IETF Logo Mail Archive

Re: [TLS] Comments on

Adam Langley <agl@google.com> Fri, 14 February 2014 17:45 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3E6D1A0214 for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 09:45:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.627
X-Spam-Level:
X-Spam-Status: No, score=-1.627 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NeV8Y5Q2YcJe for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 09:45:43 -0800 (PST)
Received: from mail-ve0-x236.google.com (mail-ve0-x236.google.com [IPv6:2607:f8b0:400c:c01::236]) by ietfa.amsl.com (Postfix) with ESMTP id 3C8C11A02A5 for <tls@ietf.org>; Fri, 14 Feb 2014 09:45:43 -0800 (PST)
Received: by mail-ve0-f182.google.com with SMTP id jy13so10202365veb.27 for <tls@ietf.org>; Fri, 14 Feb 2014 09:45:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=g3xaSd4rcfeh/skc0LI47GgBwqWmO8u9AfNboxPwf54=; b=kjLYmv0TLemWPfgDxAotdS/Tpmm4bjK0Pxt8xMFGSAbthGmUmX5Fw0LyQrA+ZX/3VT vpfYBDbmwD/7ywfQa0xqWg36Ibue8D2Y6GQKaPvUvIgcgphLym9ydDB4vdQfpwCO3Gwa B3hbKQ0w1wfto700R00I1Rh0EPjL+UIG/UcoIUT/bYwV8nYBk2Z3gYvGtYUqL3wRWyOd PpKADVYy3a4VMGa98ArBjFXRgURPOPc5f6ajK39Lw8ci7kERMzgIqCPFU7IX18upUkEK jyxh4AiBYTTn0uKgB/tjlckUI5dVqxcNl7lMxJHTevkHGj2e0AIVAYskhzUyuhCsbalZ 2kLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=g3xaSd4rcfeh/skc0LI47GgBwqWmO8u9AfNboxPwf54=; b=PcWwaFnsTzSe1dfIuqsSiDhx6AQqM2VL3mTi4OaY07Ht+HfYpbDxY8UkApynRgH82d FPnUQyNmdaWuM5I8JI8FWUzyX79Zvjq80a20ow9NQjk4YMba/LlFNug3wR0+HPLzs+nb XTKvybWkvL29mK5kLr17xPzYQmJ5N7lgrEC74Jp8t1A93BBsJp9zHvt76ybXieVVxdRa Xe3m3hg6Sqo2pd/oZNmvUynL1/gsSsDkukjL+W2SMrirFRUXglCRvCc6lSw+Zhdv0eaA VvzCGdtiuRNswlw3ojv7HIQ7CO0Sk07ilytC0q2jan4gIf7TyygAwYO6Kph86jqw4PC8 zeGg==
X-Gm-Message-State: ALoCoQl3DPGgODvM5sG3DtQzYIsmXOS6lCWtBJVKlegdzHhhx766gsSWLRRMKTbM2vuQZdC5Bi/jTAUeq3VTsHHRnbOKRuYhQE8OjSmIcHkum5G6bWpHCoqpVSN75nA4/ypkESD7cImcAol/epBQ1eEErM+IDaQgFhVcVoEqIVV4UI45C8h68aGcqiAt0HfjAOFGTleBmy0D
X-Received: by 10.52.30.167 with SMTP id t7mr1622212vdh.36.1392399941385; Fri, 14 Feb 2014 09:45:41 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.104.37 with HTTP; Fri, 14 Feb 2014 09:45:21 -0800 (PST)
In-Reply-To: <nna9dum6fk.fsf@bacon.lysator.liu.se>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se> <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com> <nna9dum6fk.fsf@bacon.lysator.liu.se>
From: Adam Langley <agl@google.com>
Date: Fri, 14 Feb 2014 12:45:21 -0500
Message-ID: <CAL9PXLyC98rc73x7o4gDeu-UBz1k0VP_qTdbCqgSSObuKf9+LA@mail.gmail.com>
To: Niels Möller <nisse@lysator.liu.se>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BQXaDD1LT2xjmr9MmJDQRorBO6Y
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 17:45:45 -0000

On Fri, Feb 14, 2014 at 3:42 AM, Niels Möller <nisse@lysator.liu.se> wrote:
> Thanks for the pointer. This specifies a 96-bit nonce, both for chacha
> and chacha20-poly1305. I'm a bit confused by the different definition
> of chacha, with a 32-bit counter and 96-bit nonce, rather than 64 bits
> each like in the chacha spec.

It appears that IPSec wants the extra 32 bits of nonce. Although this
is an important change in definition it doesn't actually change the
wire-format for TLS because the record-length limit means that those
bits are always zero anyway in both cases.

> I agree that most applications shouldn't use streaming operation, at
> least for decryption. But I also think there are valid usecases for
> streaming operation, e.g., processing a large file where you really want
> a single indication of autenticity for the complete file. In GNU Nettle,
> which is a general purpose but pretty low level crypto library, I'd like
> to support aead streaming operation whenever possible.

Keep in mind that it affects more than just your users. By making
streaming designs easy you allow people to make bad designs (like CMS)
that force streaming designs on others in order to handle large files.
The point of AEADs is that it's an easier primitive to use. It would
be doubly unfortunate if they ended up with a sharp edge by returning
unauthenticated plaintext.

> For some numbers, my current implementation is 101 non-comment lines of
> C (on top of chacha and poly1305 building blocks). Of those, 20% of the
> lines and 80% of the if statements are for the insertion of the ad
> length.

Thanks. I understand why omitting the length would be easier for you
and it doesn't deeply bother me either way. The WG can figure it out.

However, my preference would be to leave it as is because I've already
got code that does it that way and I don't believe that streaming is
something that should be made easy.

> I see. Vaguely related question: Do you see any need for 128-bit chacha
> keys? They're not really in the very short chacha paper, but they are in
> the reference implementation.

Since they are no faster I don't believe that anyone will want to
support them. However, I may be wrong about that.


Cheers

AGL

v2.23.0 | Report a Bug | By Email