Re: [TLS] Confirming Consensus on supporting only AEAD ciphers

Eric Rescorla <> Fri, 28 March 2014 13:58 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3CC0F1A064F for <>; Fri, 28 Mar 2014 06:58:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gcoja06BOKtg for <>; Fri, 28 Mar 2014 06:58:34 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4A1111A0648 for <>; Fri, 28 Mar 2014 06:58:34 -0700 (PDT)
Received: by with SMTP id hm4so777852wib.2 for <>; Fri, 28 Mar 2014 06:58:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=lh/+2amA+N644ayvtE/K3wQ647EvRFZx2wWqp2p6Ohw=; b=TwFPGr0vn4OTDnMcwVbWLJ5c2fH83tOHmgKOwBIP2agyAsl112JBpla92sJAYaRmfP UD8sJxZuDmgI4MY2rK47T3VNI82ISijNwo8s1WKdU0C7y6/IsX3SLV889VkEte9I4WsY ILP4kSvLQ91yvUBqP3NQW08z7/Z1CbOphn8lNuwgVL2X1Ytf0uAYZTCRgMmk7X/a6VAD SLoP4FLYFcSRz+bG71iQtAVgdT5mWEAo/epLkvLKQGRUR05WvT+CZQ8QLrCh+jEvZh9G 2mj8KHHEs3URVUKYvOUwysNhPdxJcEsQjngUcWP1AhX1gB5nS4o+nY0PAXkXwk5foEOT yHjQ==
X-Gm-Message-State: ALoCoQlzoB3RLaRRl9MWaBgodHuFp0Qpi57O7o97VJ8783xxEx2p5Hi4oyOHb/wbw1fK9cCVseBI
X-Received: by with SMTP id w10mr12898802wia.20.1396015111723; Fri, 28 Mar 2014 06:58:31 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 28 Mar 2014 06:57:14 -0700 (PDT)
X-Originating-IP: []
In-Reply-To: <>
References: <> <> <>
From: Eric Rescorla <>
Date: Fri, 28 Mar 2014 06:57:14 -0700
Message-ID: <>
To: Nikos Mavrogiannopoulos <>
Content-Type: multipart/alternative; boundary="001a11c247acd5f3c604f5ab18bf"
Cc: "<>" <>
Subject: Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 28 Mar 2014 13:58:36 -0000

On Fri, Mar 28, 2014 at 2:14 AM, Nikos Mavrogiannopoulos <>wrote:

> On Fri, 2014-03-28 at 04:42 +0000, Joseph Salowey (jsalowey) wrote:
> > >> Please look at RFC 6476.  In that document, Peter Gutmann uses
> traditional
> > >> encryption and integrity functions to make an AEAD cipher.  Does this
> > >> decision allow or prohibit such ciphers?
> > >
> > > I had a similar question, the EtM draft uses the existing CBC as part
> of an
> > > AEAD mechanism, in a manner that requires minimal changes and no
> > > implementation of new cipher modes.  Does that count as AEAD, or does
> it have
> > > to be a combined cipher mode?
> > [Joe] I don't think it counts as an AEAD mechanism.  It is not using the
> AEAD  cipher type defined in RFC 5246.   You could define EtM using CBC so
> that it fits the AEAD interface.
> I don't think this is possible. Don't forget that the AEAD mechanism in
> TLS is only applicable to stream ciphers, i.e, for ciphers that
> plaintext equals ciphertext. So moving everything to "AEAD" would have
> to create a new AEAD mode.

This is fairly straightforward to address by simply adopting
the same length approach that Peter's draft adopts. Yes, we
would need to update the text, but since we're talking about
a new document that doesn't seem like a problem.

Overall, I think that this discussion about allowing only the true
> "AEAD" is pointless. All TLS ciphersuites are Authenticated Encryption
> by definition and there is no advantage by require them to fit into the
> TLS true "AEAD" mode.

The idea here is that TLS currently specifies *in TLS* how to compose
authentication and encryption which means that we have to specify
three interfaces for three different kinds of ciphers (stream, block, AEAD).
Since cryptographic practice seems to be moving towards AEAD as
a primitive, we have an opportunity to simplify matters by going to
an AEAD only interface which also has the virtue of having to specify
specific constructions in TLS.