Re: [TLS] AEAD only for TLS1.3 revisit

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Tue, 30 September 2014 21:02 UTC

From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Michael StJohns <msj@nthpermutation.com>
Thread-Topic: [TLS] AEAD only for TLS1.3 revisit
Date: Tue, 30 Sep 2014 21:01:48 +0000
Message-ID: <C0A6EF20-9999-45AA-BA6B-8755DCAEB4B9@cisco.com>
References: <542988C5.8050307@nthpermutation.com> <A46BA862-DEE1-46CF-9193-40D1EAAA14BE@cisco.com> <542B1158.4050203@nthpermutation.com>
In-Reply-To: <542B1158.4050203@nthpermutation.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/69NRrlUyzGRgMdLc0ZQqH7xvBUQ
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] AEAD only for TLS1.3 revisit

On Sep 30, 2014, at 1:23 PM, Michael StJohns <msj@nthpermutation.com> wrote:

> On 9/30/2014 3:44 PM, Joseph Salowey (jsalowey) wrote:
>> Allowing for man-in-the-middle and passive monitoring is in opposition to our current mandate. As an aside, if this becomes a requirement in the future I don't think that AEAD actually limits either of these possibilities, although your choice of cipher may.
> 
> It depends on the cipher mode. Unfortunately, the restriction/limitation applies to both CCM and GCM, the only "native" AEAD ciphers in the TLS toolchest. For CCM, the key used for encryption is the same one used for integrity. For GCM, the key used for integrity is CIPH_K(128 bits of zero), where K is the encryption key: if you have the encryption key, you can generate the integrity key.
> 
> The only other AEAD cipher suite we have in progress is https://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/ which is a constructed AEAD cipher. That basically splits the input K linearly into two pieces, the HMAC and AES keys, so it would be possible to reveal the AES subkey without revealing the HMAC key.
> 
> So the choice of AEAD effectively limits these possibilities. For all the non-AEAD suites, the integrity and encryption keys are individually derived.
> 

[Joe] Many may consider this a feature rather than a problem; however, as you state above, you can develop an AEAD ciphersuite with the properties you want.

> Mike
>
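An added example (my own Go code, not from this thread or from any TLS implementation) that checks Mike's GCM point concretely: the GHASH key H = AES_K(0^128), and therefore the authentication tag, are reconstructed from the encryption key alone, and the result is compared with the tag Go's crypto/cipher AES-GCM produces. It assumes a 96-bit IV and a full 16-byte tag; any key and nonce values used with it are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// gfMul multiplies two GF(2^128) elements in GCM's bit order (SP 800-38D, Algorithm 1).
func gfMul(x, y [16]byte) [16]byte {
	z, v := [16]byte{}, y
	for i := 0; i < 128; i++ {
		if x[i/8]&(0x80>>uint(i%8)) != 0 { for j := range z { z[j] ^= v[j] } }
		lsb := v[15] & 1
		for j := 15; j > 0; j-- { v[j] = v[j]>>1 | v[j-1]<<7 } // v >>= 1
		v[0] = v[0]>>1 ^ lsb*0xe1 // reduce modulo x^128 + x^7 + x^2 + x + 1
	}
	return z
}
// ghash is GHASH_H(A, C): zero-padded A, zero-padded C, then len(A) || len(C) in bits.
func ghash(h [16]byte, aad, ct []byte) [16]byte {
	var y, lens [16]byte
	binary.BigEndian.PutUint64(lens[:8], uint64(len(aad))*8)
	binary.BigEndian.PutUint64(lens[8:], uint64(len(ct))*8)
	for _, data := range [][]byte{aad, ct, lens[:]} {
		for len(data) > 0 {
			var x [16]byte
			data = data[copy(x[:], data):] // copy zero-pads a final partial block
			for j := range y { y[j] ^= x[j] }
			y = gfMul(y, h)
		}
	}
	return y
}
// recomputeGCMTag needs only the encryption key K: H = AES_K(0^128), tag = GHASH_H(A, C) xor AES_K(IV || 0^31 || 1).
func recomputeGCMTag(key, nonce, aad, ct []byte) []byte {
	blk, _ := aes.NewCipher(key)
	var h, mask [16]byte
	blk.Encrypt(h[:], h[:]) // the integrity key, derived from the encryption key
	blk.Encrypt(mask[:], append(append([]byte{}, nonce...), 0, 0, 0, 1)) // 96-bit IV assumed
	s := ghash(h, aad, ct)
	for i := range s { s[i] ^= mask[i] }
	return s[:]
}
// tagFromKeyMatchesStdlib seals with Go's own AES-GCM and checks the tag is reproducible from K.
func tagFromKeyMatchesStdlib(key, nonce, aad, pt []byte) bool {
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	out := gcm.Seal(nil, nonce, pt, aad)
	return string(out[len(pt):]) == string(recomputeGCMTag(key, nonce, aad, out[:len(pt)]))
}
```

The same check cannot be written for the draft-mcgrew construction: there the MAC key is a separate slice of K, so holding only the AES half gives no way to produce the HMAC tag.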