Re: [TLS] Consensus call on Implicit IV for AEAD

Michael Hamburg <mike@shiftleft.org> Fri, 17 April 2015 21:04 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0003A1B2CF7 for <tls@ietfa.amsl.com>; Fri, 17 Apr 2015 14:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.555
X-Spam-Level: *
X-Spam-Status: No, score=1.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tPA6ArHXb3fA for <tls@ietfa.amsl.com>; Fri, 17 Apr 2015 14:04:14 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35F051B2CDA for <tls@ietf.org>; Fri, 17 Apr 2015 14:04:14 -0700 (PDT)
Received: from [10.184.148.249] (unknown [209.36.6.242]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 2CC793AA3D; Fri, 17 Apr 2015 14:03:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1429304636; bh=GEJ3H9a44fW/6cCDpdzRNhRGPzrpBqMfsO3qWxKwd4o=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=MLqlny6cGRSygkB2dXKyPDprOJ8lFTWrEho8byRF/jR3W9MJMt4htmgo/JapcCPv0 uF71LIz3+UuJue1TLRVbe3TRHcAuXgM9znmaU2oDnye95n/no92dr2ot6+DemfpF4g rMH5mb7M/wPeuqWPitQJHHfkWWHb9yXZv3zH/MBw=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <20150417124739.GA30086@LK-Perkele-VII>
Date: Fri, 17 Apr 2015 14:04:11 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <B131C415-9282-4A27-8370-B6499B2CE415@shiftleft.org>
References: <CAOgPGoCW-znnh5VFobCFjZafxEOcwsaHZ_eByTwpCpmqfgX=6Q@mail.gmail.com> <20150417124739.GA30086@LK-Perkele-VII>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/MjiZHU-ylJu6XFbPAFH5RBWlGz4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Consensus call on Implicit IV for AEAD
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2015 21:04:17 -0000

> On Apr 17, 2015, at 5:47 AM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> 
> On Fri, Apr 03, 2015 at 01:34:15PM -0700, Joseph Salowey wrote:
>> In the interim meeting we had consensus to use an implicit IV for AEAD.
>> The proposal was to use the record sequence number and pad with zeros as
>> described in pull request 155 (
>> https://github.com/tlswg/tls13-spec/pull/155/files).  This was also
>> discussed in the IETF-92 meeting in Dallas along with options to change the
>> offset.  The consensus was to stay with the original proposal.  We are
>> posting to the mailing list to confirm this consensus.
> 
> I really do not like padding with zeroes, since it would weaken
> encryption relative to TLS v1.2. And this is not just if the
> symmetric encryption is already broken, but applies to all[1].
> 
> This is especially prominent with AES-128[2]. And "Just use AES-256"
> does not solve the issue, since it will probably not be available
> in important environments[3].
> 
> None of TLS v1.2, IPSec nor SSH use AES-GCM this way, all have
> secret[4] fixed nonce-parts (SSH does use Chacha20 without per-
> connection nonce[5]).
> 
> 
> OTOH, the explicit per-record nonce field for AES-GCM seems really
> unnecressary. Everybody uses it sequentially anyway, so it just
> wastes 8 bytes per record.
> 
> 
> 
> [1] If the algorithm is broken, if the zeroes or even just known
> nonce further help breaking depends on type of attack (but of
> course, one rather not use such broken algorithms).[6]
> 
> [2] Substantial weakening happens far before collisions become
> likely. So much less than AGL's "2^60" mentioned in the meeting.

Really?  Can you provide a citation?  Because if I’m reading it correctly, this is a claim that AES-128 is not a secure PRP, with significantly less than 2^60 known/chosen plaintexts, keys and compute time.

> [3] And I suppose nobody really likes AES-192 (despite the fact
> that seemingly just about every CPU with "AES acceleration" is able
> to accelerate that too). :->

… and this is a claim that AES-192 and AES-256 are somehow substantially more secure than AES-128 as PRPs.

> [4] Secret meaning those are derived from the main key block.

… and this is a claim that adding an extra key, which is in the nonce instead of an actual key to the cipher, makes it more secure.

All this said, I agree that it’s wise to reduce the amount of cribtext you give an attacker, so long as it doesn’t cost too much complexity.  If we are really providing a fatal amount of cribtext, then we need to fix that, but then again, we should probably toss the cipher out at that point.

Cheers,
— Mike

> 
> [5] The encrypted stream looks like random noise, which makes it
> harder to tell where packet boundaries are (and Chacha20 is
> 256-bit keys anyway).
> 
> [6] SSLv3 had known nonces for EXPORT ciphers, but secret ones
> for strong ones. Hmm...
> 
> 
> 
> -Ilari
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls