Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS

"David McGrew (mcgrew)" <mcgrew@cisco.com> Tue, 19 March 2013 13:36 UTC

From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: "joachim@secworks.se" <joachim@secworks.se>, Adam Langley <agl@google.com>
Date: Tue, 19 Mar 2013 13:36:06 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B183EBFA6@xmb-rcd-x04.cisco.com>
In-Reply-To: <514862C6.4070809@secworks.se>
Cc: Simon Josefsson <simon@josefsson.org>, "cfrg@irtf.org" <cfrg@irtf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS

Hi Joachim,

On 3/19/13 9:06 AM, "Joachim Strömbergson" <joachim@secworks.se> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Aloha!
>
>On 2013-03-18 21:45 , Adam Langley wrote:
>> I'm curious why you wouldn't pair Salsa20 with Poly1305, which is
>> the typical combination.
>
>Is poly1305 widely used?

I think that's the wrong question to ask when considering a MAC based on
universal hashing, since the security of such constructs is well
understood.  

>Would it be advantageous for adoption and
>approval of Salsa20 in TLS to also introduce poly1305?

If one of the motivations for adopting Salsa20 is that it is
computationally cheap (fast in software, small circuit, low power
consumption) then it definitely makes sense to pair it with an
authenticator with the same properties.  It will be important to make sure
that the performance is adequate on all of the processors under
consideration.  Many universal hash functions have a performance that is
closely linked to that of the 32-, 64-, or 128-bit multiplication operation,
which varies widely across CPUs.

>
>My gut feeling is/was that trying to just provide a really good
>alternative to RC4 would be easiest to do and get adoption for.

Well, AES-GCM is certainly a good alternative to RC4 and CBC.  It is
security-conservative, already specified in TLSv1.2 and implemented in
many places, performs very well on dedicated hardware and performs
adequately otherwise, and is approved for use in FIPS-140.

David

>
>- -- 
>Med vänlig hälsning, Yours
>
>Joachim Strömbergson - Alltid i harmonisk svängning.
>========================================================================
> Joachim Strömbergson          Secworks AB          joachim@secworks.se
>========================================================================
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
>Comment: GPGTools - http://gpgtools.org
>Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
>iEYEARECAAYFAlFIYsYACgkQZoPr8HT30QEavwCg04uHLG2XSgTRHt2fL9NZdMft
>FM4AoIlRvzHPPzwnjHe4yKkYOjm9q6Bo
>=ddOd
>-----END PGP SIGNATURE-----
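Added example, not part of the thread above: a direct Python implementation of the Poly1305 authenticator that Adam Langley and David McGrew refer to, written from RFC 8439 (an assumption for the reader: the message itself never names the RFC). It separates the universal-hash step (polynomial evaluation at a secret point r modulo 2^130-5) from the one-time pad s that turns the hash into a MAC, which is the structure David's "MAC based on universal hashing" remark is about. The RFC's published test vector is embedded so the block checks itself offline; the key-reuse helper at the end is an added illustration of why the (r, s) pair must be used for exactly one message.

```python
"""Poly1305 one-time authenticator, written from RFC 8439 section 2.5 as an
illustration of a universal-hash-based MAC.  This is example code added to the
archived thread, not code from its authors; the test vector is RFC 8439's."""

import hmac

P = (1 << 130) - 5                               # prime the polynomial is evaluated over
R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF     # clears bits so fast implementations
                                                 # can delay carries (RFC 8439, 2.5)


def poly1305_hash(r: int, msg: bytes) -> int:
    """Universal hash: h = sum_i c_i * r^(n-i+1) mod 2^130-5 via Horner's rule.

    Each 16-byte block (the last one may be shorter) is read little-endian with
    a 0x01 byte appended, so blocks of different lengths give distinct
    coefficients and a message cannot be silently extended with zeros.
    """
    acc = 0
    for i in range(0, len(msg), 16):
        c = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = (acc + c) * r % P
    return acc


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """16-byte tag under a 32-byte ONE-TIME key: key[:16] -> r, key[16:] -> s."""
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    # s is a one-time pad over the hash; keep the low 128 bits of the sum
    tag = (poly1305_hash(r, msg) + s) & ((1 << 128) - 1)
    return tag.to_bytes(16, "little")


def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time (never compare tags with ==)."""
    return hmac.compare_digest(poly1305_mac(key, msg), tag)


def tag_difference_under_key_reuse(key: bytes, m1: bytes, m2: bytes) -> tuple:
    """Why the key is one-time: with the same (r, s) for two messages the pad s
    cancels, and tag1 - tag2 mod 2^128 equals h(m1) - h(m2) mod 2^128, which
    depends only on r and the two messages.  Returns (tag_diff, hash_diff)."""
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    t1 = int.from_bytes(poly1305_mac(key, m1), "little")
    t2 = int.from_bytes(poly1305_mac(key, m2), "little")
    mask = (1 << 128) - 1
    return ((t1 - t2) & mask,
            (poly1305_hash(r, m1) - poly1305_hash(r, m2)) & mask)


# RFC 8439 section 2.5.2 test vector (the one published vector, not constructed)
RFC8439_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                            "0103808afb0db2fd4abff6af4149f51b")
RFC8439_MSG = b"Cryptographic Forum Research Group"
RFC8439_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    assert poly1305_mac(RFC8439_KEY, RFC8439_MSG) == RFC8439_TAG
    print("RFC 8439 Poly1305 vector OK")
```

In a Salsa20-Poly1305 pairing the 32-byte key is not a long-term secret but is taken fresh from the stream cipher's keystream for each message, which is what makes the one-time requirement practical; the plain big-integer arithmetic here is for clarity, and the per-CPU performance differences David mentions come from how the 130-bit multiply is split into 32- or 64-bit limbs in real implementations.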