IETF Logo Mail Archive

Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00

Yoav Nir <ynir.ietf@gmail.com> Thu, 02 April 2015 10:41 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9900B1B2C47 for <ipsec@ietfa.amsl.com>; Thu, 2 Apr 2015 03:41:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZBOti9x_1NxA for <ipsec@ietfa.amsl.com>; Thu, 2 Apr 2015 03:41:18 -0700 (PDT)
Received: from mail-wg0-x233.google.com (mail-wg0-x233.google.com [IPv6:2a00:1450:400c:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 969591B2C3F for <ipsec@ietf.org>; Thu, 2 Apr 2015 03:41:18 -0700 (PDT)
Received: by wgra20 with SMTP id a20so80918493wgr.3 for <ipsec@ietf.org>; Thu, 02 Apr 2015 03:41:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=htvZYC374pLifmtfGPP6CpxuGuPOzxKe99sOyqY1RQw=; b=RzkCvd6I/7+wUz4E5f+lzA9YboVBMTQsNXdKG/FA0Ad3B2Mu8NlUCcnW540FRpMstT BTytyC7CCyuk4m2o+/E0RNRl+7Ec2WCgOO4f1uaTv5XdNeC6JLdS9epIi/yF1vbXVQp9 zNPMP8Rl9bL8LINtwMPPVj61xpQXQHu37vIA+Ka8aXkZkIevJmgO7LqvwJ12ax4WXwkz uOfqX1tiyB0xLVOIj+IUvYO3JX5wgROaabQu7tXMMd7B3lvihRjjtWi59PSsgi8K3o28 gP4JNTfUb0Axj4kdfHra34EqwsCU1bOgGfshp1yizdPB++IGN7l7K4C5zWTxHRtmFfij 5fMA==
X-Received: by 10.180.221.108 with SMTP id qd12mr23563114wic.41.1427971277325; Thu, 02 Apr 2015 03:41:17 -0700 (PDT)
Received: from [172.24.250.177] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id ei8sm29439342wib.10.2015.04.02.03.41.15 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 02 Apr 2015 03:41:16 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <21786.31700.388695.942729@fireball.kivinen.iki.fi>
Date: Thu, 02 Apr 2015 13:41:14 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <AA77E8F4-FDAA-4792-9EDE-778BA1F6C1E0@gmail.com>
References: <20150330133237.21486.80504.idtracker@ietfa.amsl.com> <6E938E70-324A-424E-9D20-7067BD278165@gmail.com> <21786.31700.388695.942729@fireball.kivinen.iki.fi>
To: Tero Kivinen <kivinen@iki.fi>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/wK2JJSomjhxdERkCAwyAB7EGI0s>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2015 10:41:21 -0000

> On Mar 31, 2015, at 1:49 PM, Tero Kivinen <kivinen@iki.fi> wrote:
> 
> Yoav Nir writes:
>> First is the nonce/IV question: In the current draft, there is a
>> 64-bit IV with guidance not to repeat them (so use a counter or
>> LFSR). The function itself accepts a 96-bit input nonce, so the
>> nonce is constructed from the 64-bit IV and 32 zero bits. The reason
>> for doing this is so the algorithm could be used in a multi-sender
>> case such as GDOI, where the 32-bit zero can be replaced by a sender
>> ID. Alternatively, we could generate a 32-bit salt value from the
>> key material, but I don’t see a reason why we’d want that.
> 
> Reserving that 32-bits as sender-ID is fine...
> 
>> Another thing we could do is what some people are advocating for
>> TLS: Since a counter is a fine IV (no need for secrecy), we don’t
>> need a 64-bit IV that has the exact same value as the replay
>> counter. We might as well save 8 bytes per packet and just feed the
>> replay counter to the function. The argument against this is that
>> some crypto modules may have the API set up in such a way that the
>> IVs are generated within the module and could be something other
>> than a counter (like an LFSR). The proposal will break such APIs.
> 
> As Kent explained in the meeting, if you move the IV generation out
> from the crypto operation, then that also moves the FIPS boundary,
> i.e. if the uniqueness of the IV generation (counter) is inside the
> IPsec module, not in the ChaCha20 module, then you need to FIPS
> certify whole thing.
> 
> On the other hand with IPsec I think you mostly need to FIPS certify
> quite a lot of stuff anyways...
> 
> On the other hand, I think it would be possible to do things other way
> around, i.e. make cipher to internally generate IV, but define that IV
> MUST be running counter starting from 0, and use that counter as
> sequence number in the ESP and compress sequence number out from the
> packet. I.e. we would still have IV (coming form inside the crypto
> boundary), but we compress the sequence number away, as it would
> always be the same as IV...
> 
> Currently we cannot do that, as we do not define how the IVs are
> generated, thus the IPsec part cannot know for sure that IVs are
> generated in such way.
> 
> On the other hand if we define this cipher in such way that IV MUST be
> generated such way, then we could make sequence number compression
> option in the future, which would compress sequence number away from
> the actual packet... I.e. gain the same effect, but not compressing
> the IV, but compressing the sequence number...
> 
> This would save 32-bits from the packet, as only 32-bits of the
> sequence number is transmitted, not the full 64-bits, but that would
> still be something, and if even more IV compression is needed, there
> would be ways to only transmit smaller part of the IV and then
> reconstruct it before decryption and verification.
> 
> These compression extensions could happen after ESP encryption and
> before ESP decryption, so the actual ESP packets seen by the engine
> would be exactly same, only difference would be that they would need
> to maintain strict requirement that SEQ matches IV…

Such a compression extension would work fine for both ChaCha20-Poly1305 and AES-GCM at least. Probably the other currently-defined AEAD mode. OK, for now I’ll leave the TBD in, but I won’t change the text.

>> Second issue is about UI advice. Some implementations (yes, mine is
>> included) allow the user to configure encryption algorithm, MAC
>> algorithm, and D-H group. There is no setting for PRF since such UIs
>> date back to IKEv1. The PRF is usually just taken from the setting
>> for MAC algorithm. This works fine as long as all supported MAC
>> algorithms are HMAC, XCBC, and CMAC. AES-GCM would have the same
>> issue, but RFC 5282 makes no mention of this issue. I’m wondering if
>> we should recommend to pair this algorithm in IKE with
>> PRF_HMAC_SHA2_256. 
> 
> There is no need in IKEv2 to tie the PRF to other algorithms, so I see
> no reason to do so in this draft.
> 
> On the other hand the other draft making the UI suite for this will of
> course need to select suitable PRF, but that draft might want to wait
> for new EC curves, so we could have complete DJB suite...
> 
> Btw, in the draft introduction you have text which says:
> 
>   weakness in AES, VPN users will be in an unenviable position.  With
>   the only other widely supported cipher being the much slower 3DES, it
>   is not feasible to re-configure IPsec installations to use 3DES.
>   [standby-cipher] describes this issue and the need for a standby
>   cipher in greater detail.
> 
> I do not think the problem with 3DES is the speed, I think the bigger
> problem is the way too short block length of it. As RFC7321 says:
> 
>   The Triple Data Encryption Standard (TDES) is obsolete because of its
>   small block size; as with all 64-bit block ciphers, it SHOULD NOT be
>   used to encrypt more than one gigabyte of data with a single key
>   [M13].  Its key size is smaller than that of the Advanced Encryption
>   Standard (AES), while at the same time its performance and efficiency
>   are worse.  Thus, its use in new implementations is discouraged.
> 
> With gigabit links that would mean rekeying every ten seconds or so... 

The Create Child SA exchange can be efficiently run every ten seconds or so, and most VPN tunnels are not that saturated. So I think the scale argument is the stronger one. But both arguments lead to the conclusion that you can’t tell someone who uses AES to switch to 3DES because their setup may not be able to take it (rekey often enough or encrypt fast enough), and you can’t tell them to switch to ENCR_CAMELIA_CCM or ENCR_BLOWFISH because peers may not support these algorithms.

Yoav

v2.23.0 | Report a Bug | By Email