IETF Logo Mail Archive

[IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00

Yoav Nir <ynir.ietf@gmail.com> Mon, 30 March 2015 14:39 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B083C1A877A; Mon, 30 Mar 2015 07:39:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AJ3Ecac-d8K3; Mon, 30 Mar 2015 07:39:54 -0700 (PDT)
Received: from mail-wi0-x236.google.com (mail-wi0-x236.google.com [IPv6:2a00:1450:400c:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EBE41A1EEE; Mon, 30 Mar 2015 07:39:54 -0700 (PDT)
Received: by wicne17 with SMTP id ne17so34207337wic.0; Mon, 30 Mar 2015 07:39:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=TJCqEykSf0agogng3IQ1ykkWtRFZViBWKsUCW4iDzo0=; b=mpn775ep4h9FoGGoqLDOx/oKlQ+YLFUR4bQsPN9VKVSez2tMLcvg5ZEObnBVVgq1Ws ZMQkt0H0QrHTRtaNkVvL/tgVjzY1EPFZLDCdDLP0G2mHvDYzIQlQNoU/csNcLm2AX0VY XLq8A3t/St9ODXMG8mLWUAjN1gn5BApXjMDQUrcnYLgRKkEschGmVjtAkxAuUQ9yQpwj YP7PJkiBtVmfnLa0cQHDkTCu3QOGPZdi61awXypbhkZQX5tTYkFXs10yrC2l5expn61x hZ1P+47+JUlHfuoyy31tWafN/TUrIl8t4e2sSG9r4jjbbbKjNwgCkAJ2ffVMEo8FFAPy 9DnA==
X-Received: by 10.180.24.233 with SMTP id x9mr23767050wif.9.1427726392790; Mon, 30 Mar 2015 07:39:52 -0700 (PDT)
Received: from [172.24.250.177] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id ch6sm16049304wjc.3.2015.03.30.07.39.50 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 30 Mar 2015 07:39:51 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20150330133237.21486.80504.idtracker@ietfa.amsl.com>
Date: Mon, 30 Mar 2015 17:39:48 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <6E938E70-324A-424E-9D20-7067BD278165@gmail.com>
References: <20150330133237.21486.80504.idtracker@ietfa.amsl.com>
To: internet-drafts@ietf.org
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/VT7rSD50KK-e79drmqhp-ZHhAqA>
Cc: ipsec@ietf.org, i-d-announce@ietf.org
Subject: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2015 14:39:58 -0000

Hi,

There is two questions I would like guidance from the group about.

First is the nonce/IV question: In the current draft, there is a 64-bit IV with guidance not to repeat them (so use a counter or LFSR). The function itself accepts a 96-bit input nonce, so the nonce is constructed from the 64-bit IV and 32 zero bits. The reason for doing this is so the algorithm could be used in a multi-sender case such as GDOI, where the 32-bit zero can be replaced by a sender ID. Alternatively, we could generate a 32-bit salt value from the key material, but I don’t see a reason why we’d want that. Another thing we could do is what some people are advocating for TLS: Since a counter is a fine IV (no need for secrecy), we don’t need a 64-bit IV that has the exact same value as the replay counter. We might as well save 8 bytes per packet and just feed the replay counter to the function.  The argument against this is that some crypto modules may have the API set up in such a way that the IVs are generated within the module and could be something other than a counter (like an LFSR). The proposal will break such APIs.


Second issue is about UI advice. Some implementations (yes, mine is included) allow the user to configure encryption algorithm, MAC algorithm, and D-H group. There is no setting for PRF since such UIs date back to IKEv1. The PRF is usually just taken from the setting for MAC algorithm. This works fine as long as all supported MAC algorithms are HMAC, XCBC, and CMAC. AES-GCM would have the same issue, but RFC 5282 makes no mention of this issue. I’m wondering if we should recommend to pair this algorithm in IKE with PRF_HMAC_SHA2_256.

Thanks

Yoav

v2.23.0 | Report a Bug | By Email