Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

[Dr Stephen Henson <lists@drh-consultancy.co.uk>]

On 20/09/2013 17:10, Christian Kahlo wrote:
> 
> Even some other standards bodies like ISO, CEN, BSI, etc. agreed on CBC-modes
> 
> (with or without EtM) as a lowest common factor with TLS.
> 
> So CBC WILL(!) exist regardless what you're specifying here. ;-)
> 
> There also at least implementations in our Federal project, OpenSSL, Bouncy
> 
> Castle and as I heard CyaSSL, too.
> 

This has some interesting parallels with FIPS 140-2. Currently the only approved
symmetric algorithms for FIPS 140-2 and TLS are AES-GCM, AES-CBC and DES3-CBC.
If you can't deploy TLS 1.2 you're then stuck with CBC.

Getting new algorithms approved by a standards body wont happen overnight and
might not happen at all. Algorithms tests and implementation guidance,
discussion periods etc will be needed all of which takes time.

On top of that adding new algorithms to an existing module requires retesting,
typically on every platform affected. That is expensive and laborious but wont
dent larger corporations budgets much. What will hurt more is that getting a new
validation done might take 9 months to a year after submission (more in some
cases) to get final approval.

What that means in practice is that when ciphersuites using new algorithms are
approved for TLS expect a delay of 1-2 years before they can be deployed with
FIPS 140-2 and they may not even get approved at all.

By contrast Peter's ETM spec, as it doesn't need any new algorithms, could be
deployed as soon as it is approved.

I'm not saying that we don't approve new algorithms and ciphers suites. I'm
saying we need ETM as well.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.