IETF Logo Mail Archive

Re: [Cfrg] Salsa20 stream cipher in TLS

Jon Callas <jon@callas.org> Wed, 20 March 2013 23:54 UTC

Return-Path: <jon@callas.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCE7421F8CA3 for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2013 16:54:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V2s5QoHNvjOr for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2013 16:54:13 -0700 (PDT)
Received: from mail.merrymeet.com (merrymeet.com [173.164.244.100]) by ietfa.amsl.com (Postfix) with ESMTP id 3901621F8620 for <cfrg@irtf.org>; Wed, 20 Mar 2013 16:54:13 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id 8211024EDA69 for <cfrg@irtf.org>; Wed, 20 Mar 2013 16:54:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at merrymeet.com
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lCFxZRuD-SPG for <cfrg@irtf.org>; Wed, 20 Mar 2013 16:54:12 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id 8D61224EDA4B for <cfrg@irtf.org>; Wed, 20 Mar 2013 16:54:05 -0700 (PDT)
Received: from mab.hardwired ([66.241.70.254]) by keys.merrymeet.com (PGP Universal service); Wed, 20 Mar 2013 16:54:05 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Wed, 20 Mar 2013 16:54:05 -0700
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Jon Callas <jon@callas.org>
In-Reply-To: <747787E65E3FBD4E93F0EB2F14DB556B183EC751@xmb-rcd-x04.cisco.com>
Date: Wed, 20 Mar 2013 16:53:55 -0700
Message-Id: <B94EA423-2CD6-4D38-97EA-CFED7299C19C@callas.org>
References: <747787E65E3FBD4E93F0EB2F14DB556B183EC751@xmb-rcd-x04.cisco.com>
To: David McGrew <mcgrew@cisco.com>
X-Mailer: Apple Mail (2.1503)
X-PGP-Encoding-Format: Partitioned
X-PGP-Encoding-Version: 2.0.2
X-Content-PGP-Universal-Saved-Content-Transfer-Encoding: quoted-printable
X-Content-PGP-Universal-Saved-Content-Type: text/plain; charset=us-ascii
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Cc: Simon Josefsson <simon@josefsson.org>, Jon Callas <jon@callas.org>, "cfrg@irtf.org" <cfrg@irtf.org>, "joachim@secworks.se" <joachim@secworks.se>, Adam Langley <agl@google.com>, "tls@ietf.org" <tls@ietf.org>, Wan-Teh Chang <wtc@google.com>
Subject: Re: [Cfrg] Salsa20 stream cipher in TLS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2013 23:54:18 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mar 20, 2013, at 2:55 AM, David McGrew (mcgrew) <mcgrew@cisco.com> wrote:

> TLSv1.2 barely mentions either GCM or ECC, much less requires their use.
> RFC 5246 says: in the absence of an application profile standard
> specifying otherwise, a TLSv1.2-compliant application MUST implement the
> cipher suite TLS_RSA_WITH_AES_128_CBC_SHA.  No ECC or GCM ciphersuites are
> mentioned in that RFC.  On the flip side, there are benefits in using that
> version; v1.2 allows to use SHA256 in key derivation (PRF) and message
> authentication (HMAC), allows the use of AEAD, and adds other fixes.
> 
> GCM does require a distinct nonce for each encryption operation, which
> makes it vulnerable to "nonce misuse", or makes it tetchy as you say.
> However, this property is a non-issue in TLS, since it is easy to use a
> sequence number as a nonce, and session keys don't persist between
> sessions.   For comparison, Salsa20 and UMAC, both recently mentioned on
> this thread, would also have exactly the same distinct-nonce requirement,
> and essentially RC4 does as well (in the sense that an application that
> mis-manages the RC4 state would likely cause a loss of confidentiality).

I apologize for note being organized in my typing. Let me try again.

Rightly or wrongly, there's a perception both on the implementation end and the deployment end that TLS 1.2 is the "Suite B" version of TLS, that it's mandatory to implement and mandatory to deploy. That this is a misperception is in fact what part of the problem is. I've held many of these misperceptions myself, and if someone as expert as I doesn't grok TLS 1.2, then how is the average developer or sysadmin going to understand?

TLS 1.2 needs some marketing that explains why people want it, and that needs to include reassurance that it doesn't require you to commit to ECC and GCM. Many people out there believe precisely this.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFRSkwdsTedWZOD3gYRAkWSAKCxRRMWVhNq2NF1ihkX17sFU4hqGACgjo/9
RJSto/qI8hZe5T6wz9YBrNQ=
=6tCp
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email