[TLS] Re:  draft-ietf-tls-psk-new-mac-aes-gcm-01 : portfolio question

badra@isima.fr Thu, 21 August 2008 19:35 UTC

Date: Thu, 21 Aug 2008 21:30:02 +0200
From: badra@isima.fr
To: "Blumenthal, Uri" <uri@ll.mit.edu>
Cc: ah@tr-sys.de, tls@ietf.org
Subject: [TLS] Re:  draft-ietf-tls-psk-new-mac-aes-gcm-01 : portfolio question

> Out of hand option B looks better for cryptographic reasons.

With regards to RFC 5289 and 5288, option B seems to be the appropriate
option. I will update the document to include only AES-128 with SHA-256
and AES-256 with SHA-384.

Best regards
Badra

>
>
> --
> Regards,
> Uri
>
> ----- Original Message -----
> From: tls-bounces@ietf.org <tls-bounces@ietf.org>
> To: tls@ietf.org <tls@ietf.org>
> Sent: Wed Aug 20 16:06:32 2008
> Subject: [TLS] draft-ietf-tls-psk-new-mac-aes-gcm-01 : portfolio question
>
> During off-list discussions of the changes for the -01 version
> of draft-ietf-tls-psk-new-mac-aes-gcm, it became apparent that
> there's a certain degree of imbalance in the draft regarding the
> portfolio of combinations of  AES-{128|256}  with  SHA-{256|384} .
>
> Looking into the IANA TLS Cipher Suite Registry, I found a similar
> lack of balance for the SHA-2 cipher suites already registered:
>
>    - RFC 5246 has registered cipher suites employing both AES-128
>      and AES-256  *with SHA-256 only* ;
>
>    - both RFC 5288 and RFC 5289 (posted yesterday [PDT])
>      *only* combine  AES-128 with SHA-256
>      and             AES-256 with SHA-384 .
>
> Notwithstanding any applicable 'hard' cryptographic arguments,
> I suggest that in draft-ietf-tls-psk-new-mac-aes-gcm,
> simply for self-consistency of the portfolio ...
>
> either:
>
>   a) Section 2 be amended with the missing combinations
>      for TLS_DHE_PSK_* and TLS_RSA_PSK_* (two each),
>      thus achieving an orthogonal portfolio of combinations
>      of AES-{128|256} with SHA-{256|384} for all flavors of
>      authentication,
>
> or:
>
>   b) the TLS_DHE_PSK_* and TLS_RSA_PSK_* portfolio in Section 2
>      be reverted to the -00 (and pre-WG draft) portfolio
>      (combining AES-128 with SHA-256 and AES-256 with SHA-384 only),
>      and all combinations of  AES-128 with SHA-384  as well as
>      all combinations of  AES-256 with SHA-256  be removed from
>      the portfolio in Sections 2, 3.1, 3.2, and 3.3, leaving only
>      combinations of AES-128 with SHA-256 and AES-256 with SHA-384
>      in the draft.
>
> I see work in progress throughout the IETF (and elsewhere)
> following both ways of combining block ciphers with various
> key strengths (like AES-xxx) and the SHA-2 variants.
>
> The major PRO for a) seems to be completeness and orthogonality,
> and the major PRO for b) might be containment of the growing
> "TLS Cipher Suite zoo".
>
> Any opinions?   (In particular, 'crypto geek' voices welcome!)
>
>
> Kind regards,
>   Alfred Hönes.
>
> --
>
> +------------------------+--------------------------------------------+
> | TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
> | Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
> | D-71254  Ditzingen     |  E-Mail:  ah@TR-Sys.de                     |
> +------------------------+--------------------------------------------+
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
