Re: [TLS] tales from the TLS interim: TLS 1.3 MTI algorithms

Eric Rescorla <ekr@rtfm.com> Wed, 18 March 2015 23:02 UTC

In-Reply-To: <D7D27758-CB9B-4C40-AD02-5276A49423DE@gmail.com>
References: <7B0B2402-6D04-48B3-BB25-1B6FC6FBC61D@ieca.com> <90A9B6DC-A775-4E4C-BA58-E40260F9BF55@gmail.com> <55094150.2010800@comodo.com> <CABcZeBMa_oCAGNaPaARvGgxVi5PO1JYk_RN+SviVuu674NGRFg@mail.gmail.com> <D7D27758-CB9B-4C40-AD02-5276A49423DE@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 18 Mar 2015 16:01:23 -0700
Message-ID: <CABcZeBOMwpUE0gnh6S1ciqEYVRyQc07BctMJSTOdhhdCJYmb4Q@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/1ZLJpu8pgLJ5cBsv7_JyngQEHUU>
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] tales from the TLS interim: TLS 1.3 MTI algorithms

On Wed, Mar 18, 2015 at 3:55 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:

>
> On Mar 18, 2015, at 11:05 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
> On Wed, Mar 18, 2015 at 2:11 AM, Rob Stradling <rob.stradling@comodo.com>
> wrote:
>
>> On 18/03/15 07:38, Yoav Nir wrote:
>>
>>> On Mar 18, 2015, at 12:11 AM, Sean Turner <TurnerS@ieca.com> wrote:
>>>>
>>> <snip>
>>
>>> Please note that CFRG is already done with ChaCha20-Poly1305. The
>>> document is approved and in the RFC Editor’s queue.
>>>
>>> The ball is not in this working group’s court. It’s time to decide about
>>> draft-mavrogiannopoulos-chacha-tls.
>>
>>
> I await the chair's action on this.
>
> In the meantime, I see that we have developed a conflict between this
> draft and
>
> https://github.com/tlswg/tls13-spec/pull/155
>
> Because this PR prescribes a specific mechanism for generating the nonce
> (left-padding the record sequence number) which conflicts with the one for
> this draft. Assuming that people feel that the approach we arrived at in
> the interim is appropriate, we will probably want to adjust this draft
> prior
> to acceptance.
>
>
> The draft is suitable for TLS 1.2 as well, so I’m not sure it needs to
> comply with the nonce generation procedure of TLS 1.3.  It’s better for it
> to be like other AEADs such as AES-GCM, and then get adapted to TLS 1.3
> just like AES-GCM.
>

Well, it's already not like GCM because the GCM draft uses a partially
explicit nonce (64 bits) that is carried separately in the record whereas
this draft uses the record sequence number in that location. What I am
proposing is that instead of using an IV generated from the master secret
as the upper 32 bits of the nonce, ChaCha20 should just use 0s. This
would make it like TLS 1.3.

Alternately, I suppose you could make it like GCM, but it seems like the
WG is moving towards saving those bits, so that seems odd.

-Ekr
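As an added illustration of the nonce layouts being compared above (not code from the message, from draft-mavrogiannopoulos-chacha-tls, or from the TLS 1.3 PR), the following builds the 96-bit record nonce three ways: the TLS 1.2 AES-GCM layout of RFC 5288 (4-byte implicit salt plus an 8-byte explicit part sent in every record), the ChaCha20 draft layout as Ekr describes it (a 32-bit write IV from the key block above the 64-bit sequence number, nothing extra on the wire), and the zero-padded sequence number he proposes. A pure-Python ChaCha20 block function (RFC 7539) shows what the nonce actually feeds and why a repeated nonce is fatal. Function names, the sample key, write IV and sequence number are all constructed for the example; the Poly1305 tag is omitted, so this is the keystream half of the AEAD only.

```python
"""Added example: the three 96-bit record-nonce layouts discussed in the thread,
fed into a minimal ChaCha20 (RFC 7539) keystream. Keystream half only, no Poly1305."""
import struct

M32 = 0xFFFFFFFF
SEQ_LIMIT = 1 << 64  # 64-bit record sequence number; rekey before it can wrap


def _rotl(v, c):
    return ((v << c) & M32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """RFC 7539 section 2.3: 256-bit key, 32-bit block counter, 96-bit nonce -> 64 bytes."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8L", key) + (counter & M32,) + struct.unpack("<3L", nonce)
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *((x + y) & M32 for x, y in zip(w, state)))


def nonce_tls12_gcm(salt: bytes, nonce_explicit: bytes) -> bytes:
    """RFC 5288: implicit 4-byte salt from the key block || 8-byte explicit part
    carried in clear in the record (RFC 5288 allows the sequence number there).
    Cost: 8 extra bytes on the wire per record."""
    assert len(salt) == 4 and len(nonce_explicit) == 8
    return salt + nonce_explicit


def nonce_chacha_draft(write_iv: bytes, seq: int) -> bytes:
    """The ChaCha20 draft as described in the message: 32-bit write IV derived from
    the master secret as the upper bits, 64-bit sequence number below it. No wire cost."""
    assert len(write_iv) == 4 and 0 <= seq < SEQ_LIMIT
    return write_iv + struct.pack(">Q", seq)


def nonce_zero_padded(seq: int) -> bytes:
    """Ekr's proposal (the TLS 1.3 PR approach): sequence number left-padded with
    zeros to 96 bits, so the upper 32 bits are simply 0. No wire cost."""
    assert 0 <= seq < SEQ_LIMIT
    return bytes(4) + struct.pack(">Q", seq)


def chacha20_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Keystream XOR starting at block counter 1; in the AEAD construction counter 0
    is consumed for the Poly1305 one-time key (RFC 7539 section 2.8)."""
    out = bytearray()
    for i in range(0, len(plaintext), 64):
        ks = chacha20_block(key, 1 + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + 64], ks))
    return bytes(out)


def nonce_reuse_leak(key: bytes, nonce: bytes, pt1: bytes, pt2: bytes) -> bool:
    """The failure mode a sequence-number nonce exists to prevent: two records under
    the same key and nonce share a keystream, so c1 XOR c2 == pt1 XOR pt2.
    Returns True when that leak is observable (zip truncates to the shorter record)."""
    xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
    c1, c2 = chacha20_encrypt(key, nonce, pt1), chacha20_encrypt(key, nonce, pt2)
    return xor(c1, c2) == xor(pt1, pt2)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real session.
    key, write_iv, seq = bytes(range(32)), bytes.fromhex("a1b2c3d4"), 7
    schemes = [("tls12 aes-gcm", nonce_tls12_gcm(write_iv, struct.pack(">Q", seq)), 8),
               ("chacha draft ", nonce_chacha_draft(write_iv, seq), 0),
               ("zero-padded  ", nonce_zero_padded(seq), 0)]
    for name, nonce, wire in schemes:
        ks = chacha20_block(key, 1, nonce)[:8].hex()
        print(f"{name} nonce={nonce.hex()} explicit_bytes_on_wire={wire} keystream[:8]={ks}")
    # Uniqueness within a connection comes from the sequence number alone; the
    # upper 32 bits (IV or zeros) only change which keystream a given seq selects.
    print("reuse leak:", nonce_reuse_leak(key, nonce_zero_padded(seq), b"record one", b"record two"))
```

Whichever upper 32 bits are chosen, the property that matters is that no (key, nonce) pair repeats: within a connection that is guaranteed by the monotonically increasing sequence number, and across connections by fresh keys. The GCM layout buys nothing extra for that guarantee once the explicit part is the sequence number, which is the sense in which carrying those 8 bytes is wasted.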