Re: [TLS] (offline note) Re: Confirming Consensus on supporting only AEAD ciphers

Manuel Pégourié-Gonnard <mpg@polarssl.org> Tue, 06 May 2014 17:09 UTC

Message-ID: <5369172F.8090102@polarssl.org>
Date: Tue, 06 May 2014 19:09:03 +0200
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
To: Michael StJohns <msj@nthpermutation.com>, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, Rene Struik <rstruik.ext@gmail.com>
References: <86E69268-DC0A-43E7-8CF5-0DAE39FD4FD5@cisco.com> <84C4848E-7843-4372-93AA-C1F017C3E088@cisco.com> <535FE558.2090306@nthpermutation.com> <C7763F74-94D4-4E18-86FC-F0E70488B5BD@cisco.com> <5368DAED.3020000@gmail.com> <5528AE3F-2483-42EA-949F-E3FC6774A4FC@cisco.com> <53690CB5.1060704@nthpermutation.com>
In-Reply-To: <53690CB5.1060704@nthpermutation.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/8ai-reYpQrBpXtU-MEqXIc_zjKU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] (offline note) Re: Confirming Consensus on supporting only AEAD ciphers
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On 06/05/2014 18:24, Michael StJohns wrote:
> On 5/6/2014 11:11 AM, Joseph Salowey (jsalowey) wrote:
>> On May 6, 2014, at 5:51 AM, Rene Struik <rstruik.ext@gmail.com> wrote:
>>
>>> Hi Joe:
>>>
>>> In general, an AEAD mode takes as input two strings a and m and a key k, and authenticates a and m, while encrypting m. If m is the empty string, this results in an authentication-only mode.
>>>
>>> Thus, AEAD modes can be used to provide suitable combinations of authentication and/or encryption. Examples hereof include the GCM mode and CCM mode.
>>>
>> [Joe] Yes, but I don't think any of the defined cipher suites for AES-GCM or AES-CCM support an authentication-only mode.  If authentication-only support is desired then additional cipher suites would have to be defined.
> 
> If a message consists of 100 bytes of AAD and 0 bytes of plaintext, then the output of an AEAD cipher is the integrity tag over the 100 bytes of AAD and no cipher text.  That's pretty much authentication-only.
> 
Sure, but as Joe said, within TLS you would need new ciphersuites for that.
While AES-GCM and AES-CCM in general can do authentication-only, in TLS
currently they can't because there is no way to include the payload in the AAD
and to send it in the clear.

Manuel.
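
[Editor's worked example, added to this archived message; it is not code from the thread, from PolarSSL, or from any participant.] The two points made above can be shown with Go's standard-library AES-GCM. AuthOnlyTag is Michael's "100 bytes of AAD and 0 bytes of plaintext" case: Seal with an empty message returns nothing but the 16-byte tag over the AAD, so a receiver who has the AAD can verify it with Open. TLS12GCMRecord then assembles a TLS 1.2 AES-GCM record fragment as RFC 5288 section 3 and RFC 5246 section 6.2.3.3 define it: the 13 header bytes (sequence number, type, version, length) are the only AAD, and the payload goes in exclusively as the plaintext argument, which is Manuel's point that the existing ciphersuites offer no slot for an authenticated-but-cleartext payload. The key, salt, explicit nonce, sequence number and HTTP payload are constructed values for the demo; in a real connection they come from the handshake and the record layer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// newGCM wraps AES (16-, 24- or 32-byte key) in GCM. GCM nonces are 12 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// AuthOnlyTag is the case where the message m is the empty string: every byte
// goes in as AAD, nothing is encrypted, and the entire output of Seal is the
// 16-byte GCM tag computed over the AAD (and bound to key and nonce).
func AuthOnlyTag(key, nonce, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, nil, aad), nil
}

// VerifyAuthOnly runs Open on a "ciphertext" that is just the tag, with the
// same AAD. Any change to AAD, nonce, key or tag makes Open return an error.
func VerifyAuthOnly(key, nonce, aad, tag []byte) bool {
	aead, err := newGCM(key)
	if err != nil {
		return false
	}
	_, err = aead.Open(nil, nonce, tag, aad)
	return err == nil
}

// TLS12GCMRecord builds the GenericAEADCipher fragment of a TLS 1.2 AES-GCM
// record (RFC 5288 section 3 and RFC 5246 section 6.2.3.3):
//   nonce           = salt (4 bytes, implicit, from the key block) || nonce_explicit (8 bytes, on the wire)
//   additional_data = seq_num (8) || type (1) || version (2) || length (2)   -- header only, 13 bytes
//   fragment        = nonce_explicit || AEAD-Encrypt(plaintext = payload)
// The payload is only ever the plaintext argument; the AAD slot carries the
// record header alone, so the ciphersuite as defined cannot authenticate the
// payload through the AAD while sending it unencrypted.
func TLS12GCMRecord(key, salt, nonceExplicit []byte, seqNum uint64, contentType byte, version uint16, payload []byte) ([]byte, error) {
	if len(salt) != 4 || len(nonceExplicit) != 8 {
		return nil, fmt.Errorf("salt must be 4 bytes and nonce_explicit 8 bytes")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := append(append([]byte{}, salt...), nonceExplicit...)

	aad := make([]byte, 13)
	binary.BigEndian.PutUint64(aad[0:8], seqNum)
	aad[8] = contentType
	binary.BigEndian.PutUint16(aad[9:11], version)
	binary.BigEndian.PutUint16(aad[11:13], uint16(len(payload))) // TLSCompressed.length

	ciphertextAndTag := aead.Seal(nil, nonce, payload, aad)
	return append(append([]byte{}, nonceExplicit...), ciphertextAndTag...), nil
}

func main() {
	// Constructed demo values; real keys and nonces come from the handshake.
	key := []byte("0123456789abcdef")
	nonce := make([]byte, 12)
	aad := make([]byte, 100) // 100 bytes of AAD, 0 bytes of plaintext

	tag, _ := AuthOnlyTag(key, nonce, aad)
	fmt.Printf("auth-only: %d bytes out (tag only), verifies: %v\n", len(tag), VerifyAuthOnly(key, nonce, aad, tag))
	aad[0] ^= 0x01
	fmt.Printf("after flipping one AAD bit, verifies: %v\n", VerifyAuthOnly(key, nonce, aad, tag))

	payload := []byte("GET / HTTP/1.1\r\nHost: example.org\r\n\r\n")
	rec, _ := TLS12GCMRecord(key, []byte{1, 2, 3, 4}, []byte{0, 0, 0, 0, 0, 0, 0, 1}, 1, 23, 0x0303, payload)
	fmt.Printf("TLS 1.2 GCM fragment: %d bytes = 8 nonce_explicit + %d ciphertext + 16 tag\n", len(rec), len(payload))
}
```

Reading TLS12GCMRecord next to AuthOnlyTag makes the gap concrete: to get authentication-only in TLS one would have to move the payload from the plaintext parameter into the additional_data parameter, and that is a different record construction, i.e. a new ciphersuite, not a usage option of the existing AES-GCM or AES-CCM suites.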