Re: [TLS] chacha to replace RC4 (was: Salsa vs. ChaCha)
Nikos Mavrogiannopoulos <nmav@redhat.com> Sat, 07 December 2013 13:19 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 913721ADFA2 for <tls@ietfa.amsl.com>; Sat, 7 Dec 2013 05:19:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GqC0NLuVrqZQ for <tls@ietfa.amsl.com>; Sat, 7 Dec 2013 05:19:51 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id A7A401ADF8D for <tls@ietf.org>; Sat, 7 Dec 2013 05:19:51 -0800 (PST)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id rB7DJkLv018408 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 7 Dec 2013 08:19:46 -0500
Received: from [10.10.59.183] (vpn-59-183.rdu2.redhat.com [10.10.59.183]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id rB7DJhZn006248 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 7 Dec 2013 08:19:45 -0500
Message-ID: <1386422383.2106.18.camel@aspire.lan>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Brian Smith <brian@briansmith.org>
Date: Sat, 07 Dec 2013 14:19:43 +0100
In-Reply-To: <CAFewVt5_bu1cr8UoauFSWqyGmR5hTgAnHJVKfcGG1+EnpGFcTw@mail.gmail.com>
References: <CAM_a8JzY8VGq+N-5YbDk_3EdXkKJzof1BtUTVY8pJev2HZ9U6g@mail.gmail.com> <1384850165.2542.13.camel@dhcp-2-127.brq.redhat.com> <5296C6D7.2040509@dei.uc.pt> <1386332388.3430.22.camel@dhcp-2-127.brq.redhat.com> <CABqy+spiBPaGrk7ipeWvC2Z_B=MeDVZAmmEbXL-Pa2Lf-6UA2Q@mail.gmail.com> <1386335697.3430.31.camel@dhcp-2-127.brq.redhat.com> <CAFewVt5_bu1cr8UoauFSWqyGmR5hTgAnHJVKfcGG1+EnpGFcTw@mail.gmail.com>
Organization: Red Hat
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
Cc: tls@ietf.org
Subject: Re: [TLS] chacha to replace RC4 (was: Salsa vs. ChaCha)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Dec 2013 13:19:53 -0000
On Fri, 2013-12-06 at 19:44 -0800, Brian Smith wrote: > AFAICT, there's no technical reason to prohibit AEAD in TLS 1.0 or TLS > 1.1. > > Also, I don't think TLS 1.2 is that much code to add to a TLS 1.0 or > TLS 1.1 implementation, especially if you're not supporting any new > cipher suites except the new ChaCha20 ones, and if you're not trying to > support any functionality above what what TLS 1.0 and TLS 1.1 provide. > Consequently, I don't think we should consider the AEAD construction to > be too much of a burden for anybody to implement in order to support > new cipher suites. Hello, I agree that there is no technical reason to prohibit AEAD in TLS 1.x, x<2, but exactly for this prohibition, the old non-TLS 1.2 supporting implementations don't have support for AEAD. Their design is often agile in the sense that a new cipher or MAC can be easily added, but adding an AEAD cipher there is a non-trivial matter. If by AEAD you mean Adam's draft, then there is also the question why replace RC4-HMAC-SHA1 with AEAD-CHACHA-POLY1305 when you only need to fix RC4? (and we have no reasons to believe that HMAC-SHA1 is broken). If you suggestion is to make CHACHA-HMAC-SHA1 an AEAD design, I don't think that this is needed. Unlike AEAD-CHACHA-POLY1305 which is inherently an AEAD design, there is no advantage gained by making CHACHA-HMAC-SHA1 an AEAD cipher - except for saying "cool it is AEAD", and making it more difficult for old implementations to use it. regards, Nikos
- [TLS] Salsa vs. ChaCha Zooko Wilcox-OHearn
- Re: [TLS] Salsa vs. ChaCha Nikos Mavrogiannopoulos
- Re: [TLS] Salsa vs. ChaCha Samuel Neves
- Re: [TLS] Salsa vs. ChaCha Nikos Mavrogiannopoulos
- [TLS] chacha to replace RC4 (was: Salsa vs. ChaCh… Nikos Mavrogiannopoulos
- Re: [TLS] chacha to replace RC4 (was: Salsa vs. C… Robert Ransom
- Re: [TLS] chacha to replace RC4 (was: Salsa vs. C… Nikos Mavrogiannopoulos
- Re: [TLS] chacha to replace RC4 (was: Salsa vs. C… Nikos Mavrogiannopoulos
- Re: [TLS] chacha to replace RC4 (was: Salsa vs. C… Nick Mathewson
- Re: [TLS] chacha to replace RC4 (was: Salsa vs. C… Nikos Mavrogiannopoulos
- Re: [TLS] chacha to replace RC4 (was: Salsa vs. C… Robert Ransom
- Re: [TLS] chacha to replace RC4 Manuel Pégourié-Gonnard
- Re: [TLS] chacha to replace RC4 (was: Salsa vs. C… Samuel Neves
- Re: [TLS] chacha to replace RC4 (was: Salsa vs. C… Brian Smith
- Re: [TLS] chacha to replace RC4 (was: Salsa vs. C… Nikos Mavrogiannopoulos