Re: [IPsec] AD review of draft-ietf-ipsecme-chacha20-poly1305-08
Yoav Nir <ynir.ietf@gmail.com> Fri, 12 June 2015 19:33 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1B081AD1BA for <ipsec@ietfa.amsl.com>; Fri, 12 Jun 2015 12:33:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8yFUFCZf7yk for <ipsec@ietfa.amsl.com>; Fri, 12 Jun 2015 12:33:44 -0700 (PDT)
Received: from mail-wg0-x242.google.com (mail-wg0-x242.google.com [IPv6:2a00:1450:400c:c00::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72A5D1AD1DB for <ipsec@ietf.org>; Fri, 12 Jun 2015 12:33:43 -0700 (PDT)
Received: by wggx12 with SMTP id x12so2474048wgg.1 for <ipsec@ietf.org>; Fri, 12 Jun 2015 12:33:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=FRlbQh9iev3N7giR251LLWlehO/neFmTYQ5sQLo2/cg=; b=ZejqF6uqRd7Cw6ZB+IcK71s8UV8+DiWYaC6zbNFFW+3a4QpQVIRuiJdwp4QfihK81w vwDMN/8aqkPzAJrGvhENUtI6kUHtKWC4kpLQ6tYcoesESOxc/3Stsqfnef+kqShstnRp bdPsdmQInRIBWCeJIdAbhQSur+f20qLRFFtIuCoe4X+VrcOVFyx9gS1GOD25pr0Ok+PA RuGEVcpMKaj4xVi5yj3ZCJrMjFWHdmknaafQ5QFjM2+89PA7ajvwrBRje9x/bHDmcY2I XDAwlGeZczG8XoB9qet7v/VzpTUiMuWIr9ehlDLi7MAQ354zl7ZLZObbJ2RQkQNhFkcE RRiA==
X-Received: by 10.194.172.130 with SMTP id bc2mr29651728wjc.85.1434137622191; Fri, 12 Jun 2015 12:33:42 -0700 (PDT)
Received: from [192.168.1.17] ([46.120.13.132]) by mx.google.com with ESMTPSA id i6sm7178381wjf.29.2015.06.12.12.33.40 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 12 Jun 2015 12:33:41 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_B85C4A4F-2A2F-4B90-86F9-AC9FBE909113"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CAHbuEH48f8j8Bw+6MKOpoRLAn5gY5r9B9z9GqMuYJTx0ZqCG1A@mail.gmail.com>
Date: Fri, 12 Jun 2015 22:33:38 +0300
Message-Id: <FCD1E008-9172-4D97-A811-9D909DD9D7B5@gmail.com>
References: <CAHbuEH7sXEMAcT1m2ntVsKs8BNstK=LCfQgTx1F46gG=KiqgDQ@mail.gmail.com> <BE9390A6-BFF8-469B-833C-983994E18C71@gmail.com> <CAHbuEH48f8j8Bw+6MKOpoRLAn5gY5r9B9z9GqMuYJTx0ZqCG1A@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/ZnWW5Fvl01SkBFrd5iBnHp8sL78>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-chacha20-poly1305-08
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jun 2015 19:33:45 -0000
> On Jun 12, 2015, at 10:08 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote: > > Hi Yoav, > > Once again, sorry for the delay! My schedule should start to get better in a couple of weeks. > > On Sat, Jun 6, 2015 at 6:03 PM, Yoav Nir <ynir.ietf@gmail.com <mailto:ynir.ietf@gmail.com>> wrote: > Hi, Kathleen. > > Please see below > >> On Jun 6, 2015, at 1:19 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com <mailto:kathleen.moriarty.ietf@gmail.com>> wrote: >> >> Hi, >> >> Sorry this took me a bit of time to get to, I wanted to read through some of the background materials first and have been a bit swamped lately (should clear up soon). Anyway, I have a few comments from my review and also some from a developer. Please don't feel the need to respond over the weekend as I am sending this late on a Friday. >> >> First, thank you very much for your work on this draft. Having a standby cipher n hand is a good thing for algorithm agility. Hopefully we don't need it for some time. >> >> >> Section 2 talks about AEAD_CHACHA20_POLY1305 and makes the statement that the initialization vector (part of the nonce) does not have to be unpredictable. That might be okay for chacha20 as long as you have uniqueness, but I thought POLY1305 required an unpredictable nonce (section 2.5 of rfc7539). It is not entirely clear to me where that value comes from in this description. Please let me know if I am missing something in section 2. > > The Poly1305 function does require a unique key. The way that we generate this unique and unpredictable key is by running the ChaCha20 block function with the same key and nonce, but with the block counter set to zero and using the top 256 bits of the result as the one time key. If ChaCha20 is a valid encryption function that has output indistinguishable from random data, this makes the one-time Poly1305 key unpredictable, even though the nonce is not unpredictable. The text for that is at the bottom of page 3: > > The same key and nonce, along with a block counter of zero are passed > to the ChaCha20 block function, and the top 256 bits of the result > are used as the Poly1305 key. > > Right, but the RFC7539 for POLY1305, the nonce must be unpredictable. If you are feeding in the same nonce used for chacha, then it should also be unpredictable. Ah, I see the source of the confusion. Poly1305 does not get a nonce at all. It gets a one-time key. You could generate this one-time (unpredictable) key in many ways, but the way we do it here is by encrypting the (predictable) nonce using ChaCha20. This is similar to the practice of generating a random 128-bit value, and using that as an AES key, and encrypting a counter to generate unpredictable values (such as initialization vectors). So it’s fine for the nonce to be predictable as long as the encrypted nonce is not. I’ll make the rest of the changes soon. Yoav
- [IPsec] AD review of draft-ietf-ipsecme-chacha20-… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-chach… Yoav Nir
- Re: [IPsec] AD review of draft-ietf-ipsecme-chach… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-chach… Yoav Nir
- Re: [IPsec] AD review of draft-ietf-ipsecme-chach… Kathleen Moriarty