[Cfrg] WG last call on latest OCB draft.

"Igoe, Kevin M." <kmigoe@nsa.gov> Wed, 12 June 2013 13:48 UTC

From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Wed, 12 Jun 2013 13:48:00 +0000
Message-ID: <3C4AAD4B5304AB44A6BA85173B4675CAB24340B0@MSMR-GH1-UEA03.corp.nsa.gov>
References: <alpine.WNT.2.00.1306031235280.6196@RogawaySamsung9> <810C31990B57ED40B2062BA10D43FBF518BD79@XMB111CNC.rim.net> <20130604190104.GA29597@randombit.net>
In-Reply-To: <20130604190104.GA29597@randombit.net>
Cc: "'rogaway@cs.ucdavis.edu'" <rogaway@cs.ucdavis.edu>
Subject: [Cfrg] WG last call on latest OCB draft.

OK, it looks like the debate over working the tag length into AEAD
encryption has reached either consensus or exhaustion.
Here is where I think we stand:

1) Working the tag length into either the KDF or encryption
   process is a prudent precaution because, at the very least,
   it simplifies the security analysis and guards against
   implementation errors.  Future AEAD modes should STRONGLY
   consider doing this.

2) OCB is too widespread to make such a substantive change at
   this late date.

3) The changes made in the current OCB draft aren't substantive,
   they merely correct errors in the exposition.

Therefore I want to make an RG last call on draft-irtf-cfrg-ocb-02.
I'll start off the discussion by putting on the floor a motion that
the RG accept draft-irtf-cfrg-ocb-02 as it stands. Discussion?
Don't be shy. How do the RG and the authors feel about Dan Brown's
suggestion to insert some text explicitly prohibiting using the same
key with different OCB lengths?

> -----Original Message-----
> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of
> Jack Lloyd
> Sent: Tuesday, June 04, 2013 3:01 PM
> To: cfrg@irtf.org
> Subject: Re: [Cfrg] Attacker changing the tag length in OCB
> 
> On Tue, Jun 04, 2013 at 05:49:06PM +0000, Dan Brown wrote:
> 
> > If the intent of the OCB spec is not to allow variable tag lengths,
> > then I think the spec needs greater emphasis, especially in view of
> > some IETF common practices and viewpoints (**).  So, the spec should
> > somewhere say
> [...]
> > (**) For example, TLS allows one public key per multiple different
> > cipher suites (not sure if it allows pre-shared key with different
> > cipher suites).
> 
> To address TLS-PSK specifically - using a single PSK with several
> different cipher suites is allowed, though as the actual symmetric
> keys are derived from both the PSK and the client and server nonces
> (and, optionally, a DH/ECDH key exchange), the actual OCB key would
> never be reused in a different context, or even in a different session
> with the same parameter set.
> 
> -Jack
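Point 1 above argues for working the tag length into the key derivation. The following is an added illustration, not code from the OCB draft or from anyone in the thread: a toy encrypt-then-MAC AEAD (deliberately not OCB; a SHA-256 counter-mode keystream and a truncated HMAC tag stand in for the block-cipher construction) whose short tags, like OCB's, are prefixes of the full-width tag. `derive_keys` either ignores the tag length (the key-reuse pattern Dan Brown's question is about) or folds it into the HKDF info string. `cross_length_replay` shows what the binding buys: a message sealed under a 128-bit tag and truncated by an attacker is accepted by a 64-bit-tag receiver sharing the same master key when the length is not bound, and rejected when it is. All key material, nonces and messages are constructed sample values; the function and parameter names are this example's own.

```python
import hashlib
import hmac

# Constructed, fixed inputs so the demo is deterministic (not real key material).
MASTER_KEY = bytes(range(32))
NONCE = b"\x00" * 11 + b"\x01"           # 96-bit nonce
AD = b"header: constructed sample"
PLAINTEXT = b"attack at dawn"


def hkdf_sha256(ikm, info, length, salt=b""):
    """RFC 5869 HKDF (extract-then-expand) with HMAC-SHA256, stdlib only."""
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(master, taglen, bind_taglen):
    """Return (encryption key, MAC key) for one tag length.

    bind_taglen=True puts the tag length into the HKDF info string, so each
    tag length gets independent keys (the precaution in point 1).
    bind_taglen=False hands the same keys to every tag length, which is the
    reuse the thread is worried about.
    """
    info = b"toy-aead"
    if bind_taglen:
        info += b"|taglen=" + str(taglen).encode()
    okm = hkdf_sha256(master, info, 64)
    return okm[:32], okm[32:]


def _keystream(k_enc, nonce, n):
    """Counter-mode keystream from SHA-256; a stand-in for the block cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(k_enc + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def _tag(k_mac, nonce, ad, ct, taglen):
    """Full-width MAC truncated to taglen bits. Shorter tags are prefixes of
    longer ones, as in OCB, which is what makes cross-length key reuse risky."""
    msg = len(ad).to_bytes(8, "big") + ad + nonce + ct
    return hmac.new(k_mac, msg, hashlib.sha256).digest()[: taglen // 8]


def seal(master, nonce, ad, pt, taglen, bind_taglen):
    """Encrypt-then-MAC; returns (ciphertext, tag)."""
    k_enc, k_mac = derive_keys(master, taglen, bind_taglen)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k_enc, nonce, len(pt))))
    return ct, _tag(k_mac, nonce, ad, ct, taglen)


def open_(master, nonce, ad, ct, tag, taglen, bind_taglen):
    """Receiver side. taglen is local policy, never read from the message."""
    if len(tag) != taglen // 8:
        return None
    k_enc, k_mac = derive_keys(master, taglen, bind_taglen)
    if not hmac.compare_digest(tag, _tag(k_mac, nonce, ad, ct, taglen)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def cross_length_replay(bind_taglen):
    """A sender uses 128-bit tags; another receiver sharing the same master key
    is configured for 64-bit tags. The attacker forwards the sender's message
    with its tag truncated to 64 bits. Returns True if the receiver accepts."""
    ct, tag128 = seal(MASTER_KEY, NONCE, AD, PLAINTEXT, 128, bind_taglen)
    forwarded_tag = tag128[:8]
    return open_(MASTER_KEY, NONCE, AD, ct, forwarded_tag, 64, bind_taglen) is not None


if __name__ == "__main__":
    print("tag length ignored by KDF, truncated tag accepted:", cross_length_replay(False))
    print("tag length bound into KDF, truncated tag accepted:", cross_length_replay(True))
```

Note what the binding does and does not buy: it makes the two tag-length contexts behave as if they used unrelated keys, so a tag observed in one context says nothing about tags in the other. It does not rescue a receiver that lets the message header dictate the tag length, which is why `open_` takes `taglen` from local policy. RFC 7253, as eventually published, took the other route named in point 1 and encodes TAGLEN in the nonce block rather than in the key.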