IETF Logo Mail Archive

Re: [TLS] AES-CCM ECC Cipher Suites for TLS @ IETF 78

"Brian Smith" <brian@briansmith.org> Fri, 16 July 2010 22:56 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6AC563A6862 for <tls@core3.amsl.com>; Fri, 16 Jul 2010 15:56:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.338
X-Spam-Level:
X-Spam-Status: No, score=-0.338 tagged_above=-999 required=5 tests=[AWL=0.402, BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bzr+JttNOG2C for <tls@core3.amsl.com>; Fri, 16 Jul 2010 15:56:28 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) by core3.amsl.com (Postfix) with ESMTP id 6F3E43A6834 for <tls@ietf.org>; Fri, 16 Jul 2010 15:56:28 -0700 (PDT)
Received: from T60 (unknown [98.200.191.117]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id C9C4722E1F1; Fri, 16 Jul 2010 18:56:33 -0400 (EDT)
From: Brian Smith <brian@briansmith.org>
To: 'David McGrew' <mcgrew@cisco.com>
References: <C9990CC0-A4D7-4519-9DEA-E415F11EBCEB@cisco.com>
In-Reply-To: <C9990CC0-A4D7-4519-9DEA-E415F11EBCEB@cisco.com>
Date: Fri, 16 Jul 2010 17:56:30 -0500
Message-ID: <001b01cb253a$242ad9b0$6c808d10$@briansmith.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
thread-index: AQIcHj9gn0tksq0yf9jqlQFokpf4lACS+iX1
Content-Language: en-us
Cc: tls@ietf.org
Subject: Re: [TLS] AES-CCM ECC Cipher Suites for TLS @ IETF 78
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jul 2010 22:56:29 -0000

David McGrew wrote:
> I would like to request a time slot the TLS meeting at IETF78 to describe
"AES-
> CCM ECC Cipher Suites for TLS", draft-mcgrew-tls-aes-ccm- ecc-00, and how
it
> could be useful in TLS.  This work aims to provide a ciphersuite suitable
for
> compact implementations and use in bandwidth-challenged environments.  It
> was developed with input from the Zigbee Smart Energy 2.0 task group.
> 
> A related work-in-progress that I'd like to mention is "The Compressed
> X.509 Certificate Format", draft-pritikin-comp-x509-00, which is intended
for
> similar environments.  I can give a one-slide overview of this work and
how it
> relates.

Some TLS implementions (e.g. Microsoft, and soon OpenSSL and NSS) have
already shipped AES-GCM implementations, specialized CPU instructions for
AES-GCM seem to be on the verge of becoming ubiquitous on end-user systems
(e.g. Intel AES-NI), it is possible to build fast and constant-time AES-GCM
implementations with only SIMD instructions, and AES-GCM is or will be
required for some government applications of TLS (e.g. NSA Suite B profile
for TLS). So, I think every mainstream TLS implementation is going to
implement the AES-GCM cipher suites.

Basically the opposite of all that is true for CCM. So, what are CCM's
advantages over GCM and why can't/shouldn't devices implement the AES-GCM
cipher suites to enhance interoperability with mainstream TLS
implementations? I heard that CCM can be implemented in software with a
smaller number of opcodes, so that is one reason. But, how many fewer
opcodes does it need? Are you expecting that it will become commonplace for
mainstream (e.g. desktop, web server, mobile phone) TLS implementations to
support these CCM cipher suites?

Section 2 tries to impose restrictions on clients and servers which would
reduce interoperability. For example, "The client MUST NOT offer the
elliptic_curves extension nor the ec_point_formats extension.  The server
MUST NOT expect to receive those extensions." I guess this must be an
attempt to limit ECC patent exposure, but IMO that doesn't belong in the
document defining these cipher suites. Surely any TLS client that implements
these cipher suites and indicates support for curves the server supports
should work. After all, some other servers (that implement other
ciphersuites) might be able to use those extensions or even require them.

Why did you define new cipher suites instead of defining an extension like
the Truncated HMAC extension?

Regards,
Brian

v2.23.0 | Report a Bug | By Email