[Cfrg] problems with draft-josefsson-salsa20-tls-02
David McGrew <mcgrew@cisco.com> Wed, 14 August 2013 20:32 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B09F211E817E for <cfrg@ietfa.amsl.com>; Wed, 14 Aug 2013 13:32:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cGdsKq5dBEmj for <cfrg@ietfa.amsl.com>; Wed, 14 Aug 2013 13:32:38 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id A926B11E8159 for <cfrg@irtf.org>; Wed, 14 Aug 2013 13:32:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6428; q=dns/txt; s=iport; t=1376512360; x=1377721960; h=message-id:subject:from:to:cc:date:in-reply-to: references:mime-version:content-transfer-encoding; bh=PJIY2iMweEoEQyal5HoPfKwRJucla9vGA8l+EJ/wAdw=; b=FMyWWotEKI4tZG5ep9ixOyTPefVxho9dzzKgw8jxVlSdXgOZ/tTdWcX1 e8fooGCPK9eZys36axB33qQ1DkZ8nQ8ZGU9KUYjS4RiKyC6IoEwa/7SB4 j92g3Kiq6YoplVyLVve3YXluaUhkSZagVVR3QnLKpY5hEzsSslYBULbH2 o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqoGABvoC1KtJV2b/2dsb2JhbABbgwY1g2moBwGTdYEkFm0HgiQBAQEBAQIBAQEgBAsBOwsQHgUCAiYCAicwBhMJiAcMp0aRPYEpjB6BMYFYB4JogSoDmRGEfIYFhSSDNyA
X-IronPort-AV: E=Sophos;i="4.89,879,1367971200"; d="scan'208";a="244401175"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-9.cisco.com with ESMTP; 14 Aug 2013 20:32:38 +0000
Received: from [10.0.2.15] (rtp-mcgrew-8913.cisco.com [10.117.10.228]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r7EKWaLs011518; Wed, 14 Aug 2013 20:32:36 GMT
Message-ID: <1376512356.16950.360.camel@darkstar>
From: David McGrew <mcgrew@cisco.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Wed, 14 Aug 2013 16:32:36 -0400
In-Reply-To: <3C4AAD4B5304AB44A6BA85173B4675CAB247161D@MSMR-GH1-UEA03.corp.nsa.gov>
References: <3C4AAD4B5304AB44A6BA85173B4675CAB247161D@MSMR-GH1-UEA03.corp.nsa.gov>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.4.4-3
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [Cfrg] problems with draft-josefsson-salsa20-tls-02
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 20:32:42 -0000
This draft lists two motivations: RC4 security is inadequate, and the performance of the symmetric cryptography in other ciphersuites is inadequate. I agree with the first premise, and the authors deserve kudos for raising and starting to address the issue. However, the second premise is questionable. The draft cites [AEAD-PERFORMANCE], and that reference shows that the performance of AES-GCM and AES-CCM are suboptimal in some scenarios, not that they are inadequate. The draft ought to cite some other work such as [1] to provide a broader viewpoint on ciphersuite performance and deployment considerations of new ciphersuites. If it is the case that SALSA20 and UMAC (or POLY1305) compellingly outperform existing ciphersuites on some particular client environments and server environments, the draft should document the particulars. The security question that we should be considering is: are the authenticated encryption schemes defined in this draft sound? The strategy used in this draft is to rely on the "generic composition" framework provided by TLS: a new GenericStreamCipher is defined and is used at the same time as a TLS MAC algorithm, which is either the conventional TLS HMAC or the new TLS UMAC algorithm defined in this draft. Thus, there is a merely a loose binding between authentication and encryption, and a potential opportunity for a side channel attack like the ones described in [CBC-ATTACK]. The draft recognizes the value of resisting side channel attacks, but the loose binding approach works against that goal. Instead of defining a GenericStreamCipher, the draft should define an AEAD algorithm, which would close the door on that sort of vulnerability. One of the motivations for not using the TLS GenericAEADCipher mechanism is that it appears only in TLSv1.2. However, the draft proposes extensions to both the GenericStreamCipher and MAC algorithms used by TLSv1.0 and TLSv1.1, and it would be no more intrusive to those protocols to define the use of GenericAEADCipher in them. Using the same AEAD mechanism for versions 1.0, 1.1, and 1.2 would result in smaller and less complex implementation. There is ongoing work on authenticated encryption which this draft is not taking advantage of, e.g. [2]. This could be a missed opportunity; if the IETF is publishing new authenticated encryption schemes for TLS, they should improve on the existing schemes. For instance, the ciphersuites in the draft do not provide any misuse resistance; they have the same properties with respect to IV/nonce misuse as does AES-GCM. Granted that many GCM implementations successfully avoid misuse, but several observers have identified misuse resistance as a desirable property for future AEAD methods. (See for instance [3] and RFC 5297.) A draft using an AEAD method based on SALSA20 that provides misuse resistance of some kind would be more useful, and would be less likely to become obsolete in the near future. Some more minor points below: The draft has no mechanism to allow multiple encrypters to work in parallel, such as is provided in Section 6.2 of RFC5288. Previous AEAD work has chosen to not use the sequence number provided by TLS (and other protocols) because of a lack of assurance that those values will be unique. This draft does use those sequence numbers, which enables its ciphersuites to have less data overhead, but introducing a potential vulnerability through mismanagement of sequence numbers by TLS implementations. Slide 16 shown at IETF87 presents the shorter MAC size as having less data overhead as compared with existing ciphersuites. This is true, but if compactness is a goal, AEAD schemes with less overhead could be used instead. (Some are defined already at [3].) I don't have anything against SALSA20, nor am I the best person to assess its quality as a pseudorandom function. David, speaking as a research group member and not a research group co-chair [1] Gueron, S. AES-GCM for Efficient Authenticated Encryption - Ending the Reign of HMAC-SHA-1? Workshop on Real-World Cryptography, 2013. [2] http://2013.diac.cr.yp.to/ [3] http://hyperelliptic.org/DIAC/slides/DIAC-mcgrew.pdf [4] IANA AEAD Registry, http://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml On Thu, 2013-08-08 at 19:45 +0000, Igoe, Kevin M. wrote: > The TLS WG has asked the CFRG for their opinion for a stream cipher, > eSTREAM-SALSA20, and two MAC algorithms, UMAC and POLY1305, that have > been suggested for use in TLS (draft-josefsson-salsa20-tls-02). This > was presented to the TLS WG at IETF-87, slides can be found at > http://www.ietf.org/proceedings/87/slides/slides-87-tls-2.pdf. > The SALSA family works on blocks of 512 bits, and forms a key stream > in 512-bit blocks by applying a fixed map V^{512}->V^{512} to an input > consisting of the key (either 16 octets or 32 octets), an 8-octet > block counter, an 8-octet IV, and 16 constant octets. > > SALSA20 was one of the five finalists for a software stream cipher in > the eSTREAM contest run by ECRYPTII (see > http://www.ecrypt.eu.org/stream/). > > UMAC has been around since 1999 and is described in RFC 4418. > > POLY1305 first showed up as POLY1305-AES, but all it needs from AES is > a 16 byte block of output. Adapting this to SALSA is straightforward. > The 1305 in the name reflects the fact that it uses arithmetic modulo > 2^{130} – 5. See http://cr.yp.to/mac/poly1305-20050329.pdf > for a description of poly1305-AES. > > Off the top of my head, the only objection I can see is that SALSA may > be difficult to implement efficiently in hardware. Hardware TLS > acceleration can be useful at heavily utilized servers. > > The most current attempt to attack SALSA that I could find is a 2012 > paper on the IACR > e-print server. > > ----------------+-------------------------------------------------- > Kevin M. Igoe | "We can't solve problems by using the same kind > kmigoe@nsa.gov | of thinking we used when we created them." > | - Albert Einstein - > ----------------+-------------------------------------------------- > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg
- Re: [Cfrg] Task for the CFRG zooko
- [Cfrg] Task for the CFRG Igoe, Kevin M.
- Re: [Cfrg] Task for the CFRG Ted Krovetz
- Re: [Cfrg] Task for the CFRG Blumenthal, Uri - 0558 - MITLL
- [Cfrg] theoretical question ... RE: Task for the … Dan Brown
- Re: [Cfrg] Task for the CFRG David McGrew
- [Cfrg] problems with draft-josefsson-salsa20-tls-… David McGrew
- Re: [Cfrg] Task for the CFRG Ben Laurie
- Re: [Cfrg] Task for the CFRG Paul Hoffman
- Re: [Cfrg] Task for the CFRG Joachim Strömbergson
- Re: [Cfrg] problems with draft-josefsson-salsa20-… Nikos Mavrogiannopoulos
- Re: [Cfrg] problems with draft-josefsson-salsa20-… zooko
- Re: [Cfrg] problems with draft-josefsson-salsa20-… David McGrew
- Re: [Cfrg] problems with draft-josefsson-salsa20-… Nikos Mavrogiannopoulos