Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
Eric Rescorla <ekr@rtfm.com> Fri, 28 March 2014 13:58 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CC0F1A064F for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 06:58:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gcoja06BOKtg for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 06:58:34 -0700 (PDT)
Received: from mail-wi0-f169.google.com (mail-wi0-f169.google.com [209.85.212.169]) by ietfa.amsl.com (Postfix) with ESMTP id 4A1111A0648 for <tls@ietf.org>; Fri, 28 Mar 2014 06:58:34 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id hm4so777852wib.2 for <tls@ietf.org>; Fri, 28 Mar 2014 06:58:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=lh/+2amA+N644ayvtE/K3wQ647EvRFZx2wWqp2p6Ohw=; b=TwFPGr0vn4OTDnMcwVbWLJ5c2fH83tOHmgKOwBIP2agyAsl112JBpla92sJAYaRmfP UD8sJxZuDmgI4MY2rK47T3VNI82ISijNwo8s1WKdU0C7y6/IsX3SLV889VkEte9I4WsY ILP4kSvLQ91yvUBqP3NQW08z7/Z1CbOphn8lNuwgVL2X1Ytf0uAYZTCRgMmk7X/a6VAD SLoP4FLYFcSRz+bG71iQtAVgdT5mWEAo/epLkvLKQGRUR05WvT+CZQ8QLrCh+jEvZh9G 2mj8KHHEs3URVUKYvOUwysNhPdxJcEsQjngUcWP1AhX1gB5nS4o+nY0PAXkXwk5foEOT yHjQ==
X-Gm-Message-State: ALoCoQlzoB3RLaRRl9MWaBgodHuFp0Qpi57O7o97VJ8783xxEx2p5Hi4oyOHb/wbw1fK9cCVseBI
X-Received: by 10.180.9.42 with SMTP id w10mr12898802wia.20.1396015111723; Fri, 28 Mar 2014 06:58:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Fri, 28 Mar 2014 06:57:14 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <1395998078.19721.60.camel@dhcp-2-127.brq.redhat.com>
References: <9A043F3CF02CD34C8E74AC1594475C7372394B6C@uxcn10-6.UoA.auckland.ac.nz> <F8DB048B-24D0-4B97-85F0-39807B54EDDB@cisco.com> <1395998078.19721.60.camel@dhcp-2-127.brq.redhat.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 28 Mar 2014 06:57:14 -0700
Message-ID: <CABcZeBPKAnp1Lna8hL9P67iuqdP_Lkcxjf20mNw-WtW67dqbrQ@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Content-Type: multipart/alternative; boundary="001a11c247acd5f3c604f5ab18bf"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/DWGqEs7d4XlSaXPq6H6jPpdYXf4
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 13:58:36 -0000
On Fri, Mar 28, 2014 at 2:14 AM, Nikos Mavrogiannopoulos <nmav@redhat.com>wrote: > On Fri, 2014-03-28 at 04:42 +0000, Joseph Salowey (jsalowey) wrote: > > > >> Please look at RFC 6476. In that document, Peter Gutmann uses > traditional > > >> encryption and integrity functions to make an AEAD cipher. Does this > > >> decision allow or prohibit such ciphers? > > > > > > I had a similar question, the EtM draft uses the existing CBC as part > of an > > > AEAD mechanism, in a manner that requires minimal changes and no > > > implementation of new cipher modes. Does that count as AEAD, or does > it have > > > to be a combined cipher mode? > > [Joe] I don't think it counts as an AEAD mechanism. It is not using the > AEAD cipher type defined in RFC 5246. You could define EtM using CBC so > that it fits the AEAD interface. > > I don't think this is possible. Don't forget that the AEAD mechanism in > TLS is only applicable to stream ciphers, i.e, for ciphers that > plaintext equals ciphertext. So moving everything to "AEAD" would have > to create a new AEAD mode. > This is fairly straightforward to address by simply adopting the same length approach that Peter's draft adopts. Yes, we would need to update the text, but since we're talking about a new document that doesn't seem like a problem. Overall, I think that this discussion about allowing only the true > "AEAD" is pointless. All TLS ciphersuites are Authenticated Encryption > by definition and there is no advantage by require them to fit into the > TLS true "AEAD" mode. > The idea here is that TLS currently specifies *in TLS* how to compose authentication and encryption which means that we have to specify three interfaces for three different kinds of ciphers (stream, block, AEAD). Since cryptographic practice seems to be moving towards AEAD as a primitive, we have an opportunity to simplify matters by going to an AEAD only interface which also has the virtue of having to specify specific constructions in TLS. -Ekr
- [TLS] Confirming Consensus on supporting only AEA… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Russ Housley
- Re: [TLS] Confirming Consensus on supporting only… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Peter Gutmann
- Re: [TLS] Confirming Consensus on supporting only… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Nikos Mavrogiannopoulos
- Re: [TLS] Confirming Consensus on supporting only… Eric Rescorla
- Re: [TLS] Confirming Consensus on supporting only… Watson Ladd
- Re: [TLS] Confirming Consensus on supporting only… Eric Rescorla
- Re: [TLS] Confirming Consensus on supporting only… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Fedor Brunner
- Re: [TLS] Confirming Consensus on supporting only… Peter Gutmann
- Re: [TLS] Confirming Consensus on supporting only… Watson Ladd
- Re: [TLS] Confirming Consensus on supporting only… Peter Bowen
- Re: [TLS] Confirming Consensus on supporting only… Michael D'Errico
- Re: [TLS] Confirming Consensus on supporting only… Martin Thomson
- Re: [TLS] Confirming Consensus on supporting only… Ralph Holz
- Re: [TLS] Confirming Consensus on supporting only… Michael D'Errico
- Re: [TLS] Confirming Consensus on supporting only… Eric Rescorla
- Re: [TLS] Confirming Consensus on supporting only… Michael StJohns
- Re: [TLS] Confirming Consensus on supporting only… Martin Rex
- Re: [TLS] Confirming Consensus on supporting only… Michael StJohns
- Re: [TLS] Confirming Consensus on supporting only… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Fedor Brunner
- [TLS] (offline note) Re: Confirming Consensus on … Rene Struik
- Re: [TLS] (offline note) Re: Confirming Consensus… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Michael StJohns
- Re: [TLS] (offline note) Re: Confirming Consensus… Martin Rex
- Re: [TLS] (offline note) Re: Confirming Consensus… Michael StJohns
- Re: [TLS] (offline note) Re: Confirming Consensus… Michael StJohns
- Re: [TLS] (offline note) Re: Confirming Consensus… Manuel Pégourié-Gonnard
- Re: [TLS] (offline note) Re: Confirming Consensus… Michael StJohns
- Re: [TLS] Confirming Consensus on supporting only… Manuel Pégourié-Gonnard
- Re: [TLS] Confirming Consensus on supporting only… Eric Rescorla
- Re: [TLS] [PATCH] Clean up removal of all non-AEA… Martin Thomson
- [TLS] [PATCH] Clean up removal of all non-AEAD mo… Daniel Kahn Gillmor
- Re: [TLS] [PATCH] Clean up removal of all non-AEA… Eric Rescorla
- Re: [TLS] [PATCH] Clean up removal of all non-AEA… Daniel Kahn Gillmor
- Re: [TLS] [PATCH] Clean up removal of all non-AEA… Eric Rescorla