Re: [TLS] Consensus call on Implicit IV for AEAD
Michael Hamburg <mike@shiftleft.org> Fri, 17 April 2015 21:04 UTC
Return-Path: <mike@shiftleft.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0003A1B2CF7 for <tls@ietfa.amsl.com>; Fri, 17 Apr 2015 14:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.555
X-Spam-Level: *
X-Spam-Status: No, score=1.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tPA6ArHXb3fA for <tls@ietfa.amsl.com>; Fri, 17 Apr 2015 14:04:14 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35F051B2CDA for <tls@ietf.org>; Fri, 17 Apr 2015 14:04:14 -0700 (PDT)
Received: from [10.184.148.249] (unknown [209.36.6.242]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 2CC793AA3D; Fri, 17 Apr 2015 14:03:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1429304636; bh=GEJ3H9a44fW/6cCDpdzRNhRGPzrpBqMfsO3qWxKwd4o=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=MLqlny6cGRSygkB2dXKyPDprOJ8lFTWrEho8byRF/jR3W9MJMt4htmgo/JapcCPv0 uF71LIz3+UuJue1TLRVbe3TRHcAuXgM9znmaU2oDnye95n/no92dr2ot6+DemfpF4g rMH5mb7M/wPeuqWPitQJHHfkWWHb9yXZv3zH/MBw=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <20150417124739.GA30086@LK-Perkele-VII>
Date: Fri, 17 Apr 2015 14:04:11 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <B131C415-9282-4A27-8370-B6499B2CE415@shiftleft.org>
References: <CAOgPGoCW-znnh5VFobCFjZafxEOcwsaHZ_eByTwpCpmqfgX=6Q@mail.gmail.com> <20150417124739.GA30086@LK-Perkele-VII>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/MjiZHU-ylJu6XFbPAFH5RBWlGz4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Consensus call on Implicit IV for AEAD
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2015 21:04:17 -0000
> On Apr 17, 2015, at 5:47 AM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote: > > On Fri, Apr 03, 2015 at 01:34:15PM -0700, Joseph Salowey wrote: >> In the interim meeting we had consensus to use an implicit IV for AEAD. >> The proposal was to use the record sequence number and pad with zeros as >> described in pull request 155 ( >> https://github.com/tlswg/tls13-spec/pull/155/files). This was also >> discussed in the IETF-92 meeting in Dallas along with options to change the >> offset. The consensus was to stay with the original proposal. We are >> posting to the mailing list to confirm this consensus. > > I really do not like padding with zeroes, since it would weaken > encryption relative to TLS v1.2. And this is not just if the > symmetric encryption is already broken, but applies to all[1]. > > This is especially prominent with AES-128[2]. And "Just use AES-256" > does not solve the issue, since it will probably not be available > in important environments[3]. > > None of TLS v1.2, IPSec nor SSH use AES-GCM this way, all have > secret[4] fixed nonce-parts (SSH does use Chacha20 without per- > connection nonce[5]). > > > OTOH, the explicit per-record nonce field for AES-GCM seems really > unnecressary. Everybody uses it sequentially anyway, so it just > wastes 8 bytes per record. > > > > [1] If the algorithm is broken, if the zeroes or even just known > nonce further help breaking depends on type of attack (but of > course, one rather not use such broken algorithms).[6] > > [2] Substantial weakening happens far before collisions become > likely. So much less than AGL's "2^60" mentioned in the meeting. Really? Can you provide a citation? Because if I’m reading it correctly, this is a claim that AES-128 is not a secure PRP, with significantly less than 2^60 known/chosen plaintexts, keys and compute time. > [3] And I suppose nobody really likes AES-192 (despite the fact > that seemingly just about every CPU with "AES acceleration" is able > to accelerate that too). :-> … and this is a claim that AES-192 and AES-256 are somehow substantially more secure than AES-128 as PRPs. > [4] Secret meaning those are derived from the main key block. … and this is a claim that adding an extra key, which is in the nonce instead of an actual key to the cipher, makes it more secure. All this said, I agree that it’s wise to reduce the amount of cribtext you give an attacker, so long as it doesn’t cost too much complexity. If we are really providing a fatal amount of cribtext, then we need to fix that, but then again, we should probably toss the cipher out at that point. Cheers, — Mike > > [5] The encrypted stream looks like random noise, which makes it > harder to tell where packet boundaries are (and Chacha20 is > 256-bit keys anyway). > > [6] SSLv3 had known nonces for EXPORT ciphers, but secret ones > for strong ones. Hmm... > > > > -Ilari > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Consensus call on Implicit IV for AEAD Joseph Salowey
- Re: [TLS] Consensus call on Implicit IV for AEAD Martin Thomson
- Re: [TLS] Consensus call on Implicit IV for AEAD Daniel Migault
- Re: [TLS] Consensus call on Implicit IV for AEAD Brian Smith
- Re: [TLS] Consensus call on Implicit IV for AEAD Dave Garrett
- Re: [TLS] Consensus call on Implicit IV for AEAD Eric Rescorla
- Re: [TLS] Consensus call on Implicit IV for AEAD Ilari Liusvaara
- Re: [TLS] Consensus call on Implicit IV for AEAD Tom Ritter
- Re: [TLS] Consensus call on Implicit IV for AEAD David Leon Gil
- Re: [TLS] Consensus call on Implicit IV for AEAD Eric Rescorla
- Re: [TLS] Consensus call on Implicit IV for AEAD Yoav Nir
- Re: [TLS] Consensus call on Implicit IV for AEAD Tom Ritter
- Re: [TLS] Consensus call on Implicit IV for AEAD Yoav Nir
- Re: [TLS] Consensus call on Implicit IV for AEAD Daniel Migault
- Re: [TLS] Consensus call on Implicit IV for AEAD Martin Thomson
- Re: [TLS] Consensus call on Implicit IV for AEAD Daniel Migault
- Re: [TLS] Consensus call on Implicit IV for AEAD Ilari Liusvaara
- Re: [TLS] Consensus call on Implicit IV for AEAD Martin Thomson
- Re: [TLS] Consensus call on Implicit IV for AEAD Ilari Liusvaara
- Re: [TLS] Consensus call on Implicit IV for AEAD Michael Hamburg
- Re: [TLS] Consensus call on Implicit IV for AEAD Brian Smith
- Re: [TLS] Consensus call on Implicit IV for AEAD Yoav Nir