Re: [TLS] Pull Request: Removing the AEAD explicit IV

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sat, 21 March 2015 19:54 UTC

Date: Sat, 21 Mar 2015 21:53:56 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/C4y10YjPfQc88tmuaLsHuiI_BYA>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Pull Request: Removing the AEAD explicit IV

On Sat, Mar 21, 2015 at 12:22:44PM -0700, Eric Rescorla wrote:
> On Sat, Mar 21, 2015 at 12:20 PM, Adam Langley <agl@imperialviolet.org>
> wrote:
> 
> > On Sat, Mar 21, 2015 at 11:58 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> > > Adam, Brian, what would you think of XOR rather than addition?
> > >
> > > E.g., generate a per-connection value V and then do:
> > >
> > > Nonce = Seq XOR V?
> >
> > It's invertible so can't break uniqueness. So that would be ok too. Is
> > V a 12-byte (or whatever) value and thus fixes the upper 4 (or
> > whatever) bytes of the nonce?
> >
> 
> I was thinking that we would generate an N_MIN long V and XOR
> it with Seq. So, yes, N_MAX - 8 bytes would be effectively fixed.

A few things to note:

- RFC5116 allows N_MIN=0, which means the scheme can operate without
  nonces, but there don't seem to be any such registered algorithms.
- There are registered AEAD algorithms with N_MIN<8, N_MAX>8.
- Some registered algorithms have huge N_MAX.


-Ilari
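A sketch of the Nonce = Seq XOR V construction discussed above, with the N_MIN<8 case from Ilari's notes treated as an error rather than silently truncating the sequence number. This is an added example, not code from the thread or from any TLS implementation; the 12-byte nonce length, the random V and the helper names are constructed for illustration.

```python
import secrets

SEQ_LEN = 8  # TLS record sequence numbers are 64-bit


def supports_64bit_seq(nonce_len: int) -> bool:
    """True iff a nonce_len-byte nonce can carry the whole 64-bit sequence number.
    Ilari's caveat: some registered AEADs have N_MIN < 8, where this fails."""
    return nonce_len >= SEQ_LEN


def new_connection_value(nonce_len: int) -> bytes:
    """Per-connection V of N_MIN length (here taken as the AEAD's nonce length)."""
    return secrets.token_bytes(nonce_len)


def make_nonce(seq: int, v: bytes, nonce_len: int) -> bytes:
    """Nonce = Seq XOR V. Seq is zero-padded on the left to nonce_len bytes,
    so the upper nonce_len - 8 bytes of the nonce are effectively fixed to V."""
    if len(v) != nonce_len:
        raise ValueError("V must be exactly nonce_len bytes")
    if not supports_64bit_seq(nonce_len):
        raise ValueError(f"{nonce_len}-byte nonce cannot hold a {SEQ_LEN}-byte Seq")
    if not 0 <= seq < 1 << (8 * SEQ_LEN):
        raise ValueError("sequence number out of 64-bit range")
    padded = seq.to_bytes(nonce_len, "big")
    return bytes(a ^ b for a, b in zip(padded, v))


def recover_seq(nonce: bytes, v: bytes) -> int:
    """XOR with a fixed V is its own inverse, which is why uniqueness of Seq
    carries over to the nonce: distinct Seq values give distinct nonces."""
    return int.from_bytes(bytes(a ^ b for a, b in zip(nonce, v)), "big")


def all_unique(v: bytes, nonce_len: int, count: int) -> bool:
    """Check that the first `count` sequence numbers map to distinct nonces."""
    return len({make_nonce(s, v, nonce_len) for s in range(count)}) == count


if __name__ == "__main__":
    v = new_connection_value(12)  # constructed: 12-byte nonce as used by AES-GCM
    for s in (0, 1, 2**32, 2**64 - 1):
        n = make_nonce(s, v, 12)
        assert recover_seq(n, v) == s
        print(s, n.hex())
    print("unique over 1000 records:", all_unique(v, 12, 1000))
```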