Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS

"David McGrew (mcgrew)" <mcgrew@cisco.com> Mon, 18 March 2013 21:23 UTC

From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Mon, 18 Mar 2013 21:23:54 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B183EB9F6@xmb-rcd-x04.cisco.com>
In-Reply-To: <514772CE.4060300@gnutls.org>
Cc: Simon Josefsson <simon@josefsson.org>, "cfrg@irtf.org" <cfrg@irtf.org>, "joachim@secworks.se" <joachim@secworks.se>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS

Hi Nikos,

On 3/18/13 4:02 PM, "Nikos Mavrogiannopoulos" <nmav@gnutls.org> wrote:

>On 03/18/2013 08:23 PM, David McGrew (mcgrew) wrote:
>
>> Hi Simon,
>> 
>> On 3/17/13 6:51 PM, "Simon Josefsson" <simon@josefsson.org> wrote:
>> 
>>> All,
>>>
>>> FYI, we have published -00 of a draft that describes how the Salsa20
>>> stream cipher can be added to TLS and DTLS, see:
>>>
>>> http://tools.ietf.org/html/draft-josefsson-salsa20-tls
>>>
>>> While we are not asking for WG adoption of this draft now, we are at a
>>> point where we would like to invite external review and solicit
>>> feedback.  
>> 
>> Some early feedback; copied CFRG.  It would be good to have review from
>> that community.
>> It is not exactly clear what problem is being addressed by this work.
>
>
>As I understand it, the requirement is a fast stream cipher that can be
>used for TLS and DTLS and doesn't have the issues RC4 has [0].
>
>[0]. http://home.hiroshima-u.ac.jp/ohigashi/rc4/index.html

Yes, I'm well aware of the RC4 issues and I support its deprecation.

>
>> Some more detailed comments, quoting from the draft:
>
>> What are the performance concerns?   I suggest citing some relevant
>> performance data.
>
>
>The GCM mode does require special instructions to achieve performance
>close to (but often not better than) RC4 on general-purpose CPUs. The stream
>ciphers from the eSTREAM competition outperform RC4 without any hardware
>assistance.

The appropriate comparison would include both authentication and
encryption, so comparisons to "naked" stream ciphers are misleading.  And
I strongly encourage actual performance comparisons on target platforms.

>
>>   Because the GenericStreamCipher definition in TLS does not provide
>>    any way to transport the Salsa20 nonce that is required for
>>    functionality and needed to provide the random access property, we
>>    let the output from the stream cipher operation be the concatenation
>>    of the IV and the encrypted data.
>> Please, define a Salsa20-based AEAD mechanism instead of a new TLS
>>format!
>
>
>The GenericStreamCipher mode is sufficient for this mode. It just
>requires defining how to set the nonce. I think using the AEAD would
>complicate things rather than provide any practical advantage.

I respectfully disagree.

David

>
>regards,
>Nikos
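The two record layouts argued over above, as an added example that is not code from draft-josefsson-salsa20-tls, GnuTLS, or either correspondent: layout 1 is a GenericStreamCipher-style record with the Salsa20 nonce prepended to MAC-then-encrypted data (the "IV || encrypted data" form quoted from the draft), layout 2 is an AEAD-style record of the kind McGrew asks for, built here by generic encrypt-then-MAC composition with the TLS 1.2 header as additional data. The assumptions are mine: an 8-byte nonce, HMAC-SHA256 as the authenticator (the draft's MAC and the AEAD construction McGrew has in mind are not specified on this page), a pure-Python Salsa20/20 core written from the published specification, and the exact byte layouts. Both layouts pay for authentication as well as encryption, which is the comparison McGrew says a fair benchmark must include; the AEAD form additionally rejects a forged record before any decryption happens.

```python
import hashlib
import hmac
import struct

# Added example, not code from draft-josefsson-salsa20-tls or the thread above.
# Assumptions: 8-byte nonce, HMAC-SHA256 tag, 32-byte Salsa20 key, byte layouts
# modelled on TLS 1.2 GenericStreamCipher (MAC-then-encrypt) and AEADCiphered
# (seq_num || type || version || length as additional data).

MASK32 = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
NONCE_LEN = 8
TAG_LEN = 32


def _rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK32


def _quarterround(x, a, b, c, d):
    x[b] ^= _rotl((x[a] + x[d]) & MASK32, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK32, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK32, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK32, 18)


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    s = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
         counter & MASK32, (counter >> 32) & MASK32,
         SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    x = list(s)
    for _ in range(10):  # 10 double rounds (column round, then row round) = 20 rounds
        _quarterround(x, 0, 4, 8, 12); _quarterround(x, 5, 9, 13, 1)
        _quarterround(x, 10, 14, 2, 6); _quarterround(x, 15, 3, 7, 11)
        _quarterround(x, 0, 1, 2, 3); _quarterround(x, 5, 6, 7, 4)
        _quarterround(x, 10, 11, 8, 9); _quarterround(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(x[i] + s[i]) & MASK32 for i in range(16)])


def salsa20_xor(key, nonce, data, counter=0):
    """XOR data with keystream; the 64-bit block counter gives random access."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, counter + off // 64)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)


def _header(seq, ctype, version, length):
    # seq_num || type || version || length, as TLS 1.2 feeds to the MAC / AEAD
    return struct.pack(">QBHH", seq, ctype, version, length)


# --- Layout 1: GenericStreamCipher, nonce prepended, MAC-then-encrypt ---------
def stream_protect(enc_key, mac_key, nonce, seq, ctype, version, plaintext):
    mac = hmac.new(mac_key, _header(seq, ctype, version, len(plaintext)) + plaintext,
                   hashlib.sha256).digest()
    return nonce + salsa20_xor(enc_key, nonce, plaintext + mac)


def stream_unprotect(enc_key, mac_key, seq, ctype, version, record):
    nonce, body = record[:NONCE_LEN], record[NONCE_LEN:]
    decrypted = salsa20_xor(enc_key, nonce, body)  # must decrypt before checking
    if len(decrypted) < TAG_LEN:
        raise ValueError("record too short")
    plaintext, mac = decrypted[:-TAG_LEN], decrypted[-TAG_LEN:]
    expected = hmac.new(mac_key, _header(seq, ctype, version, len(plaintext)) + plaintext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad_record_mac")
    return plaintext


# --- Layout 2: AEAD-style, encrypt-then-MAC over header, nonce and ciphertext --
def aead_protect(enc_key, mac_key, nonce, seq, ctype, version, plaintext):
    ciphertext = salsa20_xor(enc_key, nonce, plaintext)
    aad = _header(seq, ctype, version, len(plaintext))
    tag = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def aead_unprotect(enc_key, mac_key, seq, ctype, version, record):
    if len(record) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    nonce, ciphertext, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    aad = _header(seq, ctype, version, len(ciphertext))
    expected = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad_record_mac")  # rejected before any decryption
    return salsa20_xor(enc_key, nonce, ciphertext)


if __name__ == "__main__":
    # Constructed sample keys and nonce; a nonce must never repeat under one key.
    ek, mk, nonce = bytes(range(32)), bytes(range(32, 64)), b"\x00" * 7 + b"\x01"
    for name, protect in (("stream", stream_protect), ("aead", aead_protect)):
        rec = protect(ek, mk, nonce, 1, 23, 0x0303, b"application data")
        print(name, len(rec), rec.hex())
```

Both records are the same size here (nonce, data, 32-byte tag) and the encrypted data bytes are identical, since both XOR the plaintext with the same keystream prefix; the difference is what the tag covers and when it is checked. In layout 1 the receiver has to run the cipher over the whole body before it can decide whether the record is genuine, and the nonce itself is outside the MAC; in layout 2 the sequence number, header, nonce and ciphertext are all under the tag and a forged or replayed record is dropped without touching the cipher.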