Re: [TLS] ChaCha and IVs
Brian Smith <brian@briansmith.org> Tue, 04 March 2014 23:17 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AABE51A00A8 for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 15:17:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KAyNDAloqvR9 for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 15:17:26 -0800 (PST)
Received: from mail-qg0-f41.google.com (mail-qg0-f41.google.com [209.85.192.41]) by ietfa.amsl.com (Postfix) with ESMTP id 3E64A1A0090 for <tls@ietf.org>; Tue, 4 Mar 2014 15:17:26 -0800 (PST)
Received: by mail-qg0-f41.google.com with SMTP id i50so690708qgf.0 for <tls@ietf.org>; Tue, 04 Mar 2014 15:17:22 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Cf7YPE818+YLeJMDcHTVQrVSpcl5kvbPlXPMWwwgINw=; b=QFoSKQT9Z1YtOxEGXQngpz1DFSXBVsS2qgAu2eVvNPEAw6JjJm/H7dwsh8Usa3/96f j6Zay9BfLeUWNjSc5hdh3I8ZsFx7ATjbtGafdYsKePlIeiZrJ2zGBgR8CC8FuHQ4uJo1 ZemREMWy/oMlbeu2cxFkzDb/TYcV+L1i4A8PZhrYmXACe99lfimvfDswq0awzWKF3vXG cO1r4/d71klu/qz1tas/cxadPudgoeScEz3nydiv8ojZN6kSW52GpadpZqQKqewdglAC uYjCAE3dRDer3K5Qb4kzVqkYPQatL+kqrakvP3SzbCeNqCvBycv/fbeF3Acrn/Tk42y6 hYlw==
X-Gm-Message-State: ALoCoQkRofmq5/ZnLl46ntQKEEOyxotEoCgATQQwQbl40dM9Zu70mw3rvso+gGSz8iPl531oV9We
MIME-Version: 1.0
X-Received: by 10.224.60.193 with SMTP id q1mr2788868qah.67.1393975042582; Tue, 04 Mar 2014 15:17:22 -0800 (PST)
Received: by 10.224.37.135 with HTTP; Tue, 4 Mar 2014 15:17:22 -0800 (PST)
In-Reply-To: <53161825.7060409@bbn.com>
References: <53160513.20703@bbn.com> <1393955839.20861.20.camel@dhcp-2-127.brq.redhat.com> <53161825.7060409@bbn.com>
Date: Tue, 04 Mar 2014 15:17:22 -0800
Message-ID: <CAFewVt7Sr2dP08Uqvc0dQ3AFn2xdsYbUfOGOeJXRhJPZyAa6zw@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Stephen Kent <kent@bbn.com>
Content-Type: multipart/alternative; boundary="001a1133dee63dcfcf04f3d01be7"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9Q_1RvHz9snzZwL4kJ1jun-MBNE
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] ChaCha and IVs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 23:17:27 -0000
On Tue, Mar 4, 2014 at 10:15 AM, Stephen Kent <kent@bbn.com> wrote: > Security evaluation for a crypto alg does not include a protocol like ESP > or > (D)TLS; if focuses only on the alg implementation. Thus a TLS "guarantee" > of uniqueness is not relevant. Anyone who has had a product evaluated will > tell you that the goal is always to minimize the amount of code that is > subject > to review. If one were to use a TLS (or ESP) sequence number for an IV, > all of > the protocol code would be part of the evaluation, and that would make the > evaluation prolonged and very costly. ChaCha20-Poly1304 can't be validated anyway, even if it used explicit IVs, because it isn't an algorithm that has been approved by any agency that requires validation. One can have the crypto component generate the ciphertext and the counter IV in a way that is guaranteed to be a monotonically increasing sequence. This code would be the code that would be validated. Then, have your TLS implementation take that counter IV that was output from the crypto component and verify that it matches the current record number, and fail if there is a mismatch. Certification programs exist, in theory, to ensure that we do good, safe things. In this case, we have a bit of bureaucracy that is getting in the way of doing something that is clearly good and safe. The best solution to that problem is to fix the bureaucracy. If one cannot fix the bureaucracy then one can simply avoid implementing ChaCha20-Poly1304 and implement AES-GCM or other cipher suites instead. Cheers, Brian -- Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
- Re: [TLS] ChaCha and IVs Adam Langley
- [TLS] ChaCha and IVs Stephen Kent
- Re: [TLS] ChaCha and IVs Watson Ladd
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Stephen Kent
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Wan-Teh Chang
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Brian Smith
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Brian Smith
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Alyssa Rowan
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Sandeep Kumar
- Re: [TLS] ChaCha and IVs Robert Cragie
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Andy Lutomirski
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Bodo Moeller