Re: [TLS] ChaCha20 + Poly1305 in TLS

mrex@sap.com (Martin Rex) Tue, 17 September 2013 17:00 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB85B11E82AB for <tls@ietfa.amsl.com>; Tue, 17 Sep 2013 10:00:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.175
X-Spam-Level:
X-Spam-Status: No, score=-10.175 tagged_above=-999 required=5 tests=[AWL=0.074, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CFJsEG6xWOse for <tls@ietfa.amsl.com>; Tue, 17 Sep 2013 10:00:40 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 4374F11E8528 for <tls@ietf.org>; Tue, 17 Sep 2013 10:00:32 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r8HH0Skp000507 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 17 Sep 2013 19:00:28 +0200 (MEST)
In-Reply-To: <CAL9PXLxm=WezLdg2EMuh--aW+cR5CJzCFeYgySQGqhQPOn3ntA@mail.gmail.com>
To: Adam Langley <agl@google.com>
Date: Tue, 17 Sep 2013 19:00:28 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130917170028.43B0B1A974@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ChaCha20 + Poly1305 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2013 17:00:45 -0000

Adam Langley wrote:
>
> > Which versions of TLS is this aimed at, TLS 1.2 (and later) only or earlier
> > versions too?
> 
> Since it's defined as an AEAD, technically it's only compatible with
> TLS 1.2 - same as AES-GCM.
> 
> However, the reality, at least for browsers, is that we cannot depend
> on TLS's version negotiation because of bugs in servers. Therefore, in
> practice, I'm planning on making some or all AES-GCM and
> Chacha20-Poly1305 ciphersuites work for all versions. For SSLv3,
> ECDHE/ECDSA variants will implicitly indicate support for
> P-{256,384,521} and uncompressed points since SSLv3 cannot carry the
> EC extensions needed to indicate that.

Only those incarnations of SSLv3 that are "TLS extensions intolerant"
can not carry TLS extensions.  For all other implementations of SSLv3
(i.e. those based on the ssl302 draft that became rfc6101), support
for TLS extensions is no different from what it is in TLSv1.0 onward.

-Martin