Re: [TLS] Encryption of TLS 1.3 content type

Eric Rescorla <ekr@rtfm.com> Mon, 28 July 2014 21:27 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86A6D1A030C for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 14:27:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.677
X-Spam-Level:
X-Spam-Status: No, score=-1.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lAHsx7H4-VuM for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 14:27:20 -0700 (PDT)
Received: from mail-wg0-f45.google.com (mail-wg0-f45.google.com [74.125.82.45]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 351DC1A02F7 for <tls@ietf.org>; Mon, 28 Jul 2014 14:27:20 -0700 (PDT)
Received: by mail-wg0-f45.google.com with SMTP id x12so7920725wgg.4 for <tls@ietf.org>; Mon, 28 Jul 2014 14:27:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=VFG+3szhEUdpy0vSZN3B+1xfT8EF5d//3aulWMgmE0Y=; b=ReoG1Nk5fBUYO9HL3yhiwqzynkjkOxV/dbjSQe+uYKbHkQS6y+x4L0RhBW/VacR9WO b1QWLNMiIJpt+NccyXSyA/bBB6+W+tzJCno41HvxOV1/aG50OOA46U7UlKtkcM+sPLKO rnELcOylyZva2QBxhUihKs+SM2/DBZJKIIElPXVxFEjtQwzaCJpGfS5aRVSOsfv0jqMc tqQ3wcwHyAK+0VovAuJOnpmgODKnardTrzPVkLmkDaM++p5pKjiYvAnD1PehDWJLF+B/ rp5EsRqiTuGZDM3yCuUEv8irt12xj5EVmcOWvYEYRV9XrC0QrjkZAvKtpxDBCNXfGIRt +o6g==
X-Gm-Message-State: ALoCoQkXGWLMUHGGOL+LQRjvLHiHt3ZCkjX3KN5LSL6p3bEtrZAzDf7nqjuUE7aAldNEm4LZfdB5
X-Received: by 10.180.37.77 with SMTP id w13mr9773439wij.78.1406582838841; Mon, 28 Jul 2014 14:27:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.217.128.12 with HTTP; Mon, 28 Jul 2014 14:26:38 -0700 (PDT)
X-Originating-IP: [2620:101:80fc:232:c9a7:3c2d:8df:866a]
In-Reply-To: <49AFE121-7421-4FCE-B3D8-46B75581F5B2@iki.fi>
References: <DD255E31-FA87-40CE-AF13-0F43A7DD54CF@cisco.com> <CACsn0cnt-ry182AjOyTTZGteifs7VyRPYHaj-xDCBOf0D53w9A@mail.gmail.com> <CAAF6GDfK7awipoMT_PPyKnTe-fF1=KY1Be8kUMSYrXN0Wzb=tg@mail.gmail.com> <1406537753.2413.12.camel@dhcp-2-127.brq.redhat.com> <CAAF6GDcKqymNMnVa50Q7kSTgHrWcM1-qMNGyxU-NcjXMnCD3gQ@mail.gmail.com> <1406560456.7750.20.camel@dhcp-2-127.brq.redhat.com> <CAAF6GDcnmyc5n0XfeunrV9GvQdhO1cePdXKwYNWRpnS8bQ4ZHA@mail.gmail.com> <49AFE121-7421-4FCE-B3D8-46B75581F5B2@iki.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 28 Jul 2014 14:26:38 -0700
Message-ID: <CABcZeBNt5WpEdX1zPR2SeBZDBeXmLXDnc4eCBpW7a5J448b-4A@mail.gmail.com>
To: =?UTF-8?B?SnVobyBWw6Row6QtSGVydHR1YQ==?= <juhovh@iki.fi>
Content-Type: multipart/alternative; boundary=e89a8f64702174edac04ff479604
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/JV7G4Fao3j1kYnZDL3G7uQjXMDQ
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encryption of TLS 1.3 content type
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 21:27:21 -0000

On Mon, Jul 28, 2014 at 2:23 PM, Juho Vähä-Herttua <juhovh@iki.fi> wrote:

>
> > On 29.7.2014, at 0.15, Colm MacCárthaigh <colm@allcosts.net> wrote:
> >
> > On Mon, Jul 28, 2014 at 8:14 AM, Nikos Mavrogiannopoulos
> > <nmav@redhat.com> wrote:
> >> On the contrary, all _new_ ciphers are stream (GCM, CCM)
> >
> > Now you've got me scratching my head, because both GCM and CCM are
> > authentication modes for block ciphers, not stream.
>
> They are both authenticated counter modes for block ciphers, which means
> they behave like stream ciphers. Even though the output from the cipher
> comes in blocks, all redundant bytes in the end can be dropped, unlike in
> CBC mode.
>

FWIW, TLS has this idiosyncratic defn. of the term "stream cipher" that
matches
RC4 but not AEAD ciphers or even CTR mode... Hence comments about how
we are deprecating stream ciphers but not GCM.

-Ekr


> Therefore 2 byte alert encrypted with GCM or CCM is still 2 bytes plus the
> authentication tag. I believe this is what Nikos meant.
>
>
> Juho
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>