Re: [TLS] Pull Request: Removing the AEAD explicit IV

Eric Rescorla <ekr@rtfm.com> Mon, 23 March 2015 03:21 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B729D1A87A4 for <tls@ietfa.amsl.com>; Sun, 22 Mar 2015 20:21:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K1XB5RHP7WWc for <tls@ietfa.amsl.com>; Sun, 22 Mar 2015 20:21:10 -0700 (PDT)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23CA51A87A6 for <tls@ietf.org>; Sun, 22 Mar 2015 20:21:10 -0700 (PDT)
Received: by wibgn9 with SMTP id gn9so48884452wib.1 for <tls@ietf.org>; Sun, 22 Mar 2015 20:21:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=f8RusdPan0N58VahWdJCKnzVo3aCgcUAraRFXTsYIjw=; b=M7iVYZ3MauaQVu1PSx1B2P4zP2ZB/jsfbtVAMc08VPpUPZyEX7HOA3hqmaYjp/wDzM WqLwOgp3jfyo5f9/Zz7mx5XmaLtD5ukiPUeynPMwcX19J7XoN3UTWU57Eh7x7SgLxX4R Zj5PP27St4A7tj0aMAg509nijy1NwGTFpOjujXW8plEzJjbAjbKIjMlko7SeMerPL0Dl jo1sZz6ogYPSdiZrgHGEAvlkLGUdurlsRTy7ayBoH+CZWBtFFxjskJ+YHkEp1MnlOUrr sj3ziJpQTYm7//H0GGXZcW5SEyEal0YprC3PxFmXBhc+Xk3/Hufgf1O+OqWoAN842JmC 6Siw==
X-Gm-Message-State: ALoCoQmyl+VgbYRoKHa9SUocQSeMTCGpeuEbY8mfWFTMNJtxh65nie53JvgP5SDRzg96ZBOi1PEk
X-Received: by 10.180.80.164 with SMTP id s4mr7963868wix.78.1427080868911; Sun, 22 Mar 2015 20:21:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.205.198 with HTTP; Sun, 22 Mar 2015 20:20:27 -0700 (PDT)
In-Reply-To: <CAFewVt66vLEHSUMvnZ2N+uT0542vL27T4VQSYe1SSRhZpyOKLQ@mail.gmail.com>
References: <CABcZeBPfasM5HmJaATLUHQKRgiSGCreJt1T=UoDBGCbcuzyW8Q@mail.gmail.com> <CAFewVt7_+oqy0EczdaxVpgS9gkzp8EMjLCgjXj+DE7S-e94Q7A@mail.gmail.com> <CABcZeBMN=0GUsqDMnLM5eTg54t6Sn0ME9213ts75OXLKZxr9+w@mail.gmail.com> <CAMfhd9Xckw9s=5OxC_Cv7YSoZ4bxu4Xe59ZhmkUFuYcJNawEiA@mail.gmail.com> <CABcZeBNpV7qQSpUESEn64xr8_RjDboPsS9CHupkP5OAQfPkD-A@mail.gmail.com> <CAFewVt66vLEHSUMvnZ2N+uT0542vL27T4VQSYe1SSRhZpyOKLQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 22 Mar 2015 20:20:27 -0700
Message-ID: <CABcZeBPFwM4NjFCk96k3L8ngW9y2-00Gnm0g9y33rCqE_Gpi8A@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Content-Type: multipart/alternative; boundary=14dae9cc9f9e41f07f0511ec2820
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/CHHMc5-d5mrhh0sVAb-UQ5yAvBA>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Pull Request: Removing the AEAD explicit IV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 03:21:11 -0000

On Sun, Mar 22, 2015 at 7:10 PM, Brian Smith <brian@briansmith.org>; wrote:

> Eric Rescorla <ekr@rtfm.com>; wrote:
> > Adam, Brian, what would you think of XOR rather than addition?
> >
> > E.g., generate a per-connection value V and then do:
> >
> > Nonce = Seq XOR V?
>
> Would the sequence number be logically the same size as the nonce (128
> bits or 256 bits), or would the spec will forbid sending 2^64 or more
> records under the same key?


What I had in mind was the latter.

-Ekr


> Either solution prevents the need to worry
> about the record number overflowing, but my answer depends on which
> approach is chosen.
>
> The advantage of XOR is that it is easy to implement correctly,
> because mutli-machine-word XOR is easier to implement than
> multi-machine-word unsigned integer addition with wraparound during
> overflow. However, XOR is also easier to implement *wrongly* without
> anybody noticing, by only doing the XOR for a single machine word
> (e.g. only the lower 32 bits on a 32-bit machine). It's not so
> practical to do a conformance test that sends/receives 2^32+1 or
> 2^64+1 records..
>
> It seems harder to implement addition wrongly without anybody noticing
> because all of the overflow cases should be triggered during interop
> testing and thus any bugs found and corrected. So, without knowing the
> answer to my question above, I prefer addition.
>
> Cheers,
> Brian
>