Re: [TLS] Consensus call on Implicit IV for AEAD

Michael Hamburg <> Fri, 17 April 2015 21:04 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0003A1B2CF7 for <>; Fri, 17 Apr 2015 14:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.555
X-Spam-Level: *
X-Spam-Status: No, score=1.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tPA6ArHXb3fA for <>; Fri, 17 Apr 2015 14:04:14 -0700 (PDT)
Received: from ( []) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 35F051B2CDA for <>; Fri, 17 Apr 2015 14:04:14 -0700 (PDT)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 2CC793AA3D; Fri, 17 Apr 2015 14:03:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=sldo; t=1429304636; bh=GEJ3H9a44fW/6cCDpdzRNhRGPzrpBqMfsO3qWxKwd4o=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=MLqlny6cGRSygkB2dXKyPDprOJ8lFTWrEho8byRF/jR3W9MJMt4htmgo/JapcCPv0 uF71LIz3+UuJue1TLRVbe3TRHcAuXgM9znmaU2oDnye95n/no92dr2ot6+DemfpF4g rMH5mb7M/wPeuqWPitQJHHfkWWHb9yXZv3zH/MBw=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Michael Hamburg <>
In-Reply-To: <20150417124739.GA30086@LK-Perkele-VII>
Date: Fri, 17 Apr 2015 14:04:11 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <20150417124739.GA30086@LK-Perkele-VII>
To: Ilari Liusvaara <>
X-Mailer: Apple Mail (2.2098)
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Consensus call on Implicit IV for AEAD
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Apr 2015 21:04:17 -0000

> On Apr 17, 2015, at 5:47 AM, Ilari Liusvaara <> wrote:
> On Fri, Apr 03, 2015 at 01:34:15PM -0700, Joseph Salowey wrote:
>> In the interim meeting we had consensus to use an implicit IV for AEAD.
>> The proposal was to use the record sequence number and pad with zeros as
>> described in pull request 155 (
>>  This was also
>> discussed in the IETF-92 meeting in Dallas along with options to change the
>> offset.  The consensus was to stay with the original proposal.  We are
>> posting to the mailing list to confirm this consensus.
> I really do not like padding with zeroes, since it would weaken
> encryption relative to TLS v1.2. And this is not just if the
> symmetric encryption is already broken, but applies to all[1].
> This is especially prominent with AES-128[2]. And "Just use AES-256"
> does not solve the issue, since it will probably not be available
> in important environments[3].
> None of TLS v1.2, IPSec nor SSH use AES-GCM this way, all have
> secret[4] fixed nonce-parts (SSH does use Chacha20 without per-
> connection nonce[5]).
> OTOH, the explicit per-record nonce field for AES-GCM seems really
> unnecressary. Everybody uses it sequentially anyway, so it just
> wastes 8 bytes per record.
> [1] If the algorithm is broken, if the zeroes or even just known
> nonce further help breaking depends on type of attack (but of
> course, one rather not use such broken algorithms).[6]
> [2] Substantial weakening happens far before collisions become
> likely. So much less than AGL's "2^60" mentioned in the meeting.

Really?  Can you provide a citation?  Because if I’m reading it correctly, this is a claim that AES-128 is not a secure PRP, with significantly less than 2^60 known/chosen plaintexts, keys and compute time.

> [3] And I suppose nobody really likes AES-192 (despite the fact
> that seemingly just about every CPU with "AES acceleration" is able
> to accelerate that too). :->

… and this is a claim that AES-192 and AES-256 are somehow substantially more secure than AES-128 as PRPs.

> [4] Secret meaning those are derived from the main key block.

… and this is a claim that adding an extra key, which is in the nonce instead of an actual key to the cipher, makes it more secure.

All this said, I agree that it’s wise to reduce the amount of cribtext you give an attacker, so long as it doesn’t cost too much complexity.  If we are really providing a fatal amount of cribtext, then we need to fix that, but then again, we should probably toss the cipher out at that point.

— Mike

> [5] The encrypted stream looks like random noise, which makes it
> harder to tell where packet boundaries are (and Chacha20 is
> 256-bit keys anyway).
> [6] SSLv3 had known nonces for EXPORT ciphers, but secret ones
> for strong ones. Hmm...
> -Ilari
> _______________________________________________
> TLS mailing list