Re: [TLS] Confirming Consensus on supporting only AEAD ciphers

Watson Ladd <watsonbladd@gmail.com> Fri, 28 March 2014 14:16 UTC

From: Watson Ladd <watsonbladd@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/FRF2ORJ7VCGaXMgrhW6DFXaoE00
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Confirming Consensus on supporting only AEAD ciphers

On Fri, Mar 28, 2014 at 9:57 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Fri, Mar 28, 2014 at 2:14 AM, Nikos Mavrogiannopoulos <nmav@redhat.com>
> wrote:
>>
>> On Fri, 2014-03-28 at 04:42 +0000, Joseph Salowey (jsalowey) wrote:
>>
>> > >> Please look at RFC 6476.  In that document, Peter Gutmann uses
>> > >> traditional
>> > >> encryption and integrity functions to make an AEAD cipher.  Does this
>> > >> decision allow or prohibit such ciphers?
>> > >
>> > > I had a similar question, the EtM draft uses the existing CBC as part
>> > > of an
>> > > AEAD mechanism, in a manner that requires minimal changes and no
>> > > implementation of new cipher modes.  Does that count as AEAD, or does
>> > > it have
>> > > to be a combined cipher mode?
>> > [Joe] I don't think it counts as an AEAD mechanism.  It is not using the
>> > AEAD  cipher type defined in RFC 5246.   You could define EtM using CBC so
>> > that it fits the AEAD interface.
>>
>> I don't think this is possible. Don't forget that the AEAD mechanism in
>> TLS is only applicable to stream ciphers, i.e., for ciphers that
>> plaintext equals ciphertext. So moving everything to "AEAD" would have
>> to create a new AEAD mode.
>
>
> This is fairly straightforward to address by simply adopting
> the same length approach that Peter's draft adopts. Yes, we
> would need to update the text, but since we're talking about
> a new document that doesn't seem like a problem.
>
>
>> Overall, I think that this discussion about allowing only the true
>> "AEAD" is pointless. All TLS ciphersuites are Authenticated Encryption
>> by definition and there is no advantage in requiring them to fit into the
>> TLS true "AEAD" mode.
>
>
> The idea here is that TLS currently specifies *in TLS* how to compose
> authentication and encryption which means that we have to specify
> three interfaces for three different kinds of ciphers (stream, block, AEAD).
> Since cryptographic practice seems to be moving towards AEAD as
> a primitive, we have an opportunity to simplify matters by going to
> an AEAD only interface which also has the virtue of having to specify
> specific constructions in TLS.

So let me get this straight: what we are planning to do is eliminate
the current MAC-encryption layer, and instead have a layer that takes
a plaintext TLS record and encapsulates it as an encrypted one. The TLS
spec specifies the inputs, and the cipher has to specify how to go
from inputs to ciphertext, and be IND-CCA2+INT_PTXT secure.

This has a major advantage in that we lose a lot of length and
complexity from the spec. I don't see any disadvantages.

Sincerely,
Watson Ladd

>
> -Ekr



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
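
An added sketch of the layering discussed in this message (not part of the original message, and not code from any TLS implementation): the record layer only fixes the AEAD inputs, and an encrypt-then-MAC composition sits behind a seal/open interface. The function names, the 64-byte key split, the sequence-number nonce and the HMAC-based stand-in keystream are assumptions made for illustration.

```python
import hashlib, hmac, struct

TAG_LEN = 32  # HMAC-SHA256 output length

def _keystream(key, nonce, n):
    # Stand-in cipher for the demo: HMAC-SHA256 in counter mode. Not a TLS cipher.
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _tag(mac_key, nonce, aad, ct):
    # Length-prefix the additional data so the aad/ciphertext boundary is unambiguous.
    return hmac.new(mac_key, nonce + struct.pack(">Q", len(aad)) + aad + ct,
                    hashlib.sha256).digest()

def seal(key, nonce, aad, plaintext):
    """AEAD interface: (K, N, A, P) -> C. Internally encrypt-then-MAC."""
    enc_key, mac_key = key[:32], key[32:64]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + _tag(mac_key, nonce, aad, ct)

def open_sealed(key, nonce, aad, sealed):
    """AEAD interface: (K, N, A, C) -> P, or None if authentication fails."""
    if len(sealed) < TAG_LEN:
        return None
    enc_key, mac_key = key[:32], key[32:64]
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, aad, ct)):
        return None  # verify before decrypting anything
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _inputs(seq, ctype, version, plain_len):
    # The record layer only fixes the AEAD inputs. Additional data follows the
    # RFC 5246 layout: seq_num(8) || type(1) || version(2) || length(2).
    # Nonce = sequence number is an assumption of this sketch (unique per key).
    return struct.pack(">Q", seq), struct.pack(">QBHH", seq, ctype, version, plain_len)

def protect_record(key, seq, ctype, version, fragment):
    nonce, aad = _inputs(seq, ctype, version, len(fragment))
    return seal(key, nonce, aad, fragment)

def unprotect_record(key, seq, ctype, version, sealed):
    if len(sealed) < TAG_LEN:
        return None
    # Plaintext length is recovered from the ciphertext length minus the fixed expansion.
    nonce, aad = _inputs(seq, ctype, version, len(sealed) - TAG_LEN)
    return open_sealed(key, nonce, aad, sealed)
```

Swapping the body of `seal`/`open_sealed` for a combined mode would leave `protect_record` and `unprotect_record` unchanged, which is the simplification the AEAD-only interface is meant to buy.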