Re: [kitten] considering abandoning CTS mode (Re: I-D Action:draft-ietf-kitten-aes-cts-hmac-sha2-01.txt)

Nico Williams <nico@cryptonector.com> Thu, 15 August 2013 17:34 UTC

In-Reply-To: <E0DABA8F-493C-45C1-B909-3383A6B28E25@tycho.ncsc.mil>
References: <5674376E76F88641AD3748A64F0996971AAA4F35@TK5EX14MBXC285.redmond.corp.microsoft.com> <tsly584dyzt.fsf@mit.edu> <5674376E76F88641AD3748A64F0996971AAB7DA1@TK5EX14MBXC285.redmond.corp.microsoft.com> <CAK3OfOgRH88DmtAJw=hgd-t7-Sac3xTf-kD+aYOUCDh79AOtkg@mail.gmail.com> <ldv7gfnfxcv.fsf@cathode-dark-space.mit.edu> <E0DABA8F-493C-45C1-B909-3383A6B28E25@tycho.ncsc.mil>
Date: Thu, 15 Aug 2013 12:34:40 -0500
Message-ID: <CAK3OfOhtZz_O+nJSHbw6YZK=DysZ0LRY5ZSDkAafPpDOt92qJw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Kelley Burgin <kwburgi@tycho.ncsc.mil>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Michiko Short <michikos@microsoft.com>, Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [kitten] considering abandoning CTS mode (Re: I-D Action:draft-ietf-kitten-aes-cts-hmac-sha2-01.txt)

On Thu, Aug 15, 2013 at 12:28 PM, Kelley Burgin <kwburgi@tycho.ncsc.mil> wrote:
> GCM will not work in a long-term key environment because of counter rollover issues.

It can be made to work by using a large enough IV from which to derive
a sub-key for encryption and an IV for GCM itself.  This, of course,
would be sub-optimal: it'd increase ciphertext size (by the additional
IV bits) and it'd add key derivation and key setup costs.  It'd also
depend on having strong-enough sources of entropy, good enough clocks,
and so on, with which to ensure non-reuse of {long-term key, IV}.

With lots of care a 128-bit IV could be used safely, but that makes me very
uncomfortable: some implementations/deployments will fail to be
careful enough.

In short: I agree, GCM is out.  Would that we had high-performance
AEAD cipher modes without the IV-reuse-destroys-security problem.
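
The sub-key-plus-IV derivation sketched in the message above, worked through as an added example (this is not code from the thread or from the kitten draft): a random 128-bit per-message IV is carried in front of the ciphertext, and HMAC-SHA256 is used as the PRF to expand {long-term key, IV} into a fresh AES-256 sub-key and a 12-byte GCM nonce. The derivation label, the function names and the sample key are assumptions made for the example. The last function demonstrates the failure mode the message warns about: if {long-term key, IV} is ever reused, the two GCM ciphertexts share a keystream and their XOR equals the XOR of the plaintexts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	ivLen     = 16 // 128-bit per-message IV, transmitted with the ciphertext
	nonceLen  = 12 // standard GCM nonce length
	subKeyLen = 32 // AES-256 sub-key
)

// deriveSubKeyAndNonce expands (longTermKey, iv) into a per-message AES sub-key
// and GCM nonce using HMAC-SHA256 as a counter-mode PRF. The label is a
// hypothetical choice for this example, not anything the draft specifies.
func deriveSubKeyAndNonce(longTermKey, iv []byte) (subKey, nonce []byte) {
	var out []byte
	for ctr := byte(1); len(out) < subKeyLen+nonceLen; ctr++ {
		mac := hmac.New(sha256.New, longTermKey)
		mac.Write([]byte{ctr})
		mac.Write([]byte("example-gcm-subkey")) // hypothetical label
		mac.Write(iv)
		out = mac.Sum(out) // appends 32 bytes per iteration
	}
	return out[:subKeyLen], out[subKeyLen : subKeyLen+nonceLen]
}

// sealWithIV encrypts under the sub-key derived from (longTermKey, iv) and
// returns iv || ciphertext || tag. It takes the IV explicitly only so the
// reuse demonstration below can force a repeat; real callers use Seal.
func sealWithIV(longTermKey, iv, plaintext, aad []byte) ([]byte, error) {
	if len(iv) != ivLen {
		return nil, errors.New("iv must be 16 bytes")
	}
	subKey, nonce := deriveSubKeyAndNonce(longTermKey, iv)
	block, err := aes.NewCipher(subKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, ivLen+len(plaintext)+gcm.Overhead())
	out = append(out, iv...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// Seal draws a fresh random 128-bit IV; this is the intended, safe path.
func Seal(longTermKey, plaintext, aad []byte) ([]byte, error) {
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return sealWithIV(longTermKey, iv, plaintext, aad)
}

// Open re-derives the sub-key and nonce from the transmitted IV and decrypts.
func Open(longTermKey, msg, aad []byte) ([]byte, error) {
	if len(msg) < ivLen+16 { // IV plus at least the 16-byte GCM tag
		return nil, errors.New("message too short")
	}
	subKey, nonce := deriveSubKeyAndNonce(longTermKey, msg[:ivLen])
	block, err := aes.NewCipher(subKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, msg[ivLen:], aad)
}

// KeystreamLeakOnIVReuse encrypts two equal-length plaintexts under the same
// {long-term key, IV}. Because the derived sub-key and nonce then repeat, GCM's
// CTR keystream repeats too, and c1 XOR c2 == p1 XOR p2. Returns true when
// that relation holds, i.e. when the reuse is exploitable.
func KeystreamLeakOnIVReuse(longTermKey, iv, p1, p2 []byte) (bool, error) {
	if len(p1) != len(p2) {
		return false, errors.New("equal-length plaintexts expected")
	}
	c1, err := sealWithIV(longTermKey, iv, p1, nil)
	if err != nil {
		return false, err
	}
	c2, err := sealWithIV(longTermKey, iv, p2, nil)
	if err != nil {
		return false, err
	}
	b1, b2 := c1[ivLen:ivLen+len(p1)], c2[ivLen:ivLen+len(p2)] // drop IV and tag
	xorC, xorP := make([]byte, len(p1)), make([]byte, len(p1))
	for i := range p1 {
		xorC[i] = b1[i] ^ b2[i]
		xorP[i] = p1[i] ^ p2[i]
	}
	return bytes.Equal(xorC, xorP), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed long-term key for the demo
	msg, _ := Seal(key, []byte("ticket data"), []byte("hdr"))
	pt, err := Open(key, msg, []byte("hdr"))
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	leak, _ := KeystreamLeakOnIVReuse(key, bytes.Repeat([]byte{0x01}, ivLen),
		[]byte("attack at dawn"), []byte("attack at dusk"))
	fmt.Println("IV reuse leaks plaintext XOR:", leak)
}
```

The extra 16 bytes per message and the per-message HMAC plus AES key schedule are exactly the costs the message lists; the demonstration function shows why the scheme stands or falls on the randomness source that feeds Seal.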