IETF Logo Mail Archive

Re: [IPsec] Please review draft-ietf-ipsecme-chacha20-poly1305

"Valery Smyslov" <svanru@gmail.com> Tue, 21 April 2015 16:19 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBCF61AD06B for <ipsec@ietfa.amsl.com>; Tue, 21 Apr 2015 09:19:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.909
X-Spam-Level: *
X-Spam-Status: No, score=1.909 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1BJf8RSZVlSY for <ipsec@ietfa.amsl.com>; Tue, 21 Apr 2015 09:19:44 -0700 (PDT)
Received: from mail-la0-x231.google.com (mail-la0-x231.google.com [IPv6:2a00:1450:4010:c03::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34EDB1AD069 for <ipsec@ietf.org>; Tue, 21 Apr 2015 09:19:44 -0700 (PDT)
Received: by lagv1 with SMTP id v1so155181727lag.3 for <ipsec@ietf.org>; Tue, 21 Apr 2015 09:19:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=dupyvmM56xkqftjiM2IDvSG8avdKV07qDuzlvTKlfik=; b=y165wH+rtrglIcoFBHH2T/MA3hCpfPWGjSH0xUpRTfYuv/WAK3TtNooH9G/DIwxqkd 5PZ8tVDd3CoUvB24tHB2SufnUW3Kf7ahiXrOeeb1jZs/WxL5K/lKTlRjBjEhAyNcIGXs TIeJFOziOlL3WB1fjuOv+WWGnoWreNvhb1DP0nNIOIpJk2NkQgJjFPnSSGNMITtsa0wz 3sJHLfna3jEpvq49hhBJHthHw/pqM0cWueHiq2Hwv7OISUEU9nhbf1L21lqE9EVSGFyD g1WnvO3ka4PnXh1qXRoQ8SzfcC+mVmS/ngFdBNpSuaCzSm2caDrg2rRT0eAQV1TCSZYi N1Fw==
X-Received: by 10.112.170.166 with SMTP id an6mr9859735lbc.118.1429633182607; Tue, 21 Apr 2015 09:19:42 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by mx.google.com with ESMTPSA id x2sm509182laj.8.2015.04.21.09.19.41 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 21 Apr 2015 09:19:41 -0700 (PDT)
Message-ID: <74CD54CA4B3441EC829DB0116C7CDB6E@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: IPsecME WG <ipsec@ietf.org>
References: <4A981ECD-54EE-4C28-93CE-3A138E4AF07F@vpnc.org>
Date: Tue, 21 Apr 2015 19:19:39 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/De46HNR1h4lGXZnxlIVpNSfs5p0>
Cc: Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [IPsec] Please review draft-ietf-ipsecme-chacha20-poly1305
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2015 16:19:46 -0000

Hi,

this is my review of draft-ietf-ipsecme-chacha20-poly1305-02.

I think that the draft is in a good shape. A few issues need to be resolved.



Technical issues.

1. For the question raised in the draft:

    TBD: do we want an extra 32 bits as salt for the nonce like
    in GCM, or keep the salt (=SenderID) at zero?

I prefer to follow GCM-like approach, i.e. to take these 32 bits
from the KEYMAT. It is cryptographically sound and is good
from evaluation point of view - you know where these bits come from.

I understand that it would require some adaptation
for multi-sender case, like in RFC6054, but AFAIK currently
Many-to-Many IPsec SAs are rare and look exotic.
And as RFC6054 states, the nonce is not transferred in packet,
so it is not the best place for SenderID (unlike explicit IV).


2. Section 4.

   When negotiating the ChaCha20-Poly1305 algorithm for use in IKE or
   IPsec, the value xxx (TBA by IANA) should be used in the transform
   substructure of the SA payload as the ENCR (type 1) transform ID.  As
   with other AEAD algorithms, INTEG (type 3) transform substructures
   SHOULD NOT be specified unless at least one of the ENCR transforms is
   non-AEAD.

The last sentence is wrong. Section 3.3 of RFC7296 states:

   Combined-mode ciphers include
   both integrity and encryption in a single encryption algorithm, and
   MUST either offer no integrity algorithm or a single integrity
   algorithm of "NONE", with no integrity algorithm being the
   RECOMMENDED method.

So INTEG either MUST NOT be present in the proposal substructure
containing ChaCha20-Poly1305 or MUST be NONE. And RFC7296
requires not to mix AEAD and non-AEAD algorithms in the same proposal:

   If an initiator wants to propose both combined-
   mode ciphers and normal ciphers, it must include two proposals: one
   will have all the combined-mode ciphers, and the other will have all
   the normal ciphers with the integrity algorithms.




Editorial issues.

1. Section 2, first bullet.

   o  The Initialization Vector (IV) is 64-bit, and is used as part of
      the nonce.  The IV MUST be unique for each SA but does not need to
      be unpredictable.  The use of a counter or an LFSR is RECOMMENDED.

The IV MUST be unique for each invocation (ESP packet or IKEv2 message),
not for each SA.


2. Section 2, last but one bullet:

      *  The length of the additional data in octets (as a 64-bit
         little-endian integer).

"additional data" is a bit vague, please use "Authenticated Additional Data"
(or "AAD") for clarity.


3. Informative References

   [FIPS-46]  National Institute of Standards and Technology, "Data
              Encryption Standard", FIPS PUB 46-2, December 1993,
              <http://www.itl.nist.gov/fipspubs/fip46-2.htm>.

The url is incorrect, it leads to the NIST home page.
I believe the correct url is
http://csrc.nist.gov/publications/fips/archive/fips46-3/fips46-3.pdf
(and it is FIPS 46-3, that superceeded FIPS 46-2).




Minor nits (subjective).

1. Section 1.

I think the main problem with 3DES is not that it is significantly slower
than AES, but that it has blocksize of 64 bits, that is considered
loo small for high-speed networks, when the possibility of birthday attack
leads to necessity to frequently rekey.


2. Section 2.

>From the description of how ESP packet is constructed it is not
absolutely clear what parts of the nonce are explicitely included in
the packet, and what aren't. I guess it is 64 bit IV that is included
and the higher 32 bits (SenderID) - that aren't, but it is not explicitely
stated. I'd prefer to it to be spelled out.


3. Section 3.

The last sentence is too long and refers to different sections in different
documents (this draft and RFC5282). That makes it a bit difficult to follow.
Could you, please, split it into several shorter sentences.


4. Section 5.

The terms "64-bit cipher", "128-bit cipher" and "256-bit cipher"
look like a jargon (and could be mixed up with key length by naive reader).
I'd prefer to use "block cipher with 64-bit block" etc.


5. Section 6.

I think it is worth to instruct IANA that tis document must be referenced
in both ESP and IKEv2 columns of IANA registry.
However it is not strictly necessary since IANA will ask this question 
anyway.


Regards,
Valery Smyslov.

v2.46.0 | Report a Bug | By Email | System Status