Re: [TLS] ChaCha and IVs

Bodo Moeller <bmoeller@acm.org> Thu, 06 March 2014 02:33 UTC

Date: Wed, 05 Mar 2014 18:33:47 -0800
Message-ID: <CADMpkcJEhrHV2C2Vs5Q27--PrQeMe9vc-wriZJMobmfqYrhm9w@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Nico Williams <nico@cryptonector.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/MKvKS-IsbeNEyMnHs7PDAA0izbg
Cc: Stephen Kent <kent@bbn.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ChaCha and IVs

Nico Williams <nico@cryptonector.com>:

> Bodo Moeller <bmoeller@acm.org> wrote:
>
> > Right -- sorry, when I wrote the above, I only meant a check when
> > *en*crypting. *De*cryption is normally expected to have to handle
> > potentially arbitrary explicit IVs, anyway: for example, if encryption uses
> > random IVs, decryption will just have to accept these -- you wouldn't be
> > generating random IVs in the decryption module too :-).
>
> Again, the module might check a sequence number window of its own.
> And on the encryption side you should want a threaded program to be
> able to encrypt out of order.  DTLS' out of order functionality is not
> (or need not be) just in case the transport reorders.


I do understand that, but we have three competing optimization goals here:

- Keep the code requiring FIPS evaluation (if that's required) as small as
possible.
- Avoid the overhead of an explicit IV [as a side-effect, improving
security -- a counter is better than random IVs].
- Allow optimal parallelization.

Pick any two.  For example, if you introduce random IVs to allow concurrent
encryption by multiple threads in a more easily evaluable encryption
module, while encryption can get faster, the explicit IV also means you end
up with more data to send.  It's not clear why that would be the best
trade-off.

Bodo
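As an added example (not code from this thread or from any TLS implementation), here is one way to realise the encryption-side check Bodo refers to while still letting a threaded encryptor reserve record sequence numbers out of order: a sliding bitmap that refuses any sequence number a second time, yielding an implicit nonce so that no explicit IV is sent with the record. The 96-bit nonce layout (64-bit sequence number, zero-padded, XORed with a per-connection fixed IV), the 64-entry window and the 8-byte explicit-IV figure are assumptions of this example, not statements from the message.

```python
import struct

NONCE_LEN = 12        # assumption: 96-bit AEAD nonce
EXPLICIT_IV_LEN = 8   # assumption: bytes an explicit per-record IV would add


class EncryptNonceGuard:
    """Encryption-side guard against nonce reuse.

    Sequence numbers may be reserved out of order (so several threads can
    encrypt concurrently), but each may be reserved exactly once.  A bitmap
    of WINDOW entries below the highest number seen tracks what is used;
    anything older than the window is refused rather than risk a repeat.
    """

    WINDOW = 64  # assumption: how far behind the highest seq we still track

    def __init__(self, fixed_iv: bytes):
        if len(fixed_iv) != NONCE_LEN:
            raise ValueError("fixed IV must be %d bytes" % NONCE_LEN)
        self.fixed_iv = fixed_iv
        self.highest = -1   # highest sequence number reserved so far
        self.bitmap = 0     # bit i set => (highest - i) already used

    def reserve(self, seq: int) -> bytes:
        """Mark `seq` as used and return the implicit nonce for that record."""
        if not 0 <= seq < 2 ** 64:
            raise ValueError("sequence number out of range")
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; bit 0 now denotes the new highest.
            self.bitmap = 0 if shift >= self.WINDOW else self.bitmap << shift
            self.bitmap = (self.bitmap | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            offset = self.highest - seq
            if offset >= self.WINDOW:
                raise ValueError("sequence number %d too old to track" % seq)
            if self.bitmap >> offset & 1:
                raise ValueError("nonce reuse: seq %d already used" % seq)
            self.bitmap |= 1 << offset
        # Implicit nonce: 64-bit seq, zero-padded to 96 bits, XOR fixed IV.
        padded = b"\x00" * (NONCE_LEN - 8) + struct.pack(">Q", seq)
        return bytes(a ^ b for a, b in zip(padded, self.fixed_iv))


def try_reserve(guard: EncryptNonceGuard, seq: int):
    """Nonce for `seq`, or None when the guard refuses (reuse or too old)."""
    try:
        return guard.reserve(seq)
    except ValueError:
        return None


def explicit_iv_cost(records: int) -> int:
    """Extra bytes on the wire if each record carried an explicit IV instead."""
    return records * EXPLICIT_IV_LEN
```

Reserving 0, 2, 1 in that order succeeds (out-of-order encryption), while a second 1 or a second 0 is refused; the same sequence numbers would also have cost 8 bytes each as explicit IVs.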