Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
Watson Ladd <watsonbladd@gmail.com> Fri, 28 March 2014 14:16 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB58F1A0695 for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 07:16:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 93BRVoD__bCc for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 07:16:31 -0700 (PDT)
Received: from mail-yh0-x22d.google.com (mail-yh0-x22d.google.com [IPv6:2607:f8b0:4002:c01::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 5EFBB1A0668 for <tls@ietf.org>; Fri, 28 Mar 2014 07:16:31 -0700 (PDT)
Received: by mail-yh0-f45.google.com with SMTP id a41so5008007yho.4 for <tls@ietf.org>; Fri, 28 Mar 2014 07:16:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=WAJg2HOnDoUgjzIA3frrwkpDB9dwGNHXj6ilzDfk5zw=; b=bC+P24N6kszpkh/dE7X9VCRA4D/BuKWpRPf3PgM6qeNuD/SpX+sWNmSISgPh4qpqw9 XkojbOEjlpLcFfdf0eYJdIZaXQwNZU/eF8wTu6ecN+mj23gS2h29uLbuVLcIdX3fYNeW L+fMuvHxg1cYzlxLSfXIKIlzpxGKoh/UWp8o6pbalmuRFWVnUlbiCmgWEU7vcCS+pNd4 yW74eXukXiN+19RbM9kgMCzPuFixS767aEhzkT8hI2WsR6W9uruw0ES2JkGb0cYbRj1F 8hYLIOtqSSWqG++tpIWL6//0AAUexZsqPo2TPYX0ajFKtaVSynQJU5tGRXAYFCHNBTDj 1P4A==
MIME-Version: 1.0
X-Received: by 10.236.137.8 with SMTP id x8mr11744538yhi.4.1396016189127; Fri, 28 Mar 2014 07:16:29 -0700 (PDT)
Received: by 10.170.80.214 with HTTP; Fri, 28 Mar 2014 07:16:29 -0700 (PDT)
In-Reply-To: <CABcZeBPKAnp1Lna8hL9P67iuqdP_Lkcxjf20mNw-WtW67dqbrQ@mail.gmail.com>
References: <9A043F3CF02CD34C8E74AC1594475C7372394B6C@uxcn10-6.UoA.auckland.ac.nz> <F8DB048B-24D0-4B97-85F0-39807B54EDDB@cisco.com> <1395998078.19721.60.camel@dhcp-2-127.brq.redhat.com> <CABcZeBPKAnp1Lna8hL9P67iuqdP_Lkcxjf20mNw-WtW67dqbrQ@mail.gmail.com>
Date: Fri, 28 Mar 2014 10:16:29 -0400
Message-ID: <CACsn0cnSJ6i5m3eNonXE++fouuryOHzEMAf0xTP8SEruUhu87A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/FRF2ORJ7VCGaXMgrhW6DFXaoE00
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 14:16:33 -0000
On Fri, Mar 28, 2014 at 9:57 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Fri, Mar 28, 2014 at 2:14 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> > wrote: >> >> On Fri, 2014-03-28 at 04:42 +0000, Joseph Salowey (jsalowey) wrote: >> >> > >> Please look at RFC 6476. In that document, Peter Gutmann uses >> > >> traditional >> > >> encryption and integrity functions to make an AEAD cipher. Does this >> > >> decision allow or prohibit such ciphers? >> > > >> > > I had a similar question, the EtM draft uses the existing CBC as part >> > > of an >> > > AEAD mechanism, in a manner that requires minimal changes and no >> > > implementation of new cipher modes. Does that count as AEAD, or does >> > > it have >> > > to be a combined cipher mode? >> > [Joe] I don't think it counts as an AEAD mechanism. It is not using the >> > AEAD cipher type defined in RFC 5246. You could define EtM using CBC so >> > that it fits the AEAD interface. >> >> I don't think this is possible. Don't forget that the AEAD mechanism in >> TLS is only applicable to stream ciphers, i.e, for ciphers that >> plaintext equals ciphertext. So moving everything to "AEAD" would have >> to create a new AEAD mode. > > > This is fairly straightforward to address by simply adopting > the same length approach that Peter's draft adopts. Yes, we > would need to update the text, but since we're talking about > a new document that doesn't seem like a problem. > > >> Overall, I think that this discussion about allowing only the true >> "AEAD" is pointless. All TLS ciphersuites are Authenticated Encryption >> by definition and there is no advantage by require them to fit into the >> TLS true "AEAD" mode. > > > The idea here is that TLS currently specifies *in TLS* how to compose > authentication and encryption which means that we have to specify > three interfaces for three different kinds of ciphers (stream, block, AEAD). > Since cryptographic practice seems to be moving towards AEAD as > a primitive, we have an opportunity to simplify matters by going to > an AEAD only interface which also has the virtue of having to specify > specific constructions in TLS. So let me get this straight: what we are planning to do is eliminate the current MAC-encryption layer, and instead have a layer that takes a plaintext TLS record and encapsulates as an encrypted one. The TLS spec specifies the inputs, and the cipher has to specify how to go from inputs to ciphertext, and be IND-CCA2+INT_PTXT secure. This has a major advantage in that we lose a lot of length and complexity from the spec. I don't see any disadvantages. Sincerely, Watson Ladd > > -Ekr > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] Confirming Consensus on supporting only AEA… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Russ Housley
- Re: [TLS] Confirming Consensus on supporting only… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Peter Gutmann
- Re: [TLS] Confirming Consensus on supporting only… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Nikos Mavrogiannopoulos
- Re: [TLS] Confirming Consensus on supporting only… Eric Rescorla
- Re: [TLS] Confirming Consensus on supporting only… Watson Ladd
- Re: [TLS] Confirming Consensus on supporting only… Eric Rescorla
- Re: [TLS] Confirming Consensus on supporting only… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Fedor Brunner
- Re: [TLS] Confirming Consensus on supporting only… Peter Gutmann
- Re: [TLS] Confirming Consensus on supporting only… Watson Ladd
- Re: [TLS] Confirming Consensus on supporting only… Peter Bowen
- Re: [TLS] Confirming Consensus on supporting only… Michael D'Errico
- Re: [TLS] Confirming Consensus on supporting only… Martin Thomson
- Re: [TLS] Confirming Consensus on supporting only… Ralph Holz
- Re: [TLS] Confirming Consensus on supporting only… Michael D'Errico
- Re: [TLS] Confirming Consensus on supporting only… Eric Rescorla
- Re: [TLS] Confirming Consensus on supporting only… Michael StJohns
- Re: [TLS] Confirming Consensus on supporting only… Martin Rex
- Re: [TLS] Confirming Consensus on supporting only… Michael StJohns
- Re: [TLS] Confirming Consensus on supporting only… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Fedor Brunner
- [TLS] (offline note) Re: Confirming Consensus on … Rene Struik
- Re: [TLS] (offline note) Re: Confirming Consensus… Joseph Salowey (jsalowey)
- Re: [TLS] Confirming Consensus on supporting only… Michael StJohns
- Re: [TLS] (offline note) Re: Confirming Consensus… Martin Rex
- Re: [TLS] (offline note) Re: Confirming Consensus… Michael StJohns
- Re: [TLS] (offline note) Re: Confirming Consensus… Michael StJohns
- Re: [TLS] (offline note) Re: Confirming Consensus… Manuel Pégourié-Gonnard
- Re: [TLS] (offline note) Re: Confirming Consensus… Michael StJohns
- Re: [TLS] Confirming Consensus on supporting only… Manuel Pégourié-Gonnard
- Re: [TLS] Confirming Consensus on supporting only… Eric Rescorla
- Re: [TLS] [PATCH] Clean up removal of all non-AEA… Martin Thomson
- [TLS] [PATCH] Clean up removal of all non-AEAD mo… Daniel Kahn Gillmor
- Re: [TLS] [PATCH] Clean up removal of all non-AEA… Eric Rescorla
- Re: [TLS] [PATCH] Clean up removal of all non-AEA… Daniel Kahn Gillmor
- Re: [TLS] [PATCH] Clean up removal of all non-AEA… Eric Rescorla