Re: [IPsec] AD review of draft-ietf-ipsecme-chacha20-poly1305-08
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 12 June 2015 19:08 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29E5D1AD05F for <ipsec@ietfa.amsl.com>; Fri, 12 Jun 2015 12:08:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.599
X-Spam-Level:
X-Spam-Status: No, score=-0.599 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KNR_EekB3NWc for <ipsec@ietfa.amsl.com>; Fri, 12 Jun 2015 12:08:21 -0700 (PDT)
Received: from mail-wg0-x22f.google.com (mail-wg0-x22f.google.com [IPv6:2a00:1450:400c:c00::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 174531AD05B for <ipsec@ietf.org>; Fri, 12 Jun 2015 12:08:21 -0700 (PDT)
Received: by wgez8 with SMTP id z8so30335987wge.0 for <ipsec@ietf.org>; Fri, 12 Jun 2015 12:08:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=NVCHsD/f710eiUn6L+p27YgbkkfoCg+yCei7R+Vv1s8=; b=XLQGNFrA0DOP5XBstQzwZQSrNuQYhCtIOmUzD5eA8YcU9/ho9Lyx2H5plE46IZk0vU lEsR4aZH7xUXHF8KScTYtqhjLd9dCMzbNu1yJ94Txa/fifadKI12m+ISV2/b+XO/Bold BWMn9wbLhW9LqIfoLSIahVEGQ87tpWtGzCK64oTGARJeUgO+mEMjeqwRO8R7EdU8nz0r yEhjjpEk7ntWwp+hBYY5vSggxzpDSZUw2jzn1a/bXNtMJqV1ygK5K+E9qeyVyzKbcxFC 5sZDd8HgibUd97XYnLrjW737F/8cnmcbHWluH2eQsJmilN34I3DT0yNoTQ2X3gwEnClD u/3A==
MIME-Version: 1.0
X-Received: by 10.180.86.168 with SMTP id q8mr9408226wiz.80.1434136099795; Fri, 12 Jun 2015 12:08:19 -0700 (PDT)
Received: by 10.28.148.148 with HTTP; Fri, 12 Jun 2015 12:08:19 -0700 (PDT)
In-Reply-To: <BE9390A6-BFF8-469B-833C-983994E18C71@gmail.com>
References: <CAHbuEH7sXEMAcT1m2ntVsKs8BNstK=LCfQgTx1F46gG=KiqgDQ@mail.gmail.com> <BE9390A6-BFF8-469B-833C-983994E18C71@gmail.com>
Date: Fri, 12 Jun 2015 15:08:19 -0400
Message-ID: <CAHbuEH48f8j8Bw+6MKOpoRLAn5gY5r9B9z9GqMuYJTx0ZqCG1A@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="bcaec5555030c9b810051856d41d"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/sV-3jEoH4xYU8XrRgSmEiZIlvFs>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-chacha20-poly1305-08
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jun 2015 19:08:24 -0000
Hi Yoav, Once again, sorry for the delay! My schedule should start to get better in a couple of weeks. On Sat, Jun 6, 2015 at 6:03 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: > Hi, Kathleen. > > Please see below > > On Jun 6, 2015, at 1:19 AM, Kathleen Moriarty < > kathleen.moriarty.ietf@gmail.com> wrote: > > Hi, > > Sorry this took me a bit of time to get to, I wanted to read through some > of the background materials first and have been a bit swamped lately > (should clear up soon). Anyway, I have a few comments from my review and > also some from a developer. Please don't feel the need to respond over the > weekend as I am sending this late on a Friday. > > First, thank you very much for your work on this draft. Having a standby > cipher n hand is a good thing for algorithm agility. Hopefully we don't > need it for some time. > > > Section 2 talks about AEAD_CHACHA20_POLY1305 and makes the statement that > the initialization vector (part of the nonce) does not have to be > unpredictable. That might be okay for chacha20 as long as you have > uniqueness, but I thought POLY1305 required an unpredictable nonce (section > 2.5 of rfc7539). It is not entirely clear to me where that value comes > from in this description. Please let me know if I am missing something in > section 2. > > > The Poly1305 function does require a unique key. The way that we generate > this unique and unpredictable key is by running the ChaCha20 block function > with the same key and nonce, but with the block counter set to zero and > using the top 256 bits of the result as the one time key. If ChaCha20 is a > valid encryption function that has output indistinguishable from random > data, this makes the one-time Poly1305 key unpredictable, even though the > nonce is not unpredictable. The text for that is at the bottom of page 3: > > The same key and nonce, along with a block counter of zero are passed > to the ChaCha20 block function, and the top 256 bits of the result > are used as the Poly1305 key. > > Right, but the RFC7539 for POLY1305, the nonce must be unpredictable. If you are feeding in the same nonce used for chacha, then it should also be unpredictable. > > > o The Initialization Vector (IV) is 64-bit, and is used as part of > the nonce. The IV MUST be unique for each invocation for a > particular SA but does not need to be unpredictable. The use of a > counter or a linear feedback shift register (LFSR) is RECOMMENDED. > > The IANA considerations list ENCR_CHACHA20_POLY1305 as the name of the > algorithm without explanation in the draft. It appears that this was a WG > decision: > https://www.ietf.org/mail-archive/web/ipsec/current/msg09772.html > An explanation might be helpful. Elsewhere in the draft, you just have > AEAD_CHACHA20_POLY1305. > > > Well AEAD_CHACHA20_POLY1305 is the code point already assigned to RFC 7539 > for the algorithm. > > http://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml#aead-parameters-2 > As a side note, I have no idea what that registry is for. It assigns > numeric IDs to algorithms but those numeric IDs are never stored or > transmitted in any protocol. > > ENCR_CHACHA20_POLY1305 is the identifier we are requesting for use within > IKE. Perhaps I should change the last paragraph of section 2 as follows: > OLD: > > The encryption algorithm transform ID for negotiating this algorithm > in IKE is TBA by IANA. > > > NEW: > > The encryption algorithm transform ID for negotiating this algorithm > in IKE is ENCR_CHACHA20_POLY1305 (number is TBA by IANA). > > That's better. It should appear somewhere to explain what it is before the IANA section, thanks! > > > I had another implementer of AEAD_CHACHA20_POLY1305 (but not for IPsec) > read the draft and he commented that he didn't understand the term 'Standby > cipher'. This was clear to me, but I read a lot of drafts. It might be > helpful to expand on that a bit more since this came from a developer. > > > This is strange to me, because the second paragraph of the introduction > both discusses the need for a standby cipher and links to > draft-mcgrew-standby- > <https://tools.ietf.org/html/draft-mcgrew-standby-cipher>cipher. I don’t > know how to clarify this further. > OK, I was fine with the text. We can leave it and see if it comes up by any other reviewer. > > He also requested that it would be helpful if the packet could be laid out > to explain where the IV, ciphertext and tag go. This seems like a > reasonable request and is from a developer. > > > I guess this can be done. I wanted to keep the draft short by minimizing > copying and pasting diagrams from 4303 and 7296, but it’s no great effort. > Thank you! It just makes the draft have more pages and could be helpful to developers. > > Yoav > > -- Best regards, Kathleen
- [IPsec] AD review of draft-ietf-ipsecme-chacha20-… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-chach… Yoav Nir
- Re: [IPsec] AD review of draft-ietf-ipsecme-chach… Kathleen Moriarty
- Re: [IPsec] AD review of draft-ietf-ipsecme-chach… Yoav Nir
- Re: [IPsec] AD review of draft-ietf-ipsecme-chach… Kathleen Moriarty