Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

David Benjamin <davidben@chromium.org> Tue, 04 August 2015 17:22 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4726C1A88ED for <tls@ietfa.amsl.com>; Tue, 4 Aug 2015 10:22:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LtWnxYuMG2vD for <tls@ietfa.amsl.com>; Tue, 4 Aug 2015 10:22:12 -0700 (PDT)
Received: from mail-ig0-x229.google.com (mail-ig0-x229.google.com [IPv6:2607:f8b0:4001:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F7E51A887D for <tls@ietf.org>; Tue, 4 Aug 2015 10:22:12 -0700 (PDT)
Received: by iggf3 with SMTP id f3so15900316igg.1 for <tls@ietf.org>; Tue, 04 Aug 2015 10:22:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=OFeuy3Bfx9wASLEO/ETJ+r/OFg89/Bt/P+OTGRuT648=; b=b9qcg+Gt50R31vPyp0khc3isalJIwsqmPUJwQApdFdk52oGscFoOLoQCsl7phqE7Jg UkUtkaBhH7s0bGvQRLxitnFBdnLYZiQLEBBnUqzoM3IUkf7AYkxIl+idYnl+RDZN2A2F yJNXEleJsOuR2qjlNj97NPItfXAvnKRKHu4Qo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=OFeuy3Bfx9wASLEO/ETJ+r/OFg89/Bt/P+OTGRuT648=; b=J835TtE4nunCLYKJI/FXXAIOR9xDxhZZfOaw4xd2XI6s2dQnYVZoY+jMIagvo4xMh4 F0cCp37B0omotxZtjh6ulF4n0T3ouB96KZ1XYSLA4SGWMCJEmK3hTqmCIl5gcABzAxQH 8A6wSFNG50SLEkRj3mwlho3ImmMulqhnisO769ZrKJeF9zwDIkm46bz2dSaE2+hzh6Nx X8zvC4UduCCgBIztNxpCEFe8xiU5/jnxpQt53VT8Fb6jIMDR2ZYrfXiS2IaJioqp3Y0F juo7bq4Hq7QocbehGoGTyAzutUgvUODvpHjJUfYz88lFyMPwoWp++f06LdK31gCdiKsI Ov/g==
X-Gm-Message-State: ALoCoQnjykTtvWUORdrPjsvomd+ni7CtxbXUvv8+mxuRgD97mn6UIeV4BBAnotQUt4zpzJTXgpff
X-Received: by 10.50.112.170 with SMTP id ir10mr5133301igb.69.1438708931401; Tue, 04 Aug 2015 10:22:11 -0700 (PDT)
MIME-Version: 1.0
References: <1438691824.10777.9.camel@redhat.com> <CABkgnnVLahWvJ1ONUW7RLTuUVj1nrGVwgxBGsh2A58r1Gjf3aw@mail.gmail.com> <c2baa76f65b846d29868989886814981@ustx2ex-dag1mb2.msg.corp.akamai.com>
In-Reply-To: <c2baa76f65b846d29868989886814981@ustx2ex-dag1mb2.msg.corp.akamai.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 04 Aug 2015 17:22:01 +0000
Message-ID: <CAF8qwaBxEje4kW0dO-h-h=DXDi1RWgyVrdFo_7i92icDHFBrqA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>, Martin Thomson <martin.thomson@gmail.com>, Nikos Mavrogiannopoulos <nmav@redhat.com>
Content-Type: multipart/alternative; boundary=089e013c6a94cac9cc051c7f8696
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/JOz8lnk1RSXUllQwBujR30o8AAE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2015 17:22:14 -0000

On Tue, Aug 4, 2015 at 12:20 PM Salz, Rich <rsalz@akamai.com> wrote:

> > Personally, I would rather see the nonce construction follow the form
> > defined in the respective TLS version. [DB: Adding back in for context:
> "That means including redundant bytes in TLS 1.2 and only getting the full
> advantage when we move to TLS 1.3."]
>
> Yes, consistency.  +1
>

I think this already came up:
https://www.ietf.org/mail-archive/web/tls/current/msg16365.html

This is a waste of bandwidth. Consistency is generally good, but a weak
argument here. The complexity is minimal. If you don't care about
decrypting in-place, none of this matters. If you do care, you already have
to deal with:

- RC4 and TLS 1.0 CBC use no prefix on the ciphertext
- AES-GCM, TLS 1.1+ 3DES use an 8-byte prefix
- TLS 1.1+ AES CBC use a 16-byte prefix

Adding a 0-byte prefix cipher doesn't make anything worse. It already must
vary.

As for following what's defined in TLS 1.2, RFC 5246 just says that
GenericAEADCipher has a nonce_explicit field and:

   Each AEAD cipher suite MUST specify how the nonce supplied to the
   AEAD operation is constructed, and what is the length of the
   GenericAEADCipher.nonce_explicit part.

It then describes the 1.2 AES-GCM scheme, but prefaced with "In many cases,
it is appropriate to [...]". Saying nonce_explicit is empty and the nonce
is built from the sequence number is perfectly consistent here.

David