Re: [TLS] Comments on
nisse@lysator.liu.se (Niels Möller ) Fri, 14 February 2014 18:57 UTC
Return-Path: <nisse@lysator.liu.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95DEC1A02D0 for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 10:57:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.019
X-Spam-Level:
X-Spam-Status: No, score=-1.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4q0wFgSjqUWG for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 10:57:46 -0800 (PST)
Received: from bacon.lysator.liu.se (bacon.lysator.liu.se [IPv6:2001:6b0:17:f0a0::ce]) by ietfa.amsl.com (Postfix) with ESMTP id D38041A02E4 for <tls@ietf.org>; Fri, 14 Feb 2014 10:57:45 -0800 (PST)
Received: from bacon.lysator.liu.se (localhost [127.0.0.1]) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5) with ESMTP id s1EIvU28008018; Fri, 14 Feb 2014 19:57:30 +0100 (MET)
Received: (from nisse@localhost) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5/Submit) id s1EIvSSN008010; Fri, 14 Feb 2014 19:57:28 +0100 (MET)
X-Authentication-Warning: bacon.lysator.liu.se: nisse set sender to nisse@lysator.liu.se using -f
From: nisse@lysator.liu.se
To: Adam Langley <agl@google.com>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se> <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com> <nna9dum6fk.fsf@bacon.lysator.liu.se> <CAL9PXLyC98rc73x7o4gDeu-UBz1k0VP_qTdbCqgSSObuKf9+LA@mail.gmail.com>
Date: Fri, 14 Feb 2014 19:57:28 +0100
In-Reply-To: <CAL9PXLyC98rc73x7o4gDeu-UBz1k0VP_qTdbCqgSSObuKf9+LA@mail.gmail.com> (Adam Langley's message of "Fri, 14 Feb 2014 12:45:21 -0500")
Message-ID: <nnsirlldyf.fsf@bacon.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (usg-unix-v)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/G_zPKZEq8Dw0fIphaIZlUcPtGKg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 18:57:48 -0000
Adam Langley <agl@google.com> writes: > It appears that IPSec wants the extra 32 bits of nonce. Although this > is an important change in definition it doesn't actually change the > wire-format for TLS because the record-length limit means that those > bits are always zero anyway in both cases. Right, with some care both views these input words could perhaps coexist. And a 32-bit counter (256 GB message size, if I manage to get the powers right) ought to be sufficient for almost all applications. But I'm afraid it might to slow adoption of chacha if there are multiple slightly incompatible specifications. And my current focus is more on what the chacha programming interface should look like, not wire format of any particular protocol. > Keep in mind that it affects more than just your users. By making > streaming designs easy you allow people to make bad designs (like CMS) > that force streaming designs on others in order to handle large files. > The point of AEADs is that it's an easier primitive to use. By streaming, I don't advocate you do the decryption in a pipe line; that's clearly a dangerous habit. Usecase is more like on one machine running src-machine$ tar -cf - foo-dir | aead-encrypt | send to send the encrypted data over some untrusted link. And on the receiving side target-machine$ recv | aead-decrypt -o foo.tar The point of the "streaming" here is that there's no need to store any copy of plaintext or cryptotext at the source, and at the receiver, at least there's no need to store a copy of the ciphertext. (And with some more care, and a paranoid enough tar program, it's even possibly to safely extract the received tar file in a pipe, avoiding storing a copy of the tar file, *if* one arranges to handle the aead-decrypt exit code properly). If I want to encrypt a large file (say, with key derived from a passphrase, or with an random and RSA-encrypted session key), I see no clearly better or easier way to do that than as a single large AEAD message processed using a streaming/incremental API. Sure, I could divide the data into reasonably sized shorter blocks and process each block as a separate message with AEAD, but then I would have to think about how to do sequence numbers and a properly authenticated EOF indication, to prevent reorder and truncation. And to me, that's also very much against the spirit of AEAD as a safe and easy-to-use mechanism. > However, my preference would be to leave it as is because I've already > got code that does it that way I'm afraid that's the answer that I expected... > and I don't believe that streaming is something that should be made > easy. We'll probably just have to disagree on that. >> I see. Vaguely related question: Do you see any need for 128-bit chacha >> keys? > > Since they are no faster I don't believe that anyone will want to > support them. However, I may be wrong about that. Thanks. (I currently do support them in my development version, but I'm considering removing that feature, for simplicity, before release). Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Wan-Teh Chang
- [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Dr Stephen Henson
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Nikos Mavrogiannopoulos
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on Alfredo Pironti
- Re: [TLS] Comments on Niels Möller
- [TLS] dealing with AEAD partial delivery [was: Re… Daniel Kahn Gillmor
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Adam Langley
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Adam Langley
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller