Re: [Cfrg] RFC 5116 update?

John Mattsson <john.mattsson@ericsson.com> Wed, 29 August 2018 09:22 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: RFC 5116 update?
Thread-Index: AQHUHpvDsh40wsBYpE+4U8aCIJzlz6StL0iAgCmovQA=
Date: Wed, 29 Aug 2018 09:22:51 +0000
Message-ID: <E1E2B9B9-574E-46ED-BFD8-AE97151BFE61@ericsson.com>
References: <37F1DDB7-DE91-41E0-98B5-D98A5440FA53@ericsson.com> <BD739FAB-A3FA-4575-8F03-A7187B3DBC59@cisco.com>
In-Reply-To: <BD739FAB-A3FA-4575-8F03-A7187B3DBC59@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/HoNCNGgLghwxNNEuoleOIlimdVU>
Subject: Re: [Cfrg] RFC 5116 update?
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Thanks David,

I did not know about https://tools.ietf.org/html/draft-mcgrew-iv-gen-03, I think it contains a lot of good and very useful material that would have a value not only for IETF but also for other SDOs. I quite often see new specifications that refer to NIST 800-38D / RFC 5116 and therefore do not use an Unpredictable IV/Nonce with Randomizer/Salt.

(some more comments inline)

Cheers,
John

On 2018-08-03, 00:12, "David McGrew (mcgrew)" <mcgrew@cisco.com> wrote:

>Hi John,
>
>
>
>On 7/18/18, 9:32 AM, "John Mattsson" <john.mattsson@ericsson.com> wrote:
>
>>The situation we have today is that recent IETF standards
>>
>>- COSE (RFC 8152),
>>- Encrypted Content-Encoding for HTTP (RFC 8188),
>>- TLS 1.3 (draft-ietf-tls-tls13),
>>
>>are not following the recommended nonce formation in Section 3.1 of RFC 5116. Instead they are constructing the nonce as
>> 
>>  NONCE = PRF( Shared secret, Public material ) XOR SEQ
>
>Secure RTP (RFC 3711) does something similar.
>
>
>>
>>and keep the PRF( Shared secret, Public material ) part of the nonce secret. The nonce construction is analyzed in https://eprint.iacr.org/2016/564.pdf showing that it improves the resilience against (passive) mass surveillance. It should also improve the resilience against Grover's algorithm when the effective key length of the shared secret is larger than the AEAD key.
>
>Randomized nonces certainly improve security.  We absolutely knew this during the standards process around counter-based modes; see for instance Section 4 of “Counter Mode Security: Analysis and Recommendations”, submission to NIST modes process, 2002, https://pdfs.semanticscholar.org/2c94/f83c8b30bf2da92bf711a73e30c843969199.pdf and the SRTP rationale in https://tools.ietf.org/html/rfc3711#section-7.2.  It is great to see the newer standards choosing security over other considerations like bandwidth and state-minimization, which caused some earlier standards to reject randomized nonces.
>

A good thing with a Randomizer (using the notation in Section 4.4 of draft-mcgrew-iv-gen-03) is that it does not increase bandwidth and that the implementation has a trade-off between small increases in state or processing.

>>
>>I think RFC 5116 should be updated to describe and recommend the nonce construction used in TLS 1.3. First, it would be good if RFC 5116 and current IETF protocols align. Secondly, I think the new nonce construction should be recommended to new protocols (IETF or non-IETF).
>>
>>Cheers,
>>John
>>
>
>I think you are right, RFC 5116 should be recommending randomized nonces.  It also should be discussing nonce-misuse robustness and encouraging use of AES-GCM-SIV and AES-SIV and nonceless algorithms.  There are real-world implementations that get nonce generation wrong, with negative real-world security consequences, as described by Bock https://www.usenix.org/conference/woot16/workshop-program/presentation/bock.    
>

Yes, I agree that 5116bis should describe nonce-less algorithms and encourage use of nonce-misuse-resistant algorithms.

>I made an earlier attempt to recommend better practices around nonce/iv generation in this draft https://tools.ietf.org/html/draft-mcgrew-iv-gen-03, back in 2013, which could be updated to reflect the three new RFCs that you mention.  It seems funny that a draft on nonce generation could be 26 pages long and yet be incomplete :-)    In any case, the text in this draft could be used to support a new RFC with improved nonce guidance.  
>

I think the information in draft-mcgrew-iv-gen is very good and useful. It should be published somehow. As draft-mcgrew-iv-gen is covering IV construction also for non-AEAD algorithms, it might make sense to publish it separately and let RFC5116bis reference it. Alternatively, the information from draft-mcgrew-iv-gen could be included in RFC5116bis.

>I’m interested to hear what others think.
>
>Best
>
>David
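The two nonce constructions contrasted in the thread, written out as an added example; this is not code from the thread, from any of the specifications it cites, or from any TLS implementation. It derives the TLS 1.3 per-direction static IV with HKDF-Expand-Label as RFC 8446 Sections 7.1 and 7.3 specify (the secret PRF(shared secret, public material) part), forms the record nonce as static IV XOR the zero-padded 64-bit sequence number (RFC 8446 Section 5.3), and, for comparison, forms the RFC 5116 Section 3.1 partially implicit nonce whose counter field is sent on the wire. The traffic secret and the fixed field are constructed inputs, and the `Tls13RecordNonces` class and its exhaustion check are my additions, not something either RFC names.

```python
import hashlib
import hmac
import struct

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); empty salt -> HashLen zeros."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 Section 7.1). HkdfLabel is
    uint16 length || opaque label<7..255> ("tls13 " + Label) || opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def tls13_static_iv(traffic_secret: bytes, iv_len: int = 12) -> bytes:
    """write_iv = HKDF-Expand-Label(Secret, "iv", "", iv_length) (RFC 8446 Section 7.3).
    This value never appears on the wire; it is the secret part of every nonce."""
    return hkdf_expand_label(traffic_secret, b"iv", b"", iv_len)


def tls13_nonce(static_iv: bytes, seq: int) -> bytes:
    """RFC 8446 Section 5.3: left-pad the 64-bit sequence number with zeros to
    iv_length and XOR it with the static IV."""
    if not 0 <= seq < 2**64:
        raise ValueError("sequence number must fit in 64 bits")
    padded_seq = seq.to_bytes(len(static_iv), "big")
    return bytes(a ^ b for a, b in zip(static_iv, padded_seq))


def rfc5116_nonce(fixed: bytes, counter: int, nonce_len: int = 12) -> bytes:
    """RFC 5116 Section 3.1 partially implicit nonce: Fixed || Counter.
    The fixed field is established out of band; the counter field is explicit on the wire,
    so a passive observer sees the whole counter and the nonce structure."""
    counter_len = nonce_len - len(fixed)
    return fixed + counter.to_bytes(counter_len, "big")


class Tls13RecordNonces:
    """Hypothetical per-direction nonce state: secret static IV plus record sequence number.
    The sequence number is never allowed to wrap; TLS 1.3 requires rekeying (KeyUpdate)
    before it is exhausted, so exhaustion here is a hard error rather than a reuse."""

    def __init__(self, traffic_secret: bytes):
        self.static_iv = tls13_static_iv(traffic_secret)
        self.seq = 0

    def next_nonce(self) -> bytes:
        if self.seq >= 2**64:
            raise OverflowError("sequence number exhausted: rekey before sending more records")
        nonce = tls13_nonce(self.static_iv, self.seq)
        self.seq += 1
        return nonce


if __name__ == "__main__":
    # Constructed traffic secret; a real one comes from the TLS 1.3 key schedule.
    demo_secret = bytes(range(32))
    gen = Tls13RecordNonces(demo_secret)
    for _ in range(3):
        print("TLS 1.3 nonce:", gen.next_nonce().hex())
    print("RFC 5116 nonce:", rfc5116_nonce(b"\xaa\xbb\xcc\xdd", 1).hex())
```

The HKDF primitives can be checked against the RFC 5869 test vectors before trusting the derived IV. Note what each construction exposes: with the RFC 5116 form, the counter field and hence the low-order part of the nonce are visible to everyone on the path, while in the TLS 1.3 form the sequence number is implicit and the static IV is secret, so the full nonce is never observable, which is the property the 2016/564 analysis relies on. Neither construction tolerates a repeated sequence number, which is why the generator refuses to continue past 2^64 instead of wrapping.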