IETF Logo Mail Archive

Re: [TLS] ChaCha and IVs

Brian Smith <brian@briansmith.org> Tue, 04 March 2014 23:17 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AABE51A00A8 for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 15:17:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KAyNDAloqvR9 for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 15:17:26 -0800 (PST)
Received: from mail-qg0-f41.google.com (mail-qg0-f41.google.com [209.85.192.41]) by ietfa.amsl.com (Postfix) with ESMTP id 3E64A1A0090 for <tls@ietf.org>; Tue, 4 Mar 2014 15:17:26 -0800 (PST)
Received: by mail-qg0-f41.google.com with SMTP id i50so690708qgf.0 for <tls@ietf.org>; Tue, 04 Mar 2014 15:17:22 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Cf7YPE818+YLeJMDcHTVQrVSpcl5kvbPlXPMWwwgINw=; b=QFoSKQT9Z1YtOxEGXQngpz1DFSXBVsS2qgAu2eVvNPEAw6JjJm/H7dwsh8Usa3/96f j6Zay9BfLeUWNjSc5hdh3I8ZsFx7ATjbtGafdYsKePlIeiZrJ2zGBgR8CC8FuHQ4uJo1 ZemREMWy/oMlbeu2cxFkzDb/TYcV+L1i4A8PZhrYmXACe99lfimvfDswq0awzWKF3vXG cO1r4/d71klu/qz1tas/cxadPudgoeScEz3nydiv8ojZN6kSW52GpadpZqQKqewdglAC uYjCAE3dRDer3K5Qb4kzVqkYPQatL+kqrakvP3SzbCeNqCvBycv/fbeF3Acrn/Tk42y6 hYlw==
X-Gm-Message-State: ALoCoQkRofmq5/ZnLl46ntQKEEOyxotEoCgATQQwQbl40dM9Zu70mw3rvso+gGSz8iPl531oV9We
MIME-Version: 1.0
X-Received: by 10.224.60.193 with SMTP id q1mr2788868qah.67.1393975042582; Tue, 04 Mar 2014 15:17:22 -0800 (PST)
Received: by 10.224.37.135 with HTTP; Tue, 4 Mar 2014 15:17:22 -0800 (PST)
In-Reply-To: <53161825.7060409@bbn.com>
References: <53160513.20703@bbn.com> <1393955839.20861.20.camel@dhcp-2-127.brq.redhat.com> <53161825.7060409@bbn.com>
Date: Tue, 04 Mar 2014 15:17:22 -0800
Message-ID: <CAFewVt7Sr2dP08Uqvc0dQ3AFn2xdsYbUfOGOeJXRhJPZyAa6zw@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Stephen Kent <kent@bbn.com>
Content-Type: multipart/alternative; boundary="001a1133dee63dcfcf04f3d01be7"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9Q_1RvHz9snzZwL4kJ1jun-MBNE
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] ChaCha and IVs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 23:17:27 -0000

On Tue, Mar 4, 2014 at 10:15 AM, Stephen Kent <kent@bbn.com> wrote:

> Security evaluation for a crypto alg does not include a protocol like ESP
> or
> (D)TLS; if focuses only on the alg implementation. Thus a TLS "guarantee"
> of uniqueness is not relevant. Anyone who has had a product evaluated will
> tell you that the goal is always to minimize the amount of code that is
> subject
> to review. If one were to use a TLS (or ESP) sequence number for an IV,
> all of
> the protocol code would be part of the evaluation, and that would make the
> evaluation prolonged and very costly.


ChaCha20-Poly1304 can't be validated anyway, even if it used explicit IVs,
because it isn't an algorithm that has been approved by any agency that
requires validation.

One can have the crypto component generate the ciphertext and the counter
IV in a way that is guaranteed to be a monotonically increasing sequence.
This code would be the code that would be validated. Then, have your TLS
implementation take that counter IV that was output from the crypto
component and verify that it matches the current record number, and fail if
there is a mismatch.

Certification programs exist, in theory, to ensure that we do good, safe
things. In this case, we have a bit of bureaucracy that is getting in the
way of doing something that is clearly good and safe. The best solution to
that problem is to fix the bureaucracy. If one cannot fix the bureaucracy
then one can simply avoid implementing ChaCha20-Poly1304 and implement
AES-GCM or other cipher suites instead.

Cheers,
Brian
-- 
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)

v2.23.0 | Report a Bug | By Email