RE: [TLS] NIST TLS recomendations (IV generation)
<Pasi.Eronen@nokia.com> Tue, 21 November 2006 16:39 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GmYey-00061r-0Y; Tue, 21 Nov 2006 11:39:48 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GmYex-00061a-4V for tls@lists.ietf.org; Tue, 21 Nov 2006 11:39:47 -0500
Received: from mgw-ext11.nokia.com ([131.228.20.170]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GmYev-0001JM-Ex for tls@lists.ietf.org; Tue, 21 Nov 2006 11:39:47 -0500
Received: from esebh108.NOE.Nokia.com (esebh108.ntc.nokia.com [172.21.143.145]) by mgw-ext11.nokia.com (Switch-3.1.10/Switch-3.1.10) with ESMTP id kALGdd5m001064; Tue, 21 Nov 2006 18:39:42 +0200
Received: from esebh104.NOE.Nokia.com ([172.21.143.34]) by esebh108.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 21 Nov 2006 18:39:38 +0200
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 21 Nov 2006 18:39:37 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] NIST TLS recomendations (IV generation)
Date: Tue, 21 Nov 2006 18:34:19 +0200
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F24036EA402@esebe105.NOE.Nokia.com>
In-Reply-To: <279DDDAFA85EC74C9300A0598E704056FE6957@hdsmsx412.amr.corp.intel.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] NIST TLS recomendations (IV generation)
Thread-Index: Acb9wgSf1EKVbyKaR12QoVxxwPw3hAPwCs4wAAFWovAAAJYLoA==
From: Pasi.Eronen@nokia.com
To: uri.blumenthal@intel.com, ray.perlner@nist.gov, tls@lists.ietf.org
X-OriginalArrivalTime: 21 Nov 2006 16:39:37.0506 (UTC) FILETIME=[A2216020:01C70D8B]
X-Nokia-AV: Clean
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 92df29fa99cf13e554b84c8374345c17
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Uri, I'd like to align the text with NIST SP 800-38A, which doesn't require uniqueness for CBC mode (and for other modes where uniqueness is required, generating the IV randomly is not usually acceptable). So how about "The Initialization Vector (IV) SHOULD be chosen at random, and MUST be unpredictable" ? (This text is in section titled "CBC block cipher", so no need to consider OFB or CTR here...) Best regards, Pasi > -----Original Message----- > From: ext Blumenthal, Uri [mailto:uri.blumenthal@intel.com] > Sent: 21 November, 2006 18:12 > To: Eronen Pasi (Nokia-NRC/Helsinki); ray.perlner@nist.gov; > tls@lists.ietf.org > Subject: RE: [TLS] NIST TLS recomendations (IV generation) > > Pasi, > > For the 1st statement how about: > > The IV SHOULD be chosen at random, and MUST be > unique and unpredictable. > > (based on crypto wisdom :-) > > -----Original Message----- > From: Pasi.Eronen@nokia.com [mailto:Pasi.Eronen@nokia.com] > Sent: Tuesday, November 21, 2006 10:37 AM > To: ray.perlner@nist.gov; tls@lists.ietf.org > Subject: RE: [TLS] NIST TLS recomendations (IV generation) > > Ray Perlner wrote: > > Page 20-21: Section 6.2.3.2 under IV The document specifies that the > > IV SHOULD be generated by method (1) or (2) and MAY be generated by > > an alternate method. There is, however, no language forbidding the > > generation of IVs by a fourth unlisted method. If a fourth method is > > used, the protocol will not fail but may be insecure. Therefore we > > recommend adding language forbidding the use of an unlisted method > > for IV generation. > > Actually the whole text about IVs is quite long, and contains > implementation details that IMHO are likely to confuse rather than > help an implementer. > > How about just replacing the whole text about IVs with something > like this? > > IV > > The Initialization Vector (IV) MUST be chosen at random, and > MUST be unpredictable. See [SP800-38A] Appendix C for > RECOMMENDED methods for generating unpredictable IVs. > > It is critical that the IV is not sent before the entire > plaintext of the record is known; otherwise it is possible for > the attacker to mount the attack described in [CBCATT]. > > Note: In versions of TLS prior to 1.1, there was no IV field, > and the last ciphertext block of the previous record (the "CBC > residue") was used as the IV. This was changed to prevent the > attacks described in [CBCATT]. > > Best regards, > Pasi _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- RE: [TLS] NIST TLS recomendations (IV generation) Blumenthal, Uri
- RE: [TLS] NIST TLS recomendations (IV generation) Pasi.Eronen
- RE: [TLS] NIST TLS recomendations (IV generation) Blumenthal, Uri
- Re: [TLS] NIST TLS recomendations (IV generation) Bodo Moeller
- RE: [TLS] NIST TLS recomendations (IV generation) Blumenthal, Uri
- Re: [TLS] NIST TLS recomendations (IV generation) Ray Perlner
- Re: [TLS] NIST TLS recomendations (IV generation) Eric Rescorla
- Re: [TLS] NIST TLS recomendations (IV generation) Ray Perlner