Re: [kitten] Moving forward with draft-ietf-kitten-aes-cts-hmac-sha2
Greg Hudson <ghudson@MIT.EDU> Tue, 07 January 2014 19:54 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AED711AE156 for <kitten@ietfa.amsl.com>; Tue, 7 Jan 2014 11:54:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.139
X-Spam-Level:
X-Spam-Status: No, score=-3.139 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wz7x34ddKfGG for <kitten@ietfa.amsl.com>; Tue, 7 Jan 2014 11:54:33 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) by ietfa.amsl.com (Postfix) with ESMTP id 7E2C71ADF98 for <kitten@ietf.org>; Tue, 7 Jan 2014 11:54:33 -0800 (PST)
X-AuditID: 12074425-f79906d000000cf9-b0-52cc5b70c881
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id E0.26.03321.07B5CC25; Tue, 7 Jan 2014 14:54:24 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id s07JsNrV004674; Tue, 7 Jan 2014 14:54:23 -0500
Received: from [18.101.8.147] (vpn-18-101-8-147.mit.edu [18.101.8.147]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s07JsLnZ001967 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 7 Jan 2014 14:54:22 -0500
Message-ID: <52CC5B6D.5050502@mit.edu>
Date: Tue, 07 Jan 2014 14:54:21 -0500
From: Greg Hudson <ghudson@MIT.EDU>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: "Peck, Michael A" <mpeck@mitre.org>, "kitten@ietf.org" <kitten@ietf.org>
References: <CED4D260.D7E7%mpeck@mitre.org>
In-Reply-To: <CED4D260.D7E7%mpeck@mitre.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrNIsWRmVeSWpSXmKPExsUixCmqrFsQfSbIYHsTl8XRzatYLE7fes7s wOSxZMlPJo+3DVfZA5iiuGxSUnMyy1KL9O0SuDLObWtnLpjLXzH74j6WBsZlPF2MnBwSAiYS b680sUHYYhIX7q0Hsrk4hARmM0mc7r3AAuFsYJSY/38CO4RzmElieu8qpi5GDg5eATWJdU2G IN0sAqoS+98cYQax2QSUJQ6e/cYCYosKhEnc/b+WEcTmFRCUODnzCQtIq4iAj8TDVa4gYWEB X4mOK5eZQGwhAW2Jq1smgB3EKaAjcXnOeTCbWUBPYsf1X6wQtrxE89bZzBMYBWYhmToLSdks JGULGJlXMcqm5Fbp5iZm5hSnJusWJyfm5aUW6Vro5WaW6KWmlG5iBIUpu4vqDsYJh5QOMQpw MCrx8N5QOxMkxJpYVlyZe4hRkoNJSZQ3IgooxJeUn1KZkVicEV9UmpNafIhRgoNZSYRXPAwo x5uSWFmVWpQPk5LmYFES573FYR8kJJCeWJKanZpakFoEk5Xh4FCS4M0CGSpYlJqeWpGWmVOC kGbi4AQZzgM0vBKkhre4IDG3ODMdIn+KUVFKnNcIJCEAksgozYPrhaWRV4ziQK8I8yaDVPEA UxBc9yugwUxAg0PjToEMLklESEk1MLZcDnFrMPAIyvxgemrb38PnQuorPryu17DRi67YO4s3 /vfs9x+fK/xQlXKYlpXi+YLztLVijnf87bD6edPbll+cNKNWoPnk/SMbPjEuz7Qx/Hh/3bNJ p/hYSvpc2pZe2DrxRzf3nr2FXhcCRCo5WF/L/q7WdVRR8vuRzDvdScvpENOzySsn71BiKc5I NNRiLipOBADSn3DV/gIAAA==
Subject: Re: [kitten] Moving forward with draft-ietf-kitten-aes-cts-hmac-sha2
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2014 19:54:34 -0000
On 01/06/2014 03:26 PM, Peck, Michael A wrote: > A consensus call decided on CBC mode with PKCS7 padding, but immediately > afterwards Paul Miller from Microsoft stated that CBC with PKCS7 padding > could cause compatibility problems. Based on that feedback, I suggest > we go with CTS mode – are there any objections? I think we are only likely to get consensus if we use CTS mode, yes. > Some have indicated interest in sticking with the RFC 3961/3962 > confounder approach. Yes. I would summarize the advantages and disadvantages as follows: + eliminates most of the short input special casing + allows more code reuse with existing RFC 3962 implementations + disguises the state of a compromised PRNG (if the enctype implementation code is not also compromised) - less consistent with SP 800-38A addendum - slightly slower I believe that the first and second advantages outweigh the disadvantages. > I'd like to suggest some options to choose from: I am strongly opposed to defining multiple new enctypes for explicit-IV vs. confounder, or a single enctype which tries to do both. Doing that would have basically all of the disadvantages and none of the advantages. I don't think explicit-IV vs. confounder is a "policy" decision in any reasonable sense. So I favor option 3. Within that option, I would favor a confounder over explicit-IV, but I would rather do explicit-IV than both. > Define the cipherstate to be the next-to-last ciphertext block of the previous message (like in RFC 3961/3962). I am in favor of this change because it allows more code reuse. If we were designing from scratch, I would suggest using the encrypted confounder as the cipherstate. (Realistically, almost nothing uses cipherstate, so while we need a story for it that works as well as RFC 3961/3962, we don't necessarily need to nitpick the fine cryptographic advantages of one approach over another.)
- [kitten] Moving forward with draft-ietf-kitten-ae… Peck, Michael A
- Re: [kitten] Moving forward with draft-ietf-kitte… Greg Hudson