Re: [TLS] WG adoption + early code point assignment: draft-mavrogiannopoulos-chacha-tls

Eric Rescorla <ekr@rtfm.com> Tue, 19 May 2015 22:15 UTC


On Tue, May 19, 2015 at 2:31 PM, Sean Turner <turners@ieca.com> wrote:

> All,
>
> This message serves two purposes:
>
> 1) It is the WG call for adoption of:
>
> http://datatracker.ietf.org/doc/draft-mavrogiannopoulos-chacha-tls/
>
> This draft specifies the use of the ChaCha stream cipher with Poly1305 in
> the TLS and DTLS protocols.  The WG needs this draft to specify code points
> in support of the recent MTI consensus call (see
> http://www.ietf.org/mail-archive/web/tls/current/msg16343.html).  If you
> object to the adoption of this draft as a WG item, please respond to the
> list indicating why by 20150602.
>
> 2) It is a request for an early code point assignment:
>
> We have a request for an early code point assignment for the cipher suites
> listed in the draft.  If you have a concern with an early code point
> assignment for the ciphers listed in this draft, please respond to the list
> indicating why by 20150602.
>

I am in favor of this draft.

Prior to doing the code point assignment, however, we should resolve
the question of the per-record nonce algorithm. The current draft uses
an algorithm that is not consistent either with the algorithm we use for
GCM or TLS 1.3.

- TLS 1.2 GCM: 32-bit fixed salt || 64-bit explicit per-record IV
- TLS 1.3: fixed mask XORed with the record sequence number
- ChaCha: 32-bit fixed salt || record sequence number

On another thread, people have expressed the opinion that ChaCha should
be consistent with GCM for both 1.2 and 1.3, but if we're going to do that
we minimally need to change the algorithm for 1.2 (at the cost of 8 bytes
per record).

I don't have a strong opinion about this, but we should resolve it now.

-Ekr


> Thanks,
>
> J&S
>
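
The three per-record nonce layouts listed in the message above, side by side, as an added example that is not part of the original e-mail or of the draft. Assumptions: a 96-bit nonce in every layout, the TLS 1.3 sequence number left-padded with zeros to the mask length, the TLS 1.2 GCM explicit IV set to the sequence number, and constructed salt and mask values.

```python
NONCE_LEN = 12  # assumed 96-bit AEAD nonce for all three layouts

# Constructed sample key-block material (not from any real connection).
SALT = bytes.fromhex("a1b2c3d4")   # 32-bit fixed salt
MASK = bytes(range(0x10, 0x1C))    # 96-bit fixed mask

def gcm12_nonce(salt: bytes, explicit_iv: bytes):
    """TLS 1.2 GCM: 32-bit fixed salt || 64-bit explicit per-record IV.
    Returns (nonce, bytes sent in the record); the explicit IV is on the wire."""
    if len(salt) != 4 or len(explicit_iv) != 8:
        raise ValueError("expected 4-byte salt and 8-byte explicit IV")
    return salt + explicit_iv, explicit_iv

def tls13_nonce(mask: bytes, seq: int):
    """TLS 1.3: fixed mask XORed with the record sequence number.
    Zero left-padding of the sequence number is an assumption here."""
    if len(mask) != NONCE_LEN:
        raise ValueError("expected 12-byte mask")
    padded = seq.to_bytes(NONCE_LEN, "big")
    return bytes(m ^ s for m, s in zip(mask, padded)), b""

def chacha_draft_nonce(salt: bytes, seq: int):
    """ChaCha draft: 32-bit fixed salt || record sequence number.
    Both peers already track seq, so nothing extra is sent."""
    if len(salt) != 4:
        raise ValueError("expected 4-byte salt")
    return salt + seq.to_bytes(8, "big"), b""

def summarize(salt: bytes, mask: bytes, seqs):
    """Per layout: (all nonces distinct?, total nonce bytes put on the wire)."""
    seqs = list(seqs)
    builders = {
        # Explicit IV = sequence number: a common sender choice, assumed here.
        "tls12-gcm": lambda s: gcm12_nonce(salt, s.to_bytes(8, "big")),
        "tls13": lambda s: tls13_nonce(mask, s),
        "chacha-draft": lambda s: chacha_draft_nonce(salt, s),
    }
    out = {}
    for name, build in builders.items():
        results = [build(s) for s in seqs]
        distinct = len({nonce for nonce, _ in results}) == len(seqs)
        out[name] = (distinct, sum(len(wire) for _, wire in results))
    return out

if __name__ == "__main__":
    for name, (distinct, wire) in summarize(SALT, MASK, range(1000)).items():
        print(f"{name:13s} distinct={distinct} wire_bytes={wire}")
```

With the explicit IV set to the sequence number, the TLS 1.2 GCM nonce and the draft ChaCha nonce are byte-identical; the layouts differ only in whether those 8 bytes are carried in each record.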