Re: [TLS] Confirming Consensus on supporting only AEAD ciphers

Ralph Holz <holz@net.in.tum.de> Tue, 29 April 2014 17:32 UTC

Message-ID: <535FE210.40909@net.in.tum.de>
Date: Tue, 29 Apr 2014 19:32:00 +0200
From: Ralph Holz <holz@net.in.tum.de>
To: tls@ietf.org
References: <86E69268-DC0A-43E7-8CF5-0DAE39FD4FD5@cisco.com> <84C4848E-7843-4372-93AA-C1F017C3E088@cisco.com> <535F6684.1040701@azet.sk>
In-Reply-To: <535F6684.1040701@azet.sk>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BnUZWD--149btwu3TsMNJjCiahY

Hi,

On 04/29/2014 10:44 AM, Fedor Brunner wrote:

> The Mandatory Cipher Suite for TLS 1.2 was
> TLS_RSA_WITH_AES_128_CBC_SHA. What is the mandatory cipher in TLS
> 1.3 ?
> 
> Maybe TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 using Curve25519
> for ECDHE ?

For current TLS 1.2, the UTA BCP [1] suggests
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. It also asks for
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, and
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 to be supported by implementations.

It might be nice to keep the BCP in line with TLS 1.3 suggestions.

As for the symmetric ciphers... I acknowledge there is resistance
against GCM due to side-channel issues, but really, with the current
combination of encryption and MACs, I see no alternative there bar the
new stream ciphers.

Maybe it's time Peter's draft is finally moved forward - although I
still object to the use of extensions to indicate encrypt-then-mac.

(Part of my reasoning is that using extensions complicates the
protocol, which leads to more complexity in implementations.)

Ralph

[1] http://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/?include_text=1

[2] http://tools.ietf.org/html/draft-gutmann-tls-encrypt-then-mac-05

> 
> Fedor
> 
> On 26.04.2014 17:24, Joseph Salowey (jsalowey) wrote:
>> The consensus from the IETF-89 meeting holds, TLS 1.3 will only
>> use record layer protection of type AEAD. The Editor is requested
>> to make the appropriate changes to the draft on github.
>> 
>> Joe [For the chairs]
>> 
>> On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey)
>> <jsalowey@cisco.com> wrote:
>> 
>>> TLS has supported a number of different cipher types for
>>> protecting the record layer. In TLS 1.3 these include Stream
>>> Cipher, CBC Block Cipher and AEAD Cipher. The construction of the
>>> CBC mode within TLS has been shown to be flawed and stream ciphers
>>> are not generally applicable to DTLS. Using a single mechanism for
>>> cryptographic transforms would make security analysis easier.
>>> AEAD ciphers can be constructed from stream ciphers and block
>>> ciphers and are defined as protocol independent transforms. The
>>> consensus in the room at IETF-89 was to only support AEAD ciphers
>>> in TLS 1.3. If you have concerns about this decision please respond
>>> on the TLS list by April 11, 2014.
>>> 
>>> Thanks,
>>> 
>>> Joe [Speaking for the TLS chairs]
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
> 

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
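As an added example, not part of Ralph's message or of any TLS working group code, the following Python script does what a defender auditing a configured suite list would want after reading this thread: it parses IANA-style cipher-suite names and reports which suites use an AEAD transform (the only record protection the chairs' note keeps for TLS 1.3), which still rely on the CBC MAC-then-encrypt construction or RC4, and which lack forward secrecy. The UTA_BCP_SUPPORT set is copied from the four suites Ralph lists; SAMPLE_CONFIG, the function names, and the TLS 1.3 name form (taken from the final RFC 8446 naming, which postdates this thread) are assumptions of the example.

```python
"""Classify TLS cipher-suite names by record-protection construction.

Added example, not code from the mailing-list post or the TLS working
group. UTA_BCP_SUPPORT is copied from Ralph's message; SAMPLE_CONFIG and
all function names are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Suites the UTA BCP draft asks implementations to support (from the message).
UTA_BCP_SUPPORT = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# TLS 1.2 naming: TLS_<kx>[_<auth>]_WITH_<cipher>_<prf hash>
TLS12_RE = re.compile(
    r"^TLS_(?P<kx>[A-Za-z]+)(?:_(?P<auth>[A-Za-z]+))?_WITH_"
    r"(?P<cipher>.+)_(?P<hash>SHA\d*|MD5)$"
)
# TLS 1.3 naming (RFC 8446, an assumption for this example): TLS_<aead>_<hash>;
# the key exchange is negotiated separately and is always ephemeral.
TLS13_RE = re.compile(r"^TLS_(?P<cipher>.+)_(?P<hash>SHA\d+)$")

AEAD_SUFFIXES = ("_GCM", "_CCM", "_CCM_8", "CHACHA20_POLY1305")
FORWARD_SECRET_KX = {"ECDHE", "DHE"}


@dataclass
class Suite:
    name: str
    key_exchange: Optional[str]  # None for TLS 1.3 names
    cipher: str                  # e.g. "AES_128_GCM", "AES_128_CBC", "RC4_128"
    aead: bool
    forward_secret: bool


def is_aead(cipher: str) -> bool:
    """True for the AEAD transforms TLS defines (GCM, CCM, ChaCha20-Poly1305)."""
    return any(cipher.endswith(s) for s in AEAD_SUFFIXES)


def parse_suite(name: str) -> Suite:
    """Split a suite name into its parts; raises ValueError on unknown shapes."""
    m = TLS12_RE.match(name)
    if m:
        kx, cipher = m.group("kx"), m.group("cipher")
        return Suite(name, kx, cipher, is_aead(cipher), kx in FORWARD_SECRET_KX)
    m = TLS13_RE.match(name)
    if m:
        cipher = m.group("cipher")
        return Suite(name, None, cipher, is_aead(cipher), True)
    raise ValueError(f"unrecognised cipher suite name: {name}")


def tls13_eligible(suite: Suite) -> bool:
    """The chairs' decision: only AEAD record protection survives into TLS 1.3."""
    return suite.aead


def findings(suite: Suite) -> List[str]:
    """Human-readable concerns for one suite; empty list means none."""
    notes = []
    if suite.cipher == "NULL":
        notes.append("NULL cipher: no confidentiality")
    elif suite.cipher.endswith("_CBC"):
        notes.append("CBC mode: MAC-then-encrypt record construction, not an AEAD")
    elif suite.cipher.startswith("RC4"):
        notes.append("RC4 stream cipher: not an AEAD, not usable with DTLS")
    elif not suite.aead:
        notes.append("non-AEAD transform")
    if not suite.forward_secret:
        notes.append("static key exchange: no forward secrecy")
    if suite.name in UTA_BCP_SUPPORT:
        notes.append("listed by the UTA BCP draft for implementations to support")
    return notes


def audit(names: List[str]) -> Dict[str, List[str]]:
    """Map each suite name in a configuration to its findings."""
    return {n: findings(parse_suite(n)) for n in names}


# Constructed sample: a server preference list mixing old and new suites.
SAMPLE_CONFIG = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for name, notes in audit(SAMPLE_CONFIG).items():
        verdict = "AEAD" if tls13_eligible(parse_suite(name)) else "drop"
        print(f"{verdict:5} {name}: {'; '.join(notes) or 'ok'}")
```

Run it directly to see each sample suite tagged AEAD or drop with its findings; `audit()` is the entry point to call from a script that reads a real server configuration. The regex deliberately rejects shapes it does not understand (for instance SRP suites with three-part key exchange names) rather than guessing, so unexpected names surface as errors instead of silently passing.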