Re: [Cfrg] Salsa20 stream cipher in TLS
Simon Josefsson <simon@josefsson.org> Thu, 21 March 2013 10:27 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7BF321F8DE5; Thu, 21 Mar 2013 03:27:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.909
X-Spam-Level:
X-Spam-Status: No, score=-99.909 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_COM=0.553, HOST_EQ_STATICB=1.372, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HHS2cYP-hdFw; Thu, 21 Mar 2013 03:27:17 -0700 (PDT)
Received: from yxa-v.extundo.com (static-213-115-179-173.sme.bredbandsbolaget.se [213.115.179.173]) by ietfa.amsl.com (Postfix) with ESMTP id 6892221F883E; Thu, 21 Mar 2013 03:27:15 -0700 (PDT)
Received: from latte.josefsson.org (host-95-192-103-177.mobileonline.telia.com [95.192.103.177]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id r2LAQalv018265 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 21 Mar 2013 11:26:42 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C7343D25628@uxcn10-2.UoA.auckland.ac.nz>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:130321:cfrg@irtf.org::AXEYTUj7t32Jh4bg:HU7E
X-Hashcash: 1:22:130321:tls@ietf.org::zxMPnT91mWG2m9Xz:PrUv
X-Hashcash: 1:22:130321:pgut001@cs.auckland.ac.nz::dvlkWYeuAD6jsyyj:K/Jt
Date: Thu, 21 Mar 2013 11:26:31 +0100
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C7343D25628@uxcn10-2.UoA.auckland.ac.nz> (Peter Gutmann's message of "Thu, 21 Mar 2013 05:36:24 +0000")
Message-ID: <87ppytqca0.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.97.3 at yxa-v
X-Virus-Status: Clean
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] Salsa20 stream cipher in TLS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2013 10:27:18 -0000
Peter Gutmann <pgut001@cs.auckland.ac.nz> writes: > It's also a killer roadblock to any new changes in 1.3. Since even the most > trivial change (to get to 1.3) will involve implementing and deploying all of > 1.2, people will keep adding stuff to 1.1 rather than have to go through the > pain of 1.2 in order to add new features. So in that sense you're right, > we're going to keep seeing changes to 1.1 rather than having them added in > 1.3. 1.2 is too big a hurdle for too small a gain. Are people adding stuff to 1.1? My impression is that all serious problems (including renegotiation and the explicit IV problem) are solved in TLS 1.0 too. The problems are solved through specification (think renegotiation) or through implementation fixes (think empty fragments to mimic explicit IVs). For TLS 1.0 and SSL 3.0 to go away, there needs to be a serious enough security problem that is not fixable in TLS 1.0 implementations. I'm not convinced that will happen. We have seen that people will try hard to resolve protocol security problems within TLS 1.0. Thinking about this, perhaps we need a document explaining how to implement TLS 1.0 securely. TLS 1.0 as implemented by RFC 2246 is not secure. The document could say that you need to send bad_record_mac in case of MAC verification failures, and to send empty fragments to combat CBC attacks, and implement renegotiation, and discuss how to combat CBC timing attacks, and something about RC4. And other things I may have forgotten. Right now it seems the knowledge about fixing TLS 1.0 are found in TLS implementations and not discussed in IETF documents. /Simon
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] Salsa20 stream cipher in TLS Jon Callas
- Re: [Cfrg] Salsa20 stream cipher in TLS David McGrew (mcgrew)
- Re: [Cfrg] Salsa20 stream cipher in TLS Jon Callas
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Peter Gutmann
- Re: [Cfrg] Salsa20 stream cipher in TLS Peter Gutmann
- Re: [Cfrg] Salsa20 stream cipher in TLS Simon Josefsson
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir
- Re: [Cfrg] [TLS] Salsa20 stream cipher in TLS Yoav Nir