Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]

Aaron Zauner <azet@azet.org> Mon, 01 June 2015 16:12 UTC

Return-Path: <azet@azet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB5661B2C81 for <tls@ietfa.amsl.com>; Mon, 1 Jun 2015 09:12:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hYs9D2JXwANe for <tls@ietfa.amsl.com>; Mon, 1 Jun 2015 09:12:37 -0700 (PDT)
Received: from mail-wg0-f42.google.com (mail-wg0-f42.google.com [74.125.82.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CC091B2C61 for <tls@ietf.org>; Mon, 1 Jun 2015 09:07:02 -0700 (PDT)
Received: by wgv5 with SMTP id 5so118688456wgv.1 for <tls@ietf.org>; Mon, 01 Jun 2015 09:07:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=Ww8h7Tm2h//S/RSn4RUuzlO46IatuTwjE/YLtCFThm8=; b=D/5MjTqvY7E7quWtgaySqdXcJGjuRJvm1gL5w88HxoUE5NI5gFQzSjiAa32sTzdHWv LR6aVwZOsyQMd1DXEs7ORzBZGMjmhIpKi7r1UoN0ufgVoO3U0RnbtJY7JARpgaQBbAHK IYsF4NiyuYakN2KFoqrOTVCtHZIE+cNtVMQddHj3/BDs++tjg8TFiVaPRVTTg19L0TGi 2RQOjc7veC34ket5NzY1yhZaz82pQJLr/dqsbRAcADQudFG3nWg/kOHFSFXwX/sh8tRm x9P+W4pEscAURlRubU+JftkDZnQLYC58Q+qVvPOkuJLyj8/GKCtPx+Kh/Ao5OjQg10QI boOQ==
X-Gm-Message-State: ALoCoQk9DgMYpD0MtYQmu8QLBmWkYBeRK+tbiHvkiHa3HIuJDnpHl1q2LKxQqpDb+TevsMzu3qXc
X-Received: by 10.180.90.73 with SMTP id bu9mr22268051wib.88.1433174821389; Mon, 01 Jun 2015 09:07:01 -0700 (PDT)
Received: from [10.0.0.142] (chello080108032135.14.11.univie.teleweb.at. [80.108.32.135]) by mx.google.com with ESMTPSA id n1sm17341354wix.0.2015.06.01.09.06.59 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 01 Jun 2015 09:07:00 -0700 (PDT)
Message-ID: <556C8320.2010705@azet.org>
Date: Mon, 01 Jun 2015 18:06:56 +0200
From: Aaron Zauner <azet@azet.org>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: noloader@gmail.com
References: <556C4ACD.9040002@azet.org> <CABcZeBNsYmto4F-J0mFoxcq-qfL=NJrvDu67fyY9bpBmRp16mQ@mail.gmail.com> <556C51FC.807@azet.org> <5878037.eTrqDl0Ll5@pintsize.usersys.redhat.com> <556C5881.4080902@azet.org> <CAH8yC8nCCNF9B72yNgM-hOkCYJrc2ZU0PmpeBrnbknKO92OZtA@mail.gmail.com>
In-Reply-To: <CAH8yC8nCCNF9B72yNgM-hOkCYJrc2ZU0PmpeBrnbknKO92OZtA@mail.gmail.com>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="------------enig44E65CF632907CF32CB41A1D"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/2OgE-Mq4jz9mAmZo30GIdSiL0nk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jun 2015 16:12:39 -0000

Hi,

Jeffrey Walton wrote:
> What do you suggest for resource constrained devices? What are the
> remaining choices?

There're none.

> When the device cannot do public key, they often use PSK.
> 
> PSK also has two desirable properties: channel binding and mutual
> authentication, and most other cipher suites don't provide them.
> 

I agree, but am unsure to what extent they are used in real life. I'm
trying to reduce the number of cipher-suites that would have to be added
to the IANA TLS parameter list; since PSK is unsupported with GCM
cipher-suites it seems only logical to exclude them here as well.
Because I regularly receive off-list mail that PSK is indeed wanted,
I've not yet removed those cipher-suites.

RFC3268 (CBC modes) also excludes TLS-PSK ciphersuites. There seems to
be a seperate document that deals with TLS-PSK namely RFC5487 (defines
GCM and CBC PSK cipher-suites). It might make sense to update this
document in case OCB mode get's accepted by the TLS-WG instead.

BTW: is TLS-SRP in use anywhere?

Aaron