Re: [TLS] Pull Request: Removing the AEAD explicit IV
Eric Rescorla <ekr@rtfm.com> Mon, 23 March 2015 03:21 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B729D1A87A4 for <tls@ietfa.amsl.com>; Sun, 22 Mar 2015 20:21:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K1XB5RHP7WWc for <tls@ietfa.amsl.com>; Sun, 22 Mar 2015 20:21:10 -0700 (PDT)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23CA51A87A6 for <tls@ietf.org>; Sun, 22 Mar 2015 20:21:10 -0700 (PDT)
Received: by wibgn9 with SMTP id gn9so48884452wib.1 for <tls@ietf.org>; Sun, 22 Mar 2015 20:21:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=f8RusdPan0N58VahWdJCKnzVo3aCgcUAraRFXTsYIjw=; b=M7iVYZ3MauaQVu1PSx1B2P4zP2ZB/jsfbtVAMc08VPpUPZyEX7HOA3hqmaYjp/wDzM WqLwOgp3jfyo5f9/Zz7mx5XmaLtD5ukiPUeynPMwcX19J7XoN3UTWU57Eh7x7SgLxX4R Zj5PP27St4A7tj0aMAg509nijy1NwGTFpOjujXW8plEzJjbAjbKIjMlko7SeMerPL0Dl jo1sZz6ogYPSdiZrgHGEAvlkLGUdurlsRTy7ayBoH+CZWBtFFxjskJ+YHkEp1MnlOUrr sj3ziJpQTYm7//H0GGXZcW5SEyEal0YprC3PxFmXBhc+Xk3/Hufgf1O+OqWoAN842JmC 6Siw==
X-Gm-Message-State: ALoCoQmyl+VgbYRoKHa9SUocQSeMTCGpeuEbY8mfWFTMNJtxh65nie53JvgP5SDRzg96ZBOi1PEk
X-Received: by 10.180.80.164 with SMTP id s4mr7963868wix.78.1427080868911; Sun, 22 Mar 2015 20:21:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.205.198 with HTTP; Sun, 22 Mar 2015 20:20:27 -0700 (PDT)
In-Reply-To: <CAFewVt66vLEHSUMvnZ2N+uT0542vL27T4VQSYe1SSRhZpyOKLQ@mail.gmail.com>
References: <CABcZeBPfasM5HmJaATLUHQKRgiSGCreJt1T=UoDBGCbcuzyW8Q@mail.gmail.com> <CAFewVt7_+oqy0EczdaxVpgS9gkzp8EMjLCgjXj+DE7S-e94Q7A@mail.gmail.com> <CABcZeBMN=0GUsqDMnLM5eTg54t6Sn0ME9213ts75OXLKZxr9+w@mail.gmail.com> <CAMfhd9Xckw9s=5OxC_Cv7YSoZ4bxu4Xe59ZhmkUFuYcJNawEiA@mail.gmail.com> <CABcZeBNpV7qQSpUESEn64xr8_RjDboPsS9CHupkP5OAQfPkD-A@mail.gmail.com> <CAFewVt66vLEHSUMvnZ2N+uT0542vL27T4VQSYe1SSRhZpyOKLQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 22 Mar 2015 20:20:27 -0700
Message-ID: <CABcZeBPFwM4NjFCk96k3L8ngW9y2-00Gnm0g9y33rCqE_Gpi8A@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Content-Type: multipart/alternative; boundary="14dae9cc9f9e41f07f0511ec2820"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/CHHMc5-d5mrhh0sVAb-UQ5yAvBA>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Pull Request: Removing the AEAD explicit IV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 03:21:11 -0000
On Sun, Mar 22, 2015 at 7:10 PM, Brian Smith <brian@briansmith.org> wrote: > Eric Rescorla <ekr@rtfm.com> wrote: > > Adam, Brian, what would you think of XOR rather than addition? > > > > E.g., generate a per-connection value V and then do: > > > > Nonce = Seq XOR V? > > Would the sequence number be logically the same size as the nonce (128 > bits or 256 bits), or would the spec will forbid sending 2^64 or more > records under the same key? What I had in mind was the latter. -Ekr > Either solution prevents the need to worry > about the record number overflowing, but my answer depends on which > approach is chosen. > > The advantage of XOR is that it is easy to implement correctly, > because mutli-machine-word XOR is easier to implement than > multi-machine-word unsigned integer addition with wraparound during > overflow. However, XOR is also easier to implement *wrongly* without > anybody noticing, by only doing the XOR for a single machine word > (e.g. only the lower 32 bits on a 32-bit machine). It's not so > practical to do a conformance test that sends/receives 2^32+1 or > 2^64+1 records.. > > It seems harder to implement addition wrongly without anybody noticing > because all of the overflow cases should be triggered during interop > testing and thus any bugs found and corrected. So, without knowing the > answer to my question above, I prefer addition. > > Cheers, > Brian >
- [TLS] Pull Request: Removing the AEAD explicit IV Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Adam Langley
- Re: [TLS] Pull Request: Removing the AEAD explici… Michael StJohns
- Re: [TLS] Pull Request: Removing the AEAD explici… Yoav Nir
- Re: [TLS] Pull Request: Removing the AEAD explici… Michael StJohns
- Re: [TLS] Pull Request: Removing the AEAD explici… Michael StJohns
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Watson Ladd
- Re: [TLS] Pull Request: Removing the AEAD explici… Watson Ladd
- Re: [TLS] Pull Request: Removing the AEAD explici… Colm MacCárthaigh
- Re: [TLS] Pull Request: Removing the AEAD explici… Martin Thomson
- Re: [TLS] Pull Request: Removing the AEAD explici… Colm MacCárthaigh
- Re: [TLS] Pull Request: Removing the AEAD explici… Michael StJohns
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Brian Smith
- Re: [TLS] Pull Request: Removing the AEAD explici… Watson Ladd
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Watson Ladd
- Re: [TLS] Pull Request: Removing the AEAD explici… Ilari Liusvaara
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Watson Ladd
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Ilari Liusvaara
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Brian Smith
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Brian Smith
- Re: [TLS] Pull Request: Removing the AEAD explici… Ilari Liusvaara
- Re: [TLS] Pull Request: Removing the AEAD explici… Adam Langley
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Ilari Liusvaara
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Adam Langley
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Brian Smith
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Martin Thomson