Re: [Cfrg] Salsa20 stream cipher in TLS
Simon Josefsson <simon@josefsson.org> Mon, 18 March 2013 21:17 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E36A321F8FFD; Mon, 18 Mar 2013 14:17:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.909
X-Spam-Level:
X-Spam-Status: No, score=-99.909 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_COM=0.553, HOST_EQ_STATICB=1.372, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8-OU-zyTgi-2; Mon, 18 Mar 2013 14:17:25 -0700 (PDT)
Received: from yxa-v.extundo.com (static-213-115-179-173.sme.bredbandsbolaget.se [213.115.179.173]) by ietfa.amsl.com (Postfix) with ESMTP id BE7C421F897A; Mon, 18 Mar 2013 14:17:24 -0700 (PDT)
Received: from latte.josefsson.org (host-95-192-103-177.mobileonline.telia.com [95.192.103.177]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id r2ILHIBr010090 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 18 Mar 2013 22:17:20 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Adam Langley <agl@google.com>
References: <87ppyxhc6y.fsf@latte.josefsson.org> <747787E65E3FBD4E93F0EB2F14DB556B183EB8AD@xmb-rcd-x04.cisco.com> <87ehfc784a.fsf@latte.josefsson.org> <CAL9PXLy=kDHdUUgkReAaJyLfSrHku4om6=YGri2+U+2iRn9rLw@mail.gmail.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:130318:agl@google.com::xSV2JNAmIvHd9ZVy:04e4
X-Hashcash: 1:22:130318:tls@ietf.org::GTrw17Fe8VdYV7+F:3GPG
X-Hashcash: 1:22:130318:joachim@secworks.se::IYmT3Ten/6vcIFhL:6Q7u
X-Hashcash: 1:22:130318:cfrg@irtf.org::fbVVFNdpH4psAGGb:INax
Date: Mon, 18 Mar 2013 22:17:12 +0100
In-Reply-To: <CAL9PXLy=kDHdUUgkReAaJyLfSrHku4om6=YGri2+U+2iRn9rLw@mail.gmail.com> (Adam Langley's message of "Mon, 18 Mar 2013 16:45:51 -0400")
Message-ID: <87r4jc5rxj.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "joachim@secworks.se" <joachim@secworks.se>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] Salsa20 stream cipher in TLS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2013 21:17:26 -0000
Adam Langley <agl@google.com> writes: > On Mon, Mar 18, 2013 at 4:42 PM, Simon Josefsson <simon@josefsson.org> wrote: >> instead). I don't believe the AEAD mechanism works: there is no field >> to put the MAC in it. > > There's no field for the GHASH tag for AES-GCM either: the > construction of the authentication is opaque to the user of the AEAD > algorithm. If you were to define an AEAD for this then you could > decide where you would like the MAC to know, but it's a property of > the AEAD, not of TLS. Right, agreed. Equally, the content of the ciphertext for a GenericStreamCipher is opaque to TLS, so we could put a nonce in there if that was necessary (but we don't need to). Having stream ciphers expand data is a bit unorthodox, but from a TLS protocol point of view it may work. Some implementation assume there is no message expansion for stream ciphers, but I haven't seen anything in the specification that assumes or require that. >> Yes -- only specifying HMAC-SHA256 was a mistake, and we have included a >> HMAC-SHA1 variant in the working copy. It is not clear to me whether >> keeping HMAC-SHA256 is useful. > > I'm curious why you wouldn't pair Salsa20 with Poly1305, which is the > typical combination. That could be another option. The only reason is that I haven't worked with any implementation of Poly1305, so I'm not that familiar with it. /Simon
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS Jon Callas
- Re: [Cfrg] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Jon Callas
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Peter Gutmann
- Re: [Cfrg] Salsa20 stream cipher in TLS Peter Gutmann
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir