Re: [saag] A case against algorithm agility (long)

Nico Williams <nico@cryptonector.com> Mon, 05 May 2014 17:43 UTC

In-Reply-To: <5367C9DC.10009@iang.org>
References: <53650F27.6040607@iang.org> <CAK3OfOhGCKPrYzhC46EVAnro6_FEsNVt16Gzx3Ds3zfR2wznOA@mail.gmail.com> <5367C9DC.10009@iang.org>
Date: Mon, 5 May 2014 12:43:01 -0500
Message-ID: <CAK3OfOjkVaepdXq0Rzx1hYSR3n5cZLC3tJgY7fzfc4bsd=qhvQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: ianG <iang@iang.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/R6h37PFTC3oVjV5s-aGtjmAX2T4
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] A case against algorithm agility (long)
List-Id: Security Area Advisory Group <saag.ietf.org>

On Mon, May 5, 2014 at 12:26 PM, ianG <iang@iang.org> wrote:
> On 5/05/2014 16:15 pm, Nico Williams wrote:
>> On Sat, May 3, 2014 at 10:45 AM, ianG <iang@iang.org> wrote:
>
>> I also agree that cipher and cipher mode MUST be negotiated as
>> registered pairs, not a la carte.  This is pretty clear, and I don't
>> know anyone who is arguing otherwise.
>
>
> Meet the draft:
>
> https://datatracker.ietf.org/doc/draft-iab-crypto-alg-agility/?include_text=1
>
> Especially 2.1:
>
>    Some approaches carry one identifier for each algorithm that is used.
>    Other approaches carry one identifier for a suite of algorithms.
>    Either approach is acceptable; however, designers are encouraged to
>    pick one of these approaches and use it consistently throughout the
>    protocol.
>
> Before we go further, can we just agree on what the above says, and what
> the draft implies?

Not really.  It's not clear that the quoted text means that cipher and
cipher mode can be negotiated separately.  I don't think anyone has
proposed such a thing in recent times (years).

> I think it says that "a la carte" is acceptable, to use your term.

As a term or as a concept?

> ...
>
>> Nonsense.  The CBC IV chaining bugs were exploited against SSHv2.  We
>> were very glad back then to have deployed AES in counter mode as that
>> saved our butts.
>
> Any reference to that?

I don't have one handy.  I was at a vendor at the time and we had
already shipped AES in counter mode (with HMAC for authentication), so
it was easy for us to tell our customers what configuration changes
needed to be done to address the problem.

Nico
--
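The "registered pairs, not a la carte" point in the exchange above, as an added example that is not part of the original message, of the draft it cites, or of any protocol spec. It models the two negotiation styles side by side and extends the cipher+mode pairing to the MAC (or AEAD) component, which the thread itself does not discuss. The suite registry, the SSH-style suite names, and both peers' preference lists are constructed for the illustration; the client-preference-order matching rule is the one SSH uses for its name-lists.

```python
"""Suite negotiation versus a-la-carte negotiation (constructed example).

Negotiating cipher, mode and MAC as one registered suite name means the peers
can only land on a combination somebody reviewed as a unit. Negotiating the
three independently matches each list correctly on its own, yet nothing ties
the three results together, so two individually sensible configurations can
produce a combination that no one registered.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Suite:
    """One registered (cipher, mode, MAC) combination, reviewed as a unit."""
    cipher: str
    mode: str
    mac: str  # "aead" marks a mode that authenticates on its own


# Constructed registry for this example; names are SSH-style but hypothetical
# and are not copied from any IANA table.
REGISTRY: Dict[str, Suite] = {
    "aes128-gcm":               Suite("aes128", "gcm", "aead"),
    "chacha20-poly1305":        Suite("chacha20", "poly1305", "aead"),
    "aes128-ctr+hmac-sha2-256": Suite("aes128", "ctr", "hmac-sha2-256"),
    "aes128-cbc+hmac-sha2-256": Suite("aes128", "cbc", "hmac-sha2-256"),
}


def first_common(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """First entry in the client's list that the server also offers."""
    offered = set(server)
    for name in client:
        if name in offered:
            return name
    return None


def negotiate_suite(client: Sequence[str], server: Sequence[str]) -> Optional[Suite]:
    """Pair-wise negotiation: peers exchange suite names, so the outcome is a
    registry entry by construction (or no agreement at all)."""
    name = first_common(client, server)
    return REGISTRY.get(name) if name is not None else None


def negotiate_a_la_carte(client: Dict[str, Sequence[str]],
                         server: Dict[str, Sequence[str]]) -> Optional[Suite]:
    """Independent negotiation of cipher, mode and MAC. Each component list is
    matched correctly in isolation; the combination is never checked."""
    parts = []
    for component in ("cipher", "mode", "mac"):
        choice = first_common(client[component], server[component])
        if choice is None:
            return None
        parts.append(choice)
    return Suite(*parts)


def is_registered(suite: Suite) -> bool:
    """The check an a-la-carte protocol would have to bolt on afterwards:
    refuse any combination that is not in the registry."""
    return suite in REGISTRY.values()


def demo() -> Tuple[Optional[Suite], Optional[Suite]]:
    """Run both styles on constructed preference lists and return the results."""
    # Suite-name lists: the client prefers GCM, the server prefers CTR+HMAC.
    client_suites = ["aes128-gcm", "aes128-ctr+hmac-sha2-256"]
    server_suites = ["aes128-ctr+hmac-sha2-256", "aes128-gcm", "chacha20-poly1305"]

    # A-la-carte lists. Each side's lists are self-consistent: the server lists
    # "aead" because it supports chacha20-poly1305, the client because it wants
    # GCM. Neither side can express "aead only goes with gcm/poly1305".
    client_parts = {"cipher": ["aes128"],
                    "mode":   ["gcm", "ctr"],
                    "mac":    ["aead", "hmac-sha2-256"]}
    server_parts = {"cipher": ["aes128", "chacha20"],
                    "mode":   ["ctr", "poly1305"],
                    "mac":    ["aead", "hmac-sha2-256"]}

    return negotiate_suite(client_suites, server_suites), \
        negotiate_a_la_carte(client_parts, server_parts)


if __name__ == "__main__":
    paired, a_la_carte = demo()
    print("suite negotiation   :", paired, "registered:", is_registered(paired))
    print("a-la-carte result   :", a_la_carte, "registered:", is_registered(a_la_carte))
```

Running it, suite negotiation yields aes128-gcm, while the a-la-carte run settles on aes128 in CTR mode with the "aead" MAC choice, i.e. an unauthenticated counter-mode stream that appears in neither peer's intended configuration and is absent from the registry. The is_registered check catches it after the fact; negotiating registered pairs makes the check unnecessary because the unregistered combination cannot be named.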