[MLS] confirming cipher suites decisions

Sean Turner <sean@sn3rd.com> Thu, 06 February 2020 16:08 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/eJ_lQTWzcDmpmx0JXn2pGXgwKy0>


tl;dr: confirming MTI suite selections and rationale for avoiding proliferation

During the F2F Interim in January, the WG discussed cipher suite-related issues. Namely, whether a per-group signature scheme should be driven by the chosen cipher suite, what the MTI (Mandatory To Implement) cipher suites were, and what the actual algorithms should be.

There was rough agreement that there should be one signature scheme per group and that it should be driven by the cipher suite. There are, at least, three things to consider: 1) if a potential group member does not support the algorithm, then they will not become a member or the group will need to downgrade; 2) when the group needs/wants to update, it is a flag day; and 3) the cipher suites will have similar combinatorial issues to the TLS cipher suites prior to TLS 1.3. The agreement was “rough” because 1) likely has some important implications.

The MLS cipher suites defined were as follows: 
- MLS10_128_HPKEX25519_AES128GCM_SHA256_Ed25519
- MLS10_128_HPKEP256_AES128GCM_SHA256_P256
- MLS10_128_HPKEX25519_CHACHA20POLY1305_SHA256_Ed25519
- MLS10_256_HPKEX448_AES256GCM_SHA384_Ed448
- MLS10_256_HPKEP521_AES256GCM_SHA384_P521
- MLS10_256_HPKEX448_CHACHA20POLY1305_SHA384_Ed448

At the interim, the consensus was to make the non-NIST suites the MTI. The rationale was that those implementations that need to be NIST compliant will do so regardless of the choice made by the WG.

In looking at the actual cipher suites, it was noted that for the 256-bit schemes the SHA should be SHA-512. The rationale agreed was that SHA-384 is SHA-512 cut in half, so just do SHA-512 because it is one less operation.

To avoid the proliferation of cipher suites, guidance will be provided to be conservative about allocating new code points. The consensus at the interim was that the suites provided were minimal and provided good coverage for the known use cases:
- (X25519, AES-GCM, Ed25519) - Good for desktop
- (P-256, AES-GCM, P-256) - Compliance
- (X25519, ChachaPoly, Ed25519) - Good for mobile

The chairs need to confirm the interim’s consensus on list, so please let the WG know by 2359 UTC 20 February whether you disagree with these choices and why.

NOTE: The final text will obviously be reviewed, but is being composed as part of the following PR:

NOTE: We combined these cipher suite related consensus points, but if we only come to consensus on some of these we can still incorporate what we do agree on.


Nick and Sean
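As an added illustration (not part of the chairs' message or of the MLS specification), the snippet below parses the suite names listed in the message into their components and encodes the three consensus points as checks: non-NIST suites are MTI, the group's signature scheme is fixed by its suite (so a candidate member must support it), and the 256-bit level moves to SHA-512. The field order `MLS10_<level>_HPKE<KEM>_<AEAD>_<hash>_<signature>` is an assumption inferred from the names as written.

```python
import re
from dataclasses import dataclass

# Suite names exactly as listed in the chairs' message (copied, not generated).
MLS_SUITES = [
    "MLS10_128_HPKEX25519_AES128GCM_SHA256_Ed25519",
    "MLS10_128_HPKEP256_AES128GCM_SHA256_P256",
    "MLS10_128_HPKEX25519_CHACHA20POLY1305_SHA256_Ed25519",
    "MLS10_256_HPKEX448_AES256GCM_SHA384_Ed448",
    "MLS10_256_HPKEP521_AES256GCM_SHA384_P521",
    "MLS10_256_HPKEX448_CHACHA20POLY1305_SHA384_Ed448",
]
# Field layout MLS10_<level>_HPKE<kem>_<aead>_<hash>_<sig>: assumed, inferred from the names above.
SUITE_RE = re.compile(
    r"^MLS10_(?P<bits>128|256)_HPKE(?P<kem>X25519|X448|P256|P521)"
    r"_(?P<aead>AES128GCM|AES256GCM|CHACHA20POLY1305)_(?P<hash>SHA\d{3})"
    r"_(?P<sig>Ed25519|Ed448|P256|P521)$"
)
NIST_CURVES = {"P256", "P521"}
@dataclass(frozen=True)
class Suite:
    name: str
    bits: int
    kem: str
    aead: str
    hash: str
    sig: str
def parse_suite(name: str) -> Suite:
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not an MLS 1.0 cipher suite name: {name}")
    return Suite(name, int(m["bits"]), m["kem"], m["aead"], m["hash"], m["sig"])

def is_mti(name: str) -> bool:
    """Interim consensus: the non-NIST suites are Mandatory To Implement."""
    s = parse_suite(name)
    return s.kem not in NIST_CURVES and s.sig not in NIST_CURVES

def can_join(group_suite: str, member_sig_schemes: set) -> bool:
    """Point 1): the group's signature scheme is fixed by its suite; a candidate lacking it cannot join without a group downgrade."""
    return parse_suite(group_suite).sig in member_sig_schemes

def hash_per_interim(name: str) -> str:
    """Hash the interim settled on: SHA-512 at the 256-bit level, SHA-256 otherwise."""
    return "SHA512" if parse_suite(name).bits == 256 else "SHA256"

def suites_needing_hash_update() -> list:
    """Listed names whose hash field still differs from the interim decision (the SHA-384 ones)."""
    return [n for n in MLS_SUITES if parse_suite(n).hash != hash_per_interim(n)]
```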