Re: [TLS] What would make TLS cryptographically better for TLS 1.3

["Dan Harkins" <dharkins@lounge.org>]

On Thu, October 31, 2013 4:09 pm, Nico Williams wrote:
[snip]
>  - Many fewer nonce bytes and random IVs where possible.  Nonce payloads
>    should be sent when needed, if needed.  For example, to derive a
>    session key from an DHE shared secret one does not really need
>    nonces.  This means that counter modes are better, for example, than
>    CBC modes.
>
>    <aside>
>
>    Perry Metzger recently proposed (I'm extrapolating a bit) a
>    random-IV-free CBC-like cipher mode where instead of a nonce one
>    sends a [small] counter which must be encryted to recover the IV
>    for use as the first block in the CBC decryption of the ciphertext.
>    I kinda like this.
>
>    CBC has some advantages over counter modes.  However, for this
>    particular application (TLS and DTLS) it's easy enough to avoid (and
>    detect) counter reuse that counter modes' disadvantages are
>    tolerable.
>
>    </aside>

  In the interest of lessening nonce and IV bytes, especially ones that
are security-critical there is always SIV mode (RFC 5297). That provides
authenticated encryption and only expands the packet by the number of
bits equal to the blocksize of the underlying cipher. You can add a
nonce as additional AAD but it's not necessary and security isn't voided
if such a nonce/counter gets reused. You get a mode that is less fragile,
and doesn't expand the frame as much, at the cost of two passes of the
data.

  I'm not sure about Perry's proposed mode, and I'd be interested in
reading more about it, but SIV has a security proof in the paper by
Rogaway and Shrimpton that defined SIV.

  regards,

  Dan.