Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 05 August 2015 10:44 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8990F1B2F18 for <tls@ietfa.amsl.com>; Wed, 5 Aug 2015 03:44:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hEkz26P2Eaqf for <tls@ietfa.amsl.com>; Wed, 5 Aug 2015 03:44:24 -0700 (PDT)
Received: from emh06.mail.saunalahti.fi (emh06.mail.saunalahti.fi [62.142.5.116]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CCC01B2DA0 for <tls@ietf.org>; Wed, 5 Aug 2015 03:44:23 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh06.mail.saunalahti.fi (Postfix) with ESMTP id 96523699FA; Wed, 5 Aug 2015 13:44:20 +0300 (EEST)
Date: Wed, 5 Aug 2015 13:44:20 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20150805104420.GA17150@LK-Perkele-VII>
References: <1438691824.10777.9.camel@redhat.com> <CABkgnnVLahWvJ1ONUW7RLTuUVj1nrGVwgxBGsh2A58r1Gjf3aw@mail.gmail.com> <CALTJjxFpKCSbzBB=kFF7FUMvDyR0ZiNGgyvBz4EG3UpVotUAvg@mail.gmail.com> <CABkgnnUZFrHBqM7w24hNEzckaWaJKLKGnNiSh4zExBtmnerCZw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CABkgnnUZFrHBqM7w24hNEzckaWaJKLKGnNiSh4zExBtmnerCZw@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/LhM_J4RoMefLaqhkynoHuaFT6fs>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 10:44:26 -0000

On Tue, Aug 04, 2015 at 10:35:30AM -0700, Martin Thomson wrote:
> 
> As for the wasted bytes, I don't care for that.  We will fix that later.

It is not just wasted bytes.

It is also increased auditing requirements: Auditing that the nonce 
generation is sound (e.g. not random).

And in constructs like this, if you get it wrong, you will notice very
quickly (contrast to AES-GCM nonce generation: Serious errors can remain
hidden).

Also, unifying the GCM scheme, CCM scheme the scheme from this draft
and TLS 1.3 scheme isn't hard (supporting CBC is loads more annoying,
as it is much harder to unify[1]).


[1] Well, there are tricks with TLS 1.1/1.2 CBC modes, but TLS 1.0
CBC modes just won't unify.


-Ilari