Re: [TLS] Pull Request: Removing the AEAD explicit IV

Eric Rescorla <ekr@rtfm.com> Thu, 19 March 2015 19:59 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B65AB1A8F3E for <tls@ietfa.amsl.com>; Thu, 19 Mar 2015 12:59:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z-usiasMnzUZ for <tls@ietfa.amsl.com>; Thu, 19 Mar 2015 12:59:12 -0700 (PDT)
Received: from mail-we0-f180.google.com (mail-we0-f180.google.com [74.125.82.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB9EC1A8881 for <tls@ietf.org>; Thu, 19 Mar 2015 12:59:11 -0700 (PDT)
Received: by wegp1 with SMTP id p1so66167502weg.1 for <tls@ietf.org>; Thu, 19 Mar 2015 12:59:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=1fPtgCSfW5fsYioeQBBmxwCB4YmAFtG1z7g8+Cs/h5w=; b=QcJyMmm2/WuOivy6mHN5xdjjT1EGoHNoUKm+RNTi7ZU7tghOCl7bbWmOgErVnKE+4F HSNkMo/Tuxs/AbwcxA9S0e8nN42goICKBrqC6nS8FY3T/OUMZBwdhVcXzyJ7nMiRyMOb +GZc0J+mMwQ3jp/sPLX3wit3VOQpkcDUcyanongPtR0Zu8NeYaomhBOVHtCcDUWLSi7g lBFiAHfG128mIyyNHflo3E4vQbg4UeEwi+OBBbMkbZEUtekEHn9x8l80y+UMlhiDSKCx wSsB1eUtnZKtdJyVeXBw2nnXc+S5zR2l8xkbFHyY9r3imN3yKTalgbqsusXMEjHpKx+h LLGA==
X-Gm-Message-State: ALoCoQmE3IThx3D9Oc+L3PTYZ+bzphSq9nFIQeS2kH7DK52xoghVpk0o2qZIgRNbSXt50Ip6mATm
X-Received: by 10.194.185.68 with SMTP id fa4mr151925176wjc.111.1426795150469; Thu, 19 Mar 2015 12:59:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.205.198 with HTTP; Thu, 19 Mar 2015 12:58:30 -0700 (PDT)
In-Reply-To: <CAFewVt7_+oqy0EczdaxVpgS9gkzp8EMjLCgjXj+DE7S-e94Q7A@mail.gmail.com>
References: <CABcZeBPfasM5HmJaATLUHQKRgiSGCreJt1T=UoDBGCbcuzyW8Q@mail.gmail.com> <CAFewVt7_+oqy0EczdaxVpgS9gkzp8EMjLCgjXj+DE7S-e94Q7A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 19 Mar 2015 12:58:30 -0700
Message-ID: <CABcZeBMN=0GUsqDMnLM5eTg54t6Sn0ME9213ts75OXLKZxr9+w@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Content-Type: multipart/alternative; boundary=047d7bacb11e1cb5db0511a9a26a
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/5mXskkpxY2ygfe0FTEWmshE8C80>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Pull Request: Removing the AEAD explicit IV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2015 19:59:13 -0000

On Thu, Mar 19, 2015 at 12:53 PM, Brian Smith <brian@briansmith.org>; wrote:

> Eric Rescorla <ekr@rtfm.com>; wrote:
> > PR: https://github.com/tlswg/tls13-spec/pull/155
> > Target merge date: 3/21
>
> My concern about this is the same one already raised on the CFRG mailing
> list:
>    http://www.ietf.org/mail-archive/web/cfrg/current/msg04867.html
> in response to:
>    http://www.ietf.org/mail-archive/web/cfrg/current/msg04820.html
>
> In particular, massively parallel attacks on many keys at once seem
> like the most promising way to break AES-128. It seems bad to have
> popular endpoints encrypting the same plaintext block (e.g. "GET /
> HTTP/1.1\r\n") with the same nonce (1) with different keys. That seems
> like exactly the recipe for making such attacks succeed.
>

Are other people concerned about this issue? I seem to remember this
being discussed in the interim and AGL being opposed to this change.



> It seems like it would be better, instead, to require that the initial
> nonces to be calculated from the keyblock established during key
> agreement,


Is there any reason why these should be derived from the keyblock
as opposed to from purely public information such as the random
values?



> and then have them incremented as counters (with
> wraparound) in the same fashion as being proposed.


Can you explain why you think they need to change? I note that TLS 1.2
currently does not behave in this fashion.

-Ekr