Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites

Jack Visoky <jmvisoky@ra.rockwell.com> Tue, 09 February 2021 18:26 UTC

From: Jack Visoky <jmvisoky@ra.rockwell.com>
To: Ben Schwartz <bemasc@google.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites
Thread-Index: AQHW+wE3huDmMJ6r1kGGgyEbw2a4D6pKKEMQgARwQICAAGoAgIAA/+oAgAAo25A=
Date: Tue, 09 Feb 2021 18:26:53 +0000
Message-ID: <DM5PR2201MB16438A7382F7665D33C4E6EE998E9@DM5PR2201MB1643.namprd22.prod.outlook.com>
References: <CA+_8xu03uCNW+TAgbkL2f0pfredw21Kam5c6UdAGbdQE6a+d_w@mail.gmail.com> <DM5PR2201MB1643A9CE6A15BC5C5B8FA4B399B29@DM5PR2201MB1643.namprd22.prod.outlook.com> <CAHbrMsA5wyaAfsHrOjQmw89KhZAQCvut4aw=temu5d+TOsby4Q@mail.gmail.com> <1612831271487.22543@cs.auckland.ac.nz> <CAHbrMsA_RngkJcFgJfBVdXOaYtR-k0690TN1Q670-z-8AJ+H+w@mail.gmail.com>
In-Reply-To: <CAHbrMsA_RngkJcFgJfBVdXOaYtR-k0690TN1Q670-z-8AJ+H+w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_DM5PR2201MB16438A7382F7665D33C4E6EE998E9DM5PR2201MB1643_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: a2602e86-68f3-4f87-1bd8-08d8cd28466f
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Feb 2021 18:26:53.5988 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 855b093e-7340-45c7-9f0c-96150415893e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 2o9NUGwKkAdC6YMZQDv0fD3XDf/DbPRhDCo8NBDvRC1gIZy3blMYrEn1AwcG5/aaD1lhQvfCdjQ4dbDfZeIWxVPsFmFNYkNVt6IHRd+9EqA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR22MB1914
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ub0YS3Vx6VUcgQ6n7LbsB5GG0KE>
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2021 18:26:57 -0000

Hi,

I think we discussed this in a previous thread, but I’d prefer to keep this part of the draft as is. Since IoT hardware is really diverse there are some platforms where this would be a performance gain (and others where it is not). We don’t make strong claims in this area in the draft so I think it is appropriate as is. That said, if you’d like we can add some “disclaimer” text saying this won’t apply in all cases, but I don’t think it’s appropriate to remove it completely.

Thanks,

--Jack

From: Ben Schwartz <bemasc@google.com>
Sent: Tuesday, February 9, 2021 10:57 AM
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Jack Visoky <jmvisoky@ra.rockwell.com>; <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites

Hardware support for AES but not SHA2 is extremely common.  For devices without acceleration, ChaCha20-Poly1305 is likely to be faster than SHA256 (e.g. according to https://www.bearssl.org/speed.html).

Unless your device has hardware offload for SHA256 but _not_ for AES (a rare combination), you can likely do AEAD faster than these integrity-only ciphersuites.  The draft implies that performance ("latency", "processing power") is a motivation for using these ciphers.  (It also mentions "runtime memory footprint" and "the need to minimize the number of cryptographic algorithms used", which are separate considerations.)

On Mon, Feb 8, 2021 at 7:41 PM Peter Gutmann <pgut001@cs.auckland.ac.nz<mailto:pgut001@cs.auckland.ac.nz>> wrote:
Ben Schwartz <bemasc=40google.com@dmarc.ietf.org<mailto:40google.com@dmarc.ietf.org>> writes:

>If you are updating the text, I would recommend removing the claim about
>performance.  In general, the ciphersuites specified in the text are likely
>to be slower than popular AEAD ciphersuites like AES-GCM.

Uhh... when is AES-GCM faster than SHA2, except on systems with hardware
support for AES-GCM and no hardware support for SHA2?

Peter.

[TLS] TLS 1.3 Authentication and Integrity only C… Ben Smyth
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Ben Schwartz
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Peter Gutmann
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Ben Schwartz
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… John Mattsson
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Stephen Farrell
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Salz, Rich
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Stephen Farrell
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Rob Sayre
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Salz, Rich
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Viktor Dukhovni
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Stephen Farrell
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Benjamin Kaduk
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… John Mattsson
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Bill Frantz
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Ira McDonald
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Eric Rescorla
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Eric Rescorla
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Eric Rescorla
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Blumenthal, Uri - 0553 - MITLL
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… John Mattsson