Re: [TLS] Should CCM_8 CSs be Recommended?
Yoav Nir <ynir.ietf@gmail.com> Wed, 04 October 2017 07:30 UTC
From: Yoav Nir <ynir.ietf@gmail.com>
Date: Wed, 04 Oct 2017 10:30:26 +0300
Cc: Sean Turner <sean@sn3rd.com>, "<tls@ietf.org>" <tls@ietf.org>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JgOspnSQPFtdWwIIR9w2PyxR7so>

What we did in IPsec in RFC-to-be 8221 is the following. This (including the IoT marker) is also going to appear in the IANA registry:

+-------------------------+------------+---------+----------------+
| Name                    | Status     | AEAD    | Comment        |
+-------------------------+------------+---------+----------------+
| ENCR_DES_IV64           | MUST NOT   | No      | UNSPECIFIED    |
| ENCR_DES                | MUST NOT   | No      | [RFC2405]      |
| ENCR_3DES               | SHOULD NOT | No      | [RFC2451]      |
| ENCR_BLOWFISH           | MUST NOT   | No      | [RFC2451]      |
| ENCR_3IDEA              | MUST NOT   | No      | UNSPECIFIED    |
| ENCR_DES_IV32           | MUST NOT   | No      | UNSPECIFIED    |
| ENCR_NULL               | MUST       | No      | [RFC2410]      |
| ENCR_AES_CBC            | MUST       | No      | [RFC3602][1]   |
| ENCR_AES_CCM_8          | SHOULD     | Yes     | [RFC4309](IoT) |
| ENCR_AES_GCM_16         | MUST       | Yes     | [RFC4106][1]   |
| ENCR_CHACHA20_POLY1305  | SHOULD     | Yes     | [RFC7634]      |
+-------------------------+------------+---------+----------------+

[1] - This requirement level is for 128-bit and 256-bit keys. 192-bit keys remain at the MAY level.

(IoT) - This requirement is for interoperability with IoT. Only 128-bit keys are at the given level.

IPsec sessions may have very long lifetime and carry multiple packets, so there is a need to move to 256-bit keys in the long term.

> On 4 Oct 2017, at 5:54, Eric Rescorla <ekr@rtfm.com> wrote:
>
> Generally I tend to agree we should remove these, but as Jim said, there are reasons where I guess they make sense. Could we add a "Special Circumstances" marking?
>
> -Ekr
>
>
> On Tue, Oct 3, 2017 at 3:53 PM, Sean Turner <sean@sn3rd.com> wrote:
> In the IANA registries draft (https://github.com/tlswg/draft-ietf-tls-iana-registry-updates), we’ve added a recommended column to the Cipher Suites (CSs) registry (and some others). Right now, the criteria for getting a recommended mark is AEAD ciphers with strong authentication standards track ciphers. While that’s great generally, the list we’ve got five CSs that gave Joe and I pause:
>
> TLS_DHE_RSA_WITH_AES_128_CCM_8
> TLS_DHE_RSA_WITH_AES_256_CCM_8
> TLS_PSK_DHE_WITH_AES_128_CCM_8
> TLS_PSK_DHE_WITH_AES_256_CCM_8
> TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256
>
> The CCM_8 CSs have a significantly truncated authentication tag that represents a security trade-off that may not be appropriate for general environment. In other words, this might be great for some IoT device but we should not generally be recommending these.
>
> We’re recommending that these five suites be dropped from the recommended list. Please let us know what you think.
>
> J&S
> (editor hats on)
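
An added example, not part of the message above or of any draft: one way an operator could audit a configured TLS cipher suite list for the truncated-tag suites discussed in this thread. It checks only AEAD use and tag length, not the other criteria mentioned (standards track, strong authentication); the function names, the 16-byte threshold default and the sample configuration are assumptions made for the illustration.

```python
import re

# AEAD authentication tag length in bytes, keyed by the name used in the suite.
# CCM_8 is AES-CCM with the tag truncated from 16 bytes to 8 bytes.
TAG_BYTES = {"CCM_8": 8, "CCM": 16, "GCM": 16, "CHACHA20_POLY1305": 16}

# CCM_8 is listed before CCM so the longer name wins; a trailing _SHAnnn is optional.
AEAD_RE = re.compile(
    r"_WITH_(?:AES_(?:128|256)_(CCM_8|CCM|GCM)|(CHACHA20_POLY1305))(?:_SHA\d+)?$"
)


def tag_bytes(suite):
    """Return the AEAD tag length in bytes, or None if the suite is not AEAD."""
    m = AEAD_RE.search(suite)
    if m is None:
        return None
    return TAG_BYTES[m.group(1) or m.group(2)]


def audit(suites, min_tag_bytes=16):
    """Classify each suite as 'ok', 'truncated-tag' or 'non-aead'."""
    report = {}
    for suite in suites:
        n = tag_bytes(suite)
        if n is None:
            report[suite] = "non-aead"
        elif n < min_tag_bytes:
            # A blind forgery against an ideal t-bit tag succeeds with
            # probability 2^-t per attempt, so 8 bytes means 2^-64, not 2^-128.
            report[suite] = "truncated-tag"
        else:
            report[suite] = "ok"
    return report


# Constructed sample configuration (hypothetical server cipher list).
SAMPLE_CONFIG = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CCM",
    "TLS_DHE_RSA_WITH_AES_128_CCM_8",
    "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{verdict:14} {name}")
```

Passing min_tag_bytes=8 models a constrained deployment that has decided to accept the shorter tag.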