Re: [kitten] considering abandoning CTS mode (Re: I-D Action:draft-ietf-kitten-aes-cts-hmac-sha2-01.txt)

Nico Williams <nico@cryptonector.com> Wed, 14 August 2013 23:57 UTC

In-Reply-To: <5674376E76F88641AD3748A64F0996971AAB7DA1@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <5674376E76F88641AD3748A64F0996971AAA4F35@TK5EX14MBXC285.redmond.corp.microsoft.com> <tsly584dyzt.fsf@mit.edu> <5674376E76F88641AD3748A64F0996971AAB7DA1@TK5EX14MBXC285.redmond.corp.microsoft.com>
Date: Wed, 14 Aug 2013 18:57:28 -0500
Message-ID: <CAK3OfOgRH88DmtAJw=hgd-t7-Sac3xTf-kD+aYOUCDh79AOtkg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Michiko Short <michikos@microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "kitten@ietf.org" <kitten@ietf.org>, Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [kitten] considering abandoning CTS mode (Re: I-D Action:draft-ietf-kitten-aes-cts-hmac-sha2-01.txt)

On Wed, Aug 14, 2013 at 5:55 PM, Michiko Short <michikos@microsoft.com> wrote:
> I am curious why we aren't just using the same AES-CTS as in the current RFC?

The initially proposed AES-CTS-HMAC-SHA-2 enctype didn't confound,
though it did have a random block prefix.  This is an optimization
over confounding: we've mostly convinced ourselves that it merely
reduces the number of AES block operations required, not the security
of the whole.  But this meant that we can have ciphertexts that are
shorter than one block, which CTS cannot handle.

We then set about using the non-confounded nonce as a source of
"ciphertext" to steal from.  The result was more complex than the CTS
we use today, and shares with CTS the general lack of support in
existing APIs (e.g., PKCS#11).  Tom Yu and others expressed concern
about this and a preference for plain old CBC with nonces.  Ever since,
we've been wondering if this would be a problem for Microsoft,
specifically for DCE and SSPI applications.

Nico
--