Re: [TLS] What would make TLS cryptographically better for TLS 1.3

"Dan Harkins" <> Fri, 01 November 2013 19:00 UTC


On Thu, October 31, 2013 4:09 pm, Nico Williams wrote:
>  - Many fewer nonce bytes and random IVs where possible.  Nonce payloads
>    should be sent when needed, if needed.  For example, to derive a
>    session key from a DHE shared secret one does not really need
>    nonces.  This means that counter modes are better, for example, than
>    CBC modes.
>    <aside>
>    Perry Metzger recently proposed (I'm extrapolating a bit) a
>    random-IV-free CBC-like cipher mode where instead of a nonce one
>    sends a [small] counter which must be encrypted to recover the IV
>    for use as the first block in the CBC decryption of the ciphertext.
>    I kinda like this.
>    CBC has some advantages over counter modes.  However, for this
>    particular application (TLS and DTLS) it's easy enough to avoid (and
>    detect) counter reuse that counter modes' disadvantages are
>    tolerable.
>    </aside>

  In the interest of lessening nonce and IV bytes, especially ones that
are security-critical, there is always SIV mode (RFC 5297). That provides
authenticated encryption and only expands the packet by the number of
bits equal to the blocksize of the underlying cipher. You can add a
nonce as additional AAD but it's not necessary and security isn't voided
if such a nonce/counter gets reused. You get a mode that is less fragile,
and doesn't expand the frame as much, at the cost of two passes of the

  I'm not sure about Perry's proposed mode, and I'd be interested in
reading more about it, but SIV has a security proof in the paper by
Rogaway and Shrimpton that defined SIV.