IETF Logo Mail Archive

Re: [TLS] draft-jay-tls-omit-aead-explicit-nonce-extension

Eric Rescorla <ekr@rtfm.com> Thu, 29 October 2015 06:11 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE5CD1A21BB for <tls@ietfa.amsl.com>; Wed, 28 Oct 2015 23:11:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Noy_MUi6zHQ4 for <tls@ietfa.amsl.com>; Wed, 28 Oct 2015 23:11:17 -0700 (PDT)
Received: from mail-yk0-x235.google.com (mail-yk0-x235.google.com [IPv6:2607:f8b0:4002:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 944771A21B8 for <tls@ietf.org>; Wed, 28 Oct 2015 23:11:17 -0700 (PDT)
Received: by ykft191 with SMTP id t191so32396108ykf.0 for <tls@ietf.org>; Wed, 28 Oct 2015 23:11:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm_com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=XsP7LRt2MYFvN9nqoP+swCXy401pBsD8oiaGWFd5Oe4=; b=FtLXJMmb+SnIuW1RegLsh5k+xIiSgBGAeshnPLFnLFaAhSy6GNw3Av4rZ4Z6bf7Upl 4Cch1pWCytgPd9C547Ciq/Pdw5LIHQzXaUWtc7vX/APtmTz4SGp2TPiKNProxp4FyEZK iabxo/5wTxjUEhfkUmFyBT2ESKizc2O4zSCd2BBnfGaZ+HAFGy1L9zQeTuZsWNwA89zb d2rRBB4Nxb+k1oS1y3P3O7Fk0kMxbPzCSJapKbnVXF+eTcYIm3eQ6tclTmrokI+5RL6F fZGwcd0qNQS1xaiHRVqYDzCJfbPYweP1DoDTfrIQTmvAnQOKBZ93p5mhy1DTtyk4ej3L BwYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=XsP7LRt2MYFvN9nqoP+swCXy401pBsD8oiaGWFd5Oe4=; b=HWewUgJebajKWo9aADqUbfr1RjmRk/GtXXVoYv9hLg9g9xgQ36KneM3+J+Zyrr36/W yVfTvCmlsSMMiC7wc14A/cXQIlMfhBX7cfq/uHU5Ny4kJcYZIWuIQJyah6LXfXNhb+0J kPwJ/cybErM2h11MyfVKL4TGtcFgz/EaGKh8/cRf99Y38dC1b8955SgJU+TvrhU5gWWo 0OXIiRe930IZd81g2joFFPGTXy2cmWBTvK+UMtyVREvJK+0qsM1LLCDHzZSM/E2cld4u sUnrDiZc8TYGLtnuZuosO5mNrhHpkVGrMPXwvtN/nwBw6tGwfcP85dskICQ13IySjSEo 5fPA==
X-Gm-Message-State: ALoCoQn6GPS+djuq9Hr9oSNIrYy8SxK6dX36O0ofgXr5RTG5SB1ClLORjDZBCa/o/IZ746dAgtL/
X-Received: by 10.129.130.6 with SMTP id s6mr37613136ywf.155.1446099076873; Wed, 28 Oct 2015 23:11:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.221.85 with HTTP; Wed, 28 Oct 2015 23:10:37 -0700 (PDT)
In-Reply-To: <8D925D4C0B78EE41857D407022ECD163BFEE9009@SZXEMI501-MBX.china.huawei.com>
References: <CABcZeBOCuuh=vQ2H-PA3bKFMSTp1duAqhj_thaN0VoCv4NDfEA@mail.gmail.com> <8D925D4C0B78EE41857D407022ECD163BFEE9009@SZXEMI501-MBX.china.huawei.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 29 Oct 2015 15:10:37 +0900
Message-ID: <CABcZeBPbt+V3JHiED_AjzNT5cgawX3i+f2AQAfeew54cZvvGVQ@mail.gmail.com>
To: Jayaraghavendran k <jayaraghavendran.k@huawei.com>
Content-Type: multipart/alternative; boundary="94eb2c07c35ec9af1c0523382dff"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/2pfKMsaVoHP-7iCRRDu9FEOePeI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-jay-tls-omit-aead-explicit-nonce-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2015 06:11:20 -0000

On Thu, Oct 29, 2015 at 3:04 PM, Jayaraghavendran k <
jayaraghavendran.k@huawei.com> wrote:

> Hi Eric,
>
>
>
> Thanks for your response.
>
>
>
> 1. There is already no requirement that you have an explicit nonce. RFC5246
>
> merely requires that you specify the length of the explicit nonce, but that
>
> length can be 0, as it is in the ChaCha/Poly drafts. So, rather than build
>
> an extension it would be better to just define a new cipher suite if you
> think
>
> this is important.
>
> [Jay]: The extension idea was mainly for the already defined ciphers in
> RFC 6655 (for AES_CCM usage in TLS) & RFC 5288 (for AES_GCM usage in TLS).
> Both these RFCs state that an explicit nonce of 8 bytes MUST be carried in
> each record. So, in these cases to avoid the overhead, the options as I
> understand are defining a new extension or a new cipher suite (which
> suggests the new explicit nonce generation mechanism and makes the record
> iv length as 0).
>

Yes, but we're already defining new cipher suites with that
(e.g., ChaCha). So given the small number of AEAD cipher
suites, defining a new cipher suite seems better.



> This new extension is more like a framework for negotiating the type of
> explicit nonce generation mechanisms. If a particular way of generating the
> explicit nonce is found to be exploitable in future, a new mechanism can be
> defined and negotiated through the extension.  Defining  a new cipher for
> each new mechanism of explicit nonce generation may increase the number of
> ciphers that the client has to carry in it’s client hello by a good amount
> (considering, it needs to carry old ciphers also for backward compatibility
> with servers not supporting new ciphers).
>

Defining a whole pile of explicit nonce generation mechanisms seems
bad. If we actually run into a situation where the hardcoded nonce
generation technique is broken, we can define an extension then



>
> 2. TLS 1.3 already omits the explicit nonce entirely.
>
> [Jay]:  My primary goal is for DTLS 1.2 which is used with CoAP in various
> IoT Scenarios. Usage of DTLS 1.2 with CoAP has already started in many
> products I believe and DTLS 1.3 may take some time and will not be
> immediately adapted by products already released.
>

Seems like this gives them an incentive to move to 1.3.

-Ekr

Requesting your suggestions in the above context.
>
>
>
> Thanks Again.
>
>
>
> Best Regards,
>
> Jay
>
>
> ***************************************************************************************
> This e-mail and attachments contain confidential information from HUAWEI,
> which is intended only for the person or entity whose address is listed
> above. Any use of the information contained herein in any way (including,
> but not limited to, total or partial disclosure, reproduction, or
> dissemination) by persons other than the intended recipient's) is
> prohibited. If you receive this e-mail in error, please notify the sender
> by phone or email immediately and delete it!
>
> ***************************************************************************************
>
>
>
> *From:* TLS [mailto:tls-bounces@ietf.org <tls-bounces@ietf.org>] *On
> Behalf Of *Eric Rescorla
> *Sent:* 24 October 2015 01:35
> *To:* tls@ietf.org;
> draft-jay-tls-omit-aead-explicit-nonce-extension@tools.ietf.org
> *Subject:* [TLS] draft-jay-tls-omit-aead-explicit-nonce-extension
>
>
>
> I took a quick look at this draft and IMO it is unnecessary, for two
> reasons:
>
>
>
> 1. There is already no requirement that you have an explicit nonce. RFC5246
>
> merely requires that you specify the length of the explicit nonce, but that
>
> length can be 0, as it is in the ChaCha/Poly drafts. So, rather than build
>
> an extension it would be better to just define a new cipher suite if you
> think
>
> this is important.
>
>
>
> 2. TLS 1.3 already omits the explicit nonce entirely.
>
>
>
> -Ekr
>
>
>
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email