance data. > >If there are implementations of this, we can benchmark them and compare >them against other cipher suites and include some numbers or pointers to >comparisons. I believe Salsa20 is faster than for example AES GCM on >most platforms. > >> Because the GenericStreamCipher definition in TLS does not provide >> any way to transport the Salsa20 nonce that is required for >> functionality and needed to provide the random access property, we >> let the output from the stream cipher operation be the concatenation >> of the IV and the encrypted data. >> >> >> Please, define a Salsa20-based AEAD mechanism instead of a new TLS >>format! > >That paragraph has been removed from the current work in progress, it >was incorrect (the record sequence number will be used as nonce >instead). I don't believe the AEAD mechanism works: there is no field >to put the MAC in it. I'm not sure what you mean about the lack of a MAC field. It would not be hard to define an AEAD algorithm based on Salsa20; I would be surprised if there is not a submission to CAESAR using that cipher. And using the AEAD in TLSv1.2 is straightforward. (Is the issue a desire to use Salsa20 in older versions?) > >>>Some elements of the draft is still in flux. For example, >>>initial performance benchmarks suggests HMAC-SHA256 was a poor choice >>>for the MAC so we are looking into UMAC and HMAC-SHA1 as alternatives. >>>Still, all comments are appreciated. >> >> If anything other than HMAC-SHA1 is used, that would underscore the >>value >> of defining an AEAD algorithm. If the main motivation for this work is >> encryption that is computationally cheap, then it makes sense to pair >>the >> algorithm with an authentication method with the same characteristics. > >Yes -- only specifying HMAC-SHA256 was a mistake, and we have included a >HMAC-SHA1 variant in the working copy. It is not clear to me whether >keeping HMAC-SHA256 is useful. > >> For security considerations, I suggest citing the analysis of Salsa20, >>and >> adding a sentence or paragraph summarizing the best-known attacks. >> Something like "Salsa20 has been analyzed by X independent teams, and >>the >> best known attack breaks 8 of 20 rounds." > >Good idea, the first paragraph of the security considerations is now: > > The security of Salsa20 is discussed in the Salsa20 security > [SALSA20-SECURITY] paper. The reader must consult cryptographic > research to find out the current security status of Salsa20. At the > time of writing this document, there are no known significant > security problems with Salsa20/12 or Salsa20/20. As of early 2013, > the best cryptanalysis breaks 8 out of 20 rounds to recover the 256- > bit secret key in 2^251 operations, using 2^31 keystream pairs (see > [SALSA20-ATTACK]). For more background, see the eSTREAM report > [ESTREAM]. Looks good. David > >/Simon
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS Jon Callas
- Re: [Cfrg] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Jon Callas
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Peter Gutmann
- Re: [Cfrg] Salsa20 stream cipher in TLS Peter Gutmann
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir