Re: [Cfrg] matching AES security

"Dan Harkins" <dharkins@lounge.org> Fri, 01 August 2014 16:21 UTC

Message-ID: <d1df688a6a2ef663b216ddb4e0fd60cd.squirrel@www.trepanning.net>
In-Reply-To: <CAFewVt4jNUVK5PBDUoMJ0y4YzZ1e5okztV3qpT6J5aK0KmC0wg@mail.gmail.com>
References: <20140730123336.29011.qmail@cr.yp.to> <CAFewVt4jNUVK5PBDUoMJ0y4YzZ1e5okztV3qpT6J5aK0KmC0wg@mail.gmail.com>
Date: Fri, 01 Aug 2014 09:21:45 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Brian Smith <brian@briansmith.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/H-JJBtK2skHIV-kZkWyn_ccZtk4
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] matching AES security

On Thu, July 31, 2014 8:57 am, Brian Smith wrote:
> On Wed, Jul 30, 2014 at 5:33 AM, D. J. Bernstein <djb@cr.yp.to> wrote:
>> These attacks assume that the attacker sees ciphertext for, e.g., an
>> all-zero block encrypted under all of the keys. Sometimes protocols
>> randomize their blocks to try to stop these attacks---but putting
>> complications into protocols to compensate for a cipher's deficient
>> security is _not_ a smart way to design a cryptographic system.
>
> I agree that it would be better to not need to randomize blocks to
> avoid the attacks you alluded to. However, it seems like randomizing
> the blocks is often easy; for example, I think it would be pretty easy
> to define AES-GCM and ChaCha20-Poly1305 cipher suites for TLS in a way
> where the initial nonce comes from the PRF and is then incremented.

  That's basically the SIV mode of AES (RFC 5297). Perhaps that
deserves another look (I tried to interest the TLS WG in that mode
ages ago).

  Dan.
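An added illustration of the point under discussion, not code from this thread or from any TLS implementation: Bernstein's multi-key concern is that an attacker who sees a fixed block (an all-zero block under a fixed nonce) encrypted under many keys collects AES_k(constant) for every key at once. With AES-GCM and a 96-bit nonce, the ciphertext of an all-zero first block is exactly AES_k(nonce || 0x00000002), so the fixed-nonce case hands that value over directly. The example below implements Brian Smith's proposal, a per-connection IV derived from the PRF and then varied per record, using the construction TLS 1.3 later standardised (RFC 8446 section 5.3: nonce = write_iv XOR padded sequence number) and HKDF-Expand over HMAC-SHA256 as the PRF. The connection secrets and HKDF labels are constructed for the example. It shows that, once the IV is derived per connection, the AES input that each key sees is different, which is what removes the shared-target structure the attack relies on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// hkdfExpand is a minimal HKDF-Expand (RFC 5869) over HMAC-SHA256; it stands in
// for "the PRF" of the proposal. prk is the connection secret, info a label.
func hkdfExpand(prk, info []byte, n int) []byte {
	var out, prev []byte
	for counter := byte(1); len(out) < n; counter++ {
		mac := hmac.New(sha256.New, prk)
		mac.Write(prev)
		mac.Write(info)
		mac.Write([]byte{counter})
		prev = mac.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// DeriveConnection derives an AES-128 key and a 12-byte write IV from a
// connection secret. The labels are constructed for this example.
func DeriveConnection(secret []byte) (key, writeIV []byte) {
	return hkdfExpand(secret, []byte("example key"), 16),
		hkdfExpand(secret, []byte("example iv"), 12)
}

// RecordNonce builds the per-record 96-bit nonce TLS 1.3 style: the 64-bit
// record sequence number, left-padded to 12 bytes, XORed with the write IV.
// Incrementing seq changes the nonce; the IV differs per connection.
func RecordNonce(writeIV []byte, seq uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	for i := range nonce {
		nonce[i] ^= writeIV[i]
	}
	return nonce
}

// CounterBlock is the 16-byte block GCM feeds to AES for the first plaintext
// block: nonce || 0x00000002 (J0 = nonce || 0x00000001, then inc32).
func CounterBlock(nonce []byte) []byte {
	in := make([]byte, 16)
	copy(in, nonce)
	in[15] = 2
	return in
}

// RawAESBlock returns AES_k(CounterBlock(nonce)) computed with the raw cipher.
func RawAESBlock(key, nonce []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, 16)
	block.Encrypt(out, CounterBlock(nonce))
	return out
}

// EncryptZeroBlock seals one all-zero 16-byte block with AES-GCM and returns
// only the ciphertext block (the tag is dropped). For a zero plaintext this
// equals the raw keystream block, i.e. AES_k(nonce || 0x00000002).
func EncryptZeroBlock(key, nonce []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, nonce, make([]byte, 16), nil)
	return ct[:16]
}

func main() {
	// Constructed secrets standing in for two independent connections.
	secrets := [][]byte{[]byte("constructed secret A"), []byte("constructed secret B")}
	fixedNonce := make([]byte, 12) // the "all-zero block under all keys" setting

	for _, s := range secrets {
		key, iv := DeriveConnection(s)
		leak := EncryptZeroBlock(key, fixedNonce)
		fmt.Printf("fixed nonce:   ciphertext == AES_k(const)? %v  (%s)\n",
			bytes.Equal(leak, RawAESBlock(key, fixedNonce)), hex.EncodeToString(leak))
		fmt.Printf("derived nonce: AES input for record 0 = %s, record 1 = %s\n",
			hex.EncodeToString(CounterBlock(RecordNonce(iv, 0))),
			hex.EncodeToString(CounterBlock(RecordNonce(iv, 1))))
	}
}
```

The derived IV does not change what GCM leaks for a zero block (it is still one AES output under that key); what changes is that no two connections evaluate AES on the same input, so an attacker cannot amortise one precomputation over all keys. Incrementing the sequence number moves the nonce within a connection; the per-connection IV moves it between connections. This is the TLS 1.3 construction, not RFC 5297 SIV, which derives its IV from the plaintext and associated data instead.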