IETF Logo Mail Archive

Re: [Cfrg] Salsa20 stream cipher in TLS

"David McGrew (mcgrew)" <mcgrew@cisco.com> Mon, 18 March 2013 21:12 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A81AB21F914C for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2013 14:12:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BnKsNNiigq9a for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2013 14:12:03 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id A880221F9146 for <cfrg@irtf.org>; Mon, 18 Mar 2013 14:12:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4226; q=dns/txt; s=iport; t=1363641123; x=1364850723; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=YHFhIrKFdBhAXh/7aHgA1Pr31JADzxXnkwFK6nSfbxg=; b=D7UxWsI+WkcEkdFmERdv0xZn/gVhBfaQKY0lav+oA8QesmajbLmQ+R4b c/gtl47/yquy7ZvmdxqV2QVkzLHy8If7niIe8YMfgCqbTrFiYwGguuvUw m6NRu2dfaenHJpH8GOK7LzjrXOGXQbO07wzLSRM0zrf35GO7exPGziVAi s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAIeAR1GtJXG8/2dsb2JhbABDxS6BVhZ0giQBAQEDATo/EgEIIhRCJQIEDgUIiAYGwieOXzEHgl9hA4t6kVOKE4MKgig
X-IronPort-AV: E=Sophos;i="4.84,867,1355097600"; d="scan'208";a="188840993"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-3.cisco.com with ESMTP; 18 Mar 2013 21:11:58 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id r2ILBwih014374 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 18 Mar 2013 21:11:58 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.112]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.02.0318.004; Mon, 18 Mar 2013 16:11:57 -0500
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Simon Josefsson <simon@josefsson.org>
Thread-Topic: Salsa20 stream cipher in TLS
Thread-Index: AQHOJBkcOgV0xxTq40yuP+6jbt08QpisAv8A
Date: Mon, 18 Mar 2013 21:11:57 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B183EB9C5@xmb-rcd-x04.cisco.com>
In-Reply-To: <87ehfc784a.fsf@latte.josefsson.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.1.120420
x-originating-ip: [10.117.10.227]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <CE7091BFFCEDB243BB5B940BC0123410@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "joachim@secworks.se" <joachim@secworks.se>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] Salsa20 stream cipher in TLS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2013 21:12:04 -0000

Hi Simon,

On 3/18/13 4:42 PM, "Simon Josefsson" <simon@josefsson.org> wrote:

>"David McGrew (mcgrew)" <mcgrew@cisco.com> writes:
>
>> Hi Simon,
>
>Hi David.  Thanks for quick review.

Thanks for the quick response, more inline:

>
>> It is not exactly clear what problem is being addressed by this work.
>> Would be good to add a problem statement section.
>
>Good idea, the document now contains this paragraph:
>
>   The purpose of this document is to provide an alternative stream
>   cipher for both TLS and DTLS that is comparable to RC4 in speed on a
>   wide range of platforms.
>
>There are other soft factors too.  In general the goal is to offer
>something that can replace use of RC4 in TLS.  I'm guessing speed is one
>reason people use RC4 in TLS today.
>
>> Some more detailed comments, quoting from the draft:
>>
>>    Recent attacks has indicated problems with CBC-mode cipher suites in
>>    TLS/DTLS and problems with the only supported stream cipher (RC4) in
>>    TLS has been known for a long time.  While AEAD cipher suites address
>>    these issues, concerns about performance are sometimes raised.
>>
>>
>> What are the performance concerns?   I suggest citing some relevant
>> performance data.
>
>If there are implementations of this, we can benchmark them and compare
>them against other cipher suites and include some numbers or pointers to
>comparisons.  I believe Salsa20 is faster than for example AES GCM on
>most platforms.
>
>>   Because the GenericStreamCipher definition in TLS does not provide
>>    any way to transport the Salsa20 nonce that is required for
>>    functionality and needed to provide the random access property, we
>>    let the output from the stream cipher operation be the concatenation
>>    of the IV and the encrypted data.
>>
>>
>> Please, define a Salsa20-based AEAD mechanism instead of a new TLS
>>format!
>
>That paragraph has been removed from the current work in progress, it
>was incorrect (the record sequence number will be used as nonce
>instead).  I don't believe the AEAD mechanism works: there is no field
>to put the MAC in it.

I'm not sure what you mean about the lack of a MAC field.  It would not be
hard to define an AEAD algorithm based on Salsa20; I would be surprised if
there is not a submission to CAESAR using that cipher.  And using the AEAD
in TLSv1.2 is straightforward.   (Is the issue a desire to use Salsa20 in
older versions?)

>
>>>Some elements of the draft is still in flux.  For example,
>>>initial performance benchmarks suggests HMAC-SHA256 was a poor choice
>>>for the MAC so we are looking into UMAC and HMAC-SHA1 as alternatives.
>>>Still, all comments are appreciated.
>>
>> If anything other than HMAC-SHA1 is used, that would underscore the
>>value
>> of defining an AEAD algorithm.   If the main motivation for this work is
>> encryption that is computationally cheap, then it makes sense to pair
>>the
>> algorithm with an authentication method with the same characteristics.
>
>Yes -- only specifying HMAC-SHA256 was a mistake, and we have included a
>HMAC-SHA1 variant in the working copy.  It is not clear to me whether
>keeping HMAC-SHA256 is useful.
>
>> For security considerations, I suggest citing the analysis of Salsa20,
>>and
>> adding a sentence or paragraph summarizing the best-known attacks.
>> Something like "Salsa20 has been analyzed by X independent teams, and
>>the
>> best known attack breaks 8 of 20 rounds."
>
>Good idea, the first paragraph of the security considerations is now:
>
>   The security of Salsa20 is discussed in the Salsa20 security
>   [SALSA20-SECURITY] paper.  The reader must consult cryptographic
>   research to find out the current security status of Salsa20.  At the
>   time of writing this document, there are no known significant
>   security problems with Salsa20/12 or Salsa20/20.  As of early 2013,
>   the best cryptanalysis breaks 8 out of 20 rounds to recover the 256-
>   bit secret key in 2^251 operations, using 2^31 keystream pairs (see
>   [SALSA20-ATTACK]).  For more background, see the eSTREAM report
>   [ESTREAM].

Looks good.

David

>
>/Simon

v2.23.0 | Report a Bug | By Email