IETF Logo Mail Archive

Re: [TLS] Comments on

nisse@lysator.liu.se (Niels Möller ) Fri, 14 February 2014 18:57 UTC

Return-Path: <nisse@lysator.liu.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95DEC1A02D0 for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 10:57:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.019
X-Spam-Level:
X-Spam-Status: No, score=-1.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4q0wFgSjqUWG for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 10:57:46 -0800 (PST)
Received: from bacon.lysator.liu.se (bacon.lysator.liu.se [IPv6:2001:6b0:17:f0a0::ce]) by ietfa.amsl.com (Postfix) with ESMTP id D38041A02E4 for <tls@ietf.org>; Fri, 14 Feb 2014 10:57:45 -0800 (PST)
Received: from bacon.lysator.liu.se (localhost [127.0.0.1]) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5) with ESMTP id s1EIvU28008018; Fri, 14 Feb 2014 19:57:30 +0100 (MET)
Received: (from nisse@localhost) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5/Submit) id s1EIvSSN008010; Fri, 14 Feb 2014 19:57:28 +0100 (MET)
X-Authentication-Warning: bacon.lysator.liu.se: nisse set sender to nisse@lysator.liu.se using -f
From: nisse@lysator.liu.se
To: Adam Langley <agl@google.com>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se> <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com> <nna9dum6fk.fsf@bacon.lysator.liu.se> <CAL9PXLyC98rc73x7o4gDeu-UBz1k0VP_qTdbCqgSSObuKf9+LA@mail.gmail.com>
Date: Fri, 14 Feb 2014 19:57:28 +0100
In-Reply-To: <CAL9PXLyC98rc73x7o4gDeu-UBz1k0VP_qTdbCqgSSObuKf9+LA@mail.gmail.com> (Adam Langley's message of "Fri, 14 Feb 2014 12:45:21 -0500")
Message-ID: <nnsirlldyf.fsf@bacon.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (usg-unix-v)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/G_zPKZEq8Dw0fIphaIZlUcPtGKg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 18:57:48 -0000

Adam Langley <agl@google.com> writes:

> It appears that IPSec wants the extra 32 bits of nonce. Although this
> is an important change in definition it doesn't actually change the
> wire-format for TLS because the record-length limit means that those
> bits are always zero anyway in both cases.

Right, with some care both views these input words could perhaps
coexist. And a 32-bit counter (256 GB message size, if I manage to get
the powers right) ought to be sufficient for almost all applications.
But I'm afraid it might to slow adoption of chacha if there are multiple
slightly incompatible specifications.

And my current focus is more on what the chacha programming interface
should look like, not wire format of any particular protocol.

> Keep in mind that it affects more than just your users. By making
> streaming designs easy you allow people to make bad designs (like CMS)
> that force streaming designs on others in order to handle large files.
> The point of AEADs is that it's an easier primitive to use.

By streaming, I don't advocate you do the decryption in a pipe line;
that's clearly a dangerous habit. Usecase is more like on one machine
running

  src-machine$ tar -cf - foo-dir | aead-encrypt | send

to send the encrypted data over some untrusted link. And on the
receiving side 

  target-machine$ recv | aead-decrypt -o foo.tar

The point of the "streaming" here is that there's no need to store any
copy of plaintext or cryptotext at the source, and at the receiver, at
least there's no need to store a copy of the ciphertext. (And with some
more care, and a paranoid enough tar program, it's even possibly to
safely extract the received tar file in a pipe, avoiding storing a copy
of the tar file, *if* one arranges to handle the aead-decrypt exit code
properly).

If I want to encrypt a large file (say, with key derived from a
passphrase, or with an random and RSA-encrypted session key), I see no
clearly better or easier way to do that than as a single large AEAD
message processed using a streaming/incremental API. Sure, I could
divide the data into reasonably sized shorter blocks and process each
block as a separate message with AEAD, but then I would have to think
about how to do sequence numbers and a properly authenticated EOF
indication, to prevent reorder and truncation. And to me, that's also
very much against the spirit of AEAD as a safe and easy-to-use
mechanism.

> However, my preference would be to leave it as is because I've already
> got code that does it that way

I'm afraid that's the answer that I expected...

> and I don't believe that streaming is something that should be made
> easy.

We'll probably just have to disagree on that.

>> I see. Vaguely related question: Do you see any need for 128-bit chacha
>> keys?
>
> Since they are no faster I don't believe that anyone will want to
> support them. However, I may be wrong about that.

Thanks. (I currently do support them in my development version, but I'm
considering removing that feature, for simplicity, before release).

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

v2.23.0 | Report a Bug | By Email