Re: [Cfrg] Salsa20 stream cipher in TLS

Jon Callas <jon@callas.org> Tue, 19 March 2013 23:30 UTC

From: Jon Callas <jon@callas.org>
In-Reply-To: <87fvzrktqr.fsf@latte.josefsson.org>
Date: Tue, 19 Mar 2013 16:30:16 -0700
Message-Id: <DFD6D239-7754-4CA7-A2FD-3735A0D500AB@callas.org>
References: <514862C6.4070809@secworks.se> <747787E65E3FBD4E93F0EB2F14DB556B183EBFA6@xmb-rcd-x04.cisco.com> <CAL9PXLyRn82DCOE3DR+O+t-dAOuynLazcceAtAzM-HdX3O18yw@mail.gmail.com> <CALTJjxG+nobTrSiM2H60-=oJa6Jva-oC29HjkgZmngtMfXM=Qw@mail.gmail.com> <87fvzrktqr.fsf@latte.josefsson.org>
To: Simon Josefsson <simon@josefsson.org>
Cc: Jon Callas <jon@callas.org>, "cfrg@irtf.org" <cfrg@irtf.org>, "joachim@secworks.se" <joachim@secworks.se>, Adam Langley <agl@google.com>, "tls@ietf.org" <tls@ietf.org>, Wan-Teh Chang <wtc@google.com>
Subject: Re: [Cfrg] Salsa20 stream cipher in TLS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mar 19, 2013, at 1:41 PM, Simon Josefsson <simon@josefsson.org> wrote:

> I'm not sure why TLS 1.2 isn't negotiated more often by browsers.  If it
> is an implementation issue, I'm not convinced specifying AEAD ciphers
> for TLS 1.0 and TLS 1.1 will help: they just get another implementation
> issue to implement that instead.  Admittedly, it is a different
> implementation task, so it may be fixed earlier than the other issue,
> but that is difficult to predict.  Generally, it might be better to push
> browser vendors to switch to TLS 1.2 more quickly, then the problem is
> also solved.

There are two reasons. Uncertainty about ECC, and uncertainty about GCM.

We can debate how much the ECC uncertainty is warranted, but lots of people have it. We can also debate the GCM issues, but GCM is tetchy to use properly. And yes, you could always use CCM instead. But most people don't know that CCM is part of TLS 1.2. I didn't know it; I discovered it while writing this note.

The general opinion about TLS 1.2 is that that's the version for Suite B. That's not precisely true. I had that opinion for a while until I learned I was mistaken. However, if you have concerns about either ECC or GCM, then you have concerns about TLS 1.2. I don't know if you can do 1.2 without ECC or GCM.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFRSPUpsTedWZOD3gYRAimEAJ0V1eXYxUqRHxWWNaX1GzZJIIz0ZgCfRBXF
48rWFyQymJ1znyyvWCKO4MY=
=Jh5v
-----END PGP SIGNATURE-----
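The note above ends with the question of whether TLS 1.2 can be run without ECC or GCM. The following is an added example (not part of Jon Callas's message or of any project discussed in the thread) that answers it the way an engineer auditing a cipher list would: it classifies TLS 1.2 cipher-suite names by whether they depend on ECC (ECDHE key exchange or ECDSA authentication) and by AEAD mode, and filters out the ones that need neither ECC nor GCM. The sample suite list is constructed from names defined in RFC 5246 (AES-CBC with SHA-256), RFC 5288 (GCM) and RFC 6655 (CCM); the `audit_local_openssl` helper is an assumption about how one would apply the same classifier to the suites the local OpenSSL build actually offers via Python's `ssl` module.

```python
import re
import ssl

# Constructed sample of IANA cipher-suite names; this is an illustration,
# not any server's real configuration.
SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",   # RFC 5289: ECC + GCM
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",     # RFC 5289: ECC + GCM
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",       # RFC 5288: no ECC, GCM
    "TLS_RSA_WITH_AES_128_CCM",                  # RFC 6655: no ECC, CCM
    "TLS_DHE_RSA_WITH_AES_256_CCM",              # RFC 6655: no ECC, CCM
    "TLS_RSA_WITH_AES_128_CBC_SHA256",           # RFC 5246: no ECC, no AEAD
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",       # RFC 5246: no ECC, no AEAD
    "TLS_RSA_WITH_AES_128_CBC_SHA",              # RFC 5246: also in TLS 1.0/1.1
]


def classify(name):
    """Classify one cipher suite by its name.

    Accepts either IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) or
    OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256); both are normalised to
    underscore-separated tokens before matching.
    """
    n = name.upper().replace("-", "_")
    # ECC dependency: ECDH/ECDHE key exchange or ECDSA signatures.
    needs_ecc = bool(re.search(r"ECDH|ECDSA", n))
    # AEAD mode: GCM or CCM (including the CCM_8 truncated-tag variants).
    if "_GCM_" in n or n.endswith("_GCM"):
        aead = "GCM"
    elif "_CCM" in n:
        aead = "CCM"
    else:
        aead = None
    # TLS 1.2 introduced AEAD suites and the SHA-256/SHA-384 HMAC suites;
    # suites ending in plain _SHA already existed in TLS 1.0/1.1.
    tls12_only = aead is not None or bool(re.search(r"_SHA(256|384)$", n))
    return {"name": name, "needs_ecc": needs_ecc, "aead": aead,
            "tls12_only": tls12_only}


def suites_without_ecc_or_gcm(names):
    """Return the TLS 1.2-only suites that need neither ECC nor GCM."""
    out = []
    for name in names:
        c = classify(name)
        if c["tls12_only"] and not c["needs_ecc"] and c["aead"] != "GCM":
            out.append(name)
    return out


def audit_local_openssl():
    """Apply the classifier to the suites the local OpenSSL build offers.

    Assumption: ssl.SSLContext.get_ciphers() returns dicts whose 'name' is
    the OpenSSL cipher name; results depend on the installed OpenSSL.
    """
    ctx = ssl.create_default_context()
    names = [c["name"] for c in ctx.get_ciphers()]
    return suites_without_ecc_or_gcm(names)


if __name__ == "__main__":
    print("Sample suites usable in TLS 1.2 without ECC or GCM:")
    for s in suites_without_ecc_or_gcm(SAMPLE_SUITES):
        print("  ", s)
    print("Local OpenSSL suites in the same category:")
    for s in audit_local_openssl():
        print("  ", s)
```

Running it on the constructed sample leaves the two CCM suites and the two AES-CBC-with-SHA-256 suites, which is the concrete answer to the closing question: TLS 1.2 defines suites that avoid both ECC and GCM, though whether a given peer offers them is what the local audit is for.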