Re: [TLS] Should CCM_8 CSs be Recommended?

Yoav Nir <ynir.ietf@gmail.com> Wed, 04 October 2017 07:30 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <AACDE608-F8EE-4C5C-82C2-03AAF1C32BDA@gmail.com>
Date: Wed, 04 Oct 2017 10:30:26 +0300
In-Reply-To: <CABcZeBM=BnwGKydcWaaCTgqCvJA6Yc-ejz-q_BtsvCNO1JHWSg@mail.gmail.com>
Cc: Sean Turner <sean@sn3rd.com>, "<tls@ietf.org>" <tls@ietf.org>
To: Eric Rescorla <ekr@rtfm.com>
References: <CA26DC83-9524-4CDA-910A-7FDCBF73F849@sn3rd.com> <CABcZeBM=BnwGKydcWaaCTgqCvJA6Yc-ejz-q_BtsvCNO1JHWSg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JgOspnSQPFtdWwIIR9w2PyxR7so>

What we did in IPsec in RFC-to-be 8221 is the following.  This (including the IoT marker) is also going to appear in the IANA registry:
    +-------------------------+------------+---------+----------------+
    | Name                    | Status     | AEAD    | Comment        |
    +-------------------------+------------+---------+----------------+
    | ENCR_DES_IV64           | MUST NOT   | No      | UNSPECIFIED    |
    | ENCR_DES                | MUST NOT   | No      | [RFC2405]      |
    | ENCR_3DES               | SHOULD NOT | No      | [RFC2451]      |
    | ENCR_BLOWFISH           | MUST NOT   | No      | [RFC2451]      |
    | ENCR_3IDEA              | MUST NOT   | No      | UNSPECIFIED    |
    | ENCR_DES_IV32           | MUST NOT   | No      | UNSPECIFIED    |
    | ENCR_NULL               | MUST       | No      | [RFC2410]      |
    | ENCR_AES_CBC            | MUST       | No      | [RFC3602][1]   |
    | ENCR_AES_CCM_8          | SHOULD     | Yes     | [RFC4309](IoT) |
    | ENCR_AES_GCM_16         | MUST       | Yes     | [RFC4106][1]   |
    | ENCR_CHACHA20_POLY1305  | SHOULD     | Yes     | [RFC7634]      |
    +-------------------------+------------+---------+----------------+

   [1] - This requirement level is for 128-bit and 256-bit keys. 192-bit
   keys remain at the MAY level.

   (IoT) - This requirement is for interoperability with IoT.  Only
   128-bit keys are at the given level.

   IPsec sessions may have very long lifetime and carry multiple
   packets, so there is a need to move to 256-bit keys in the long term.

> On 4 Oct 2017, at 5:54, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Generally I tend to agree we should remove these, but as Jim said, there are reasons where I guess they make sense. Could we add a "Special Circumstances" marking?
> 
> -Ekr
> 
> 
> On Tue, Oct 3, 2017 at 3:53 PM, Sean Turner <sean@sn3rd.com> wrote:
> In the IANA registries draft (https://github.com/tlswg/draft-ietf-tls-iana-registry-updates), we’ve added a recommended column to the Cipher Suites (CSs) registry (and some others).  Right now, the criteria for getting a recommended mark is AEAD ciphers with strong authentication standards track ciphers.  While that’s great generally, the list we’ve got has five CSs that gave Joe and me pause:
> 
> TLS_DHE_RSA_WITH_AES_128_CCM_8
> TLS_DHE_RSA_WITH_AES_256_CCM_8
> TLS_PSK_DHE_WITH_AES_128_CCM_8
> TLS_PSK_DHE_WITH_AES_256_CCM_8
> TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256
> 
> The CCM_8 CSs have a significantly truncated authentication tag that represents a security trade-off that may not be appropriate for a general environment.  In other words, this might be great for some IoT device but we should not generally be recommending these.
> 
> We’re recommending that these five suites be dropped from the recommended list.  Please let us know what you think.
> 
> J&S
> (editor hats on)
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
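As an added example (not code from the thread, the registry draft or RFC 8221), the audit below applies the proposed rule to a constructed cipher-suite list and bounds the blind-forgery risk of a truncated tag; the names SAMPLE_SUITES, classify and forgery_probability are assumptions.

```python
import math
import re
# Constructed sample input: two of the CCM_8 suites named in the thread plus
# common suites, as they might appear in a server's configured cipher list.
SAMPLE_SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_CCM_8",
    "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CCM",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Tag length in bits per AEAD construction. CCM_8 is CCM with the tag
# truncated from 16 bytes to 8 (RFC 6655); that truncation is the trade-off.
AEAD_TAG_BITS = {"GCM": 128, "CCM": 128, "CCM_8": 64, "CHACHA20_POLY1305": 128}
# CCM_8 is listed before CCM so the truncated variant is not misread as CCM.
_AEAD_RE = re.compile(r"_(GCM|CCM_8|CCM|CHACHA20_POLY1305)(?:_|$)")

def tag_bits(suite):
    """Tag length in bits for an AEAD suite, or None for a non-AEAD suite."""
    m = _AEAD_RE.search(suite)
    return AEAD_TAG_BITS[m.group(1)] if m else None

def classify(suite):
    """Thread's proposed rule: Recommended only for AEAD suites with a
    full-length tag. Truncated-tag suites get an IoT marker, mirroring the
    (IoT) annotation RFC 8221 gives ENCR_AES_CCM_8. Standards-track status,
    the thread's other criterion, is not checked here (assumption)."""
    bits = tag_bits(suite)
    if bits is None:
        return "Not recommended (not AEAD)"
    if bits < 128:
        return "IoT only (%d-bit tag)" % bits
    return "Recommended"

def audit(suites):
    """Map each configured suite name to its recommendation status."""
    return {s: classify(s) for s in suites}

def forgery_probability(bits, attempts):
    """Chance that at least one of `attempts` blind tag guesses is accepted,
    each succeeding with probability 2^-bits; log1p/expm1 keep 2^-128
    from being rounded away in floating point."""
    return -math.expm1(attempts * math.log1p(-(2.0 ** -bits)))

if __name__ == "__main__":
    for suite, status in audit(SAMPLE_SUITES).items():
        print("%-45s %s" % (suite, status))
```

With 2^32 forgery attempts the bound is about 2^-32 for a 64-bit tag but about 2^-96 for a 128-bit tag, which is the gap behind the "IoT only" marking.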