Re: [TLS] Counter structure
Russ Housley <housley@vigilsec.com> Wed, 20 December 2006 19:28 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gx77M-00044p-0a; Wed, 20 Dec 2006 14:28:44 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gx77L-00042q-Dm for tls@ietf.org; Wed, 20 Dec 2006 14:28:43 -0500
Received: from woodstock.binhost.com ([66.150.120.2]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1Gx77J-0002Bs-5A for tls@ietf.org; Wed, 20 Dec 2006 14:28:43 -0500
Received: (qmail 12392 invoked by uid 0); 20 Dec 2006 19:28:33 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (71.246.224.157) by woodstock.binhost.com with SMTP; 20 Dec 2006 19:28:33 -0000
Message-Id: <7.0.0.16.2.20061220142408.073c5008@vigilsec.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.0.16
Date: Wed, 20 Dec 2006 14:28:32 -0500
To: Eric Rescorla <ekr@networkresonance.com>, tls@ietf.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: [TLS] Counter structure
In-Reply-To: <20061219211357.942575C089@laser.networkresonance.com>
References: <20061219211357.942575C089@laser.networkresonance.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15
Cc: kent@bbn.com
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
[ SECURITY AD HAT OFF ] We had a very similar discussion when we were trying to figure out what structure to use for Counter Mode in the context of IPsec. The possibility of multiple modules was a very real concern in that context. This might be in the future for TLS too. TLS is used to provide hop-by-hop protections for SIP, and it seems to me that a media gateway may need enough hardware support for this to be an issue. I support the use of a few more bits to ensure that support for such a capability is straightforward. Russ At 04:10 PM 12/19/2006, Eric Rescorla wrote: >Currently, the (D)TLS Counter draft uses the sequence number to >generate the per-record IV. Recently, Steve Kent pointed out >a drawback of this mode which mau motivate a different counter >structure. I was hoping we could discuss this on the list >and try to reach consensus. > >Here's the issue as I understand it (Steve, please correct >me if I screw something up): > > The CTR IV is security critical in a way that the CBC IV is > not. Accordingly, for evaluated products the IV must be generated > inside the evaluation boundary where it can be insured that it's not > reused. As the IV is currently designed, this would mean that the > record sequence number was also maintained inside the security > boundary. > > Ordinarily, this isn't an issue but in implementations where you are > doing hardware record processing you might have multiple parallel > hardware modules. Synchronizing the sequence number between those > modules could be quite problematic. > > An alternate approach is to use an explicit per-record IV which can > be maintained independently by each encryption module. This IV > doesn't need to be the full block width, just long enough to prevent > collisions. If the modules use a counter or LFSR (with a few bits > reserved for module ID) to generate the IV, then you can get by with > 64 bits of IV. [0] > >So, the question is: is enabling this kind of parallel hardware >implementation a good tradeoff for 8 more bytes of record size? > >Please discuss. > >Thanks, >-Ekr > > >[0] Note that this IV size more or less precludes random IVs because of >birthday statistics. > >_______________________________________________ >TLS mailing list >TLS@lists.ietf.org >https://www1.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Counter structure Eric Rescorla
- RE: [TLS] Counter structure Blumenthal, Uri
- Re: [TLS] Counter structure Russ Housley