IETF Logo Mail Archive

Re: [TLS] "Notes" column in draft-ietf-tls-rfc8447bis?

Valery Smyslov <smyslov.ietf@gmail.com> Fri, 08 December 2023 13:18 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25907C09C22C for <tls@ietfa.amsl.com>; Fri, 8 Dec 2023 05:18:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nlOBjXZhhH_7 for <tls@ietfa.amsl.com>; Fri, 8 Dec 2023 05:17:59 -0800 (PST)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1E6DC151081 for <tls@ietf.org>; Fri, 8 Dec 2023 05:17:58 -0800 (PST)
Received: by mail-ej1-x62f.google.com with SMTP id a640c23a62f3a-a1cdeab6b53so442407166b.1 for <tls@ietf.org>; Fri, 08 Dec 2023 05:17:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1702041477; x=1702646277; darn=ietf.org; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=gcV33jaW9j4UVlWtF3OoCKUKFhotJZY6gf7h0jiy/eM=; b=f4zz2p6A0Et1mVF0WiXs+kyamKG52XuP2NZBFWyqKWqh/tPwE6+o2DlXTSIsEqrqzL mxLP04ubgZHTtDKmsEdjcVG+TV28tNojCMk2CVNZhlTVhF5S0BZ2ANv+96Swgz5c4Jfn RgD1fCGHE1q2oitXIwdaSJfq3J5GjJKtxCo+e5OXLIpOJWW4CWTEA8SpVCW7BoFVKb0L b4BgPrN0xscBopbGCupu5vzUVNTESuMvyQuxtuUfA9qPtYP0OaBorKlvu1Jjopndj3nC Mhxk7WxQrKlWoKeyQtKXsN9YvaGqDsoKxfW4IvI7bBq4VPBPRcXJhMY/d40e3Jl1NJYO aLMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702041477; x=1702646277; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=gcV33jaW9j4UVlWtF3OoCKUKFhotJZY6gf7h0jiy/eM=; b=VYFLq4YHotaJirWau6PLUlZJjKcQer6wdyVTeJ5cEbNjn7ey8A2xMQat0GPAfpYusX QArZ2P4jGI7Z/z4xRNfJM0TYbmWzZEMx2Nk2s+60bD34q31SLz9VYfhdgTqCqPLrJg+t CwUEgtQdnNAruOLEMkBl0g8kJdv4FtGqQprPri/NeJuc1oMx3MDs2rS9rjXjECeOosq6 H3bojcclV9pWn1B+y3cJSCAW88t+LrjlrxgbAWdJnXgLQpg9q/mHNfG7WW+Bz14RP4jv qhTgaBUCYk/Mr3/zjfdEA8OLwM6haiNBPB5WmcWBKQsnIHddT1yLomyjseW7fMmXWkJE 2orA==
X-Gm-Message-State: AOJu0YyDsRLkPAVyk/G0mbQvPJAqAjqC3hrFHWZ7vq/TlKmdp5D291Ce nHDPKtQe8c/EC1YQ4bM6z9kZg0USUl0=
X-Google-Smtp-Source: AGHT+IFonHmME2GmZcqwD4gcFr3zMT0DKrNvmoEWUa+jlTr4R9IRgSqKMRICe2NSCHw0/9GkVE7RvA==
X-Received: by 2002:a17:907:60c7:b0:a1c:4c3e:99e2 with SMTP id hv7-20020a17090760c700b00a1c4c3e99e2mr915585ejc.22.1702041476782; Fri, 08 Dec 2023 05:17:56 -0800 (PST)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id ry9-20020a1709068d8900b00a1f744953c1sm368448ejc.105.2023.12.08.05.17.55 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 08 Dec 2023 05:17:56 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'John Mattsson' <john.mattsson@ericsson.com>, 'Sean Turner' <sean@sn3rd.com>, "'Salz, Rich'" <rsalz@akamai.com>
Cc: 'TLS List' <tls@ietf.org>
References: <4E5AE0C0-E9FD-4BF8-8102-81F4A236C32B@akamai.com> <GVXPR07MB9678C46D361929DA5D14370B8984A@GVXPR07MB9678.eurprd07.prod.outlook.com> <18950AB7-02F8-4D3F-A786-AB233DC489A0@akamai.com> <3976BB0F-9649-4815-BE74-D433240D2833@sn3rd.com> <GVXPR07MB96786BB3FEA1EBC78B2C9ADA8984A@GVXPR07MB9678.eurprd07.prod.outlook.com> <009201da286e$9bd0d8c0$d3728a40$@gmail.com> <GVXPR07MB96789CDCFF0F77243BAB2E01898AA@GVXPR07MB9678.eurprd07.prod.outlook.com> <02af01da29d1$655cb890$301629b0$@gmail.com> <GVXPR07MB967849F9FA3205A3A8B85851898AA@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB967849F9FA3205A3A8B85851898AA@GVXPR07MB9678.eurprd07.prod.outlook.com>
Date: Fri, 08 Dec 2023 16:17:54 +0300
Message-ID: <02c001da29d8$f4a8aa20$ddf9fe60$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_02C1_01DA29F2.19FC98E0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQEsNwSvdN6deT/hMJXMflIviahwVwH13zT0Ap9q0skCb613IAHo0IR6AjKYX1cBW9vl5wGXKBakAiYHnd+xeXgGYA==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PWy7qlKecxR6_fBZp_G7jGhBwjI>
Subject: Re: [TLS] "Notes" column in draft-ietf-tls-rfc8447bis?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Dec 2023 13:18:03 -0000

>And second, the packet protection key

>depends only on the corresponding application traffic secret 

>and on the packet number, it can always be calculated

>if the packet number is known. Both DTLS and QUIC 

>bear sequence numbers in packets, so 

>there seem to be no major obstacles for using GOST suites in them

>(I didn’t evaluate their use myself, but similar construction 

>is used for GOST ciphers in ESP, RFC 9227, and it works).

 

I think the ESP approach would work for GOST suites in DTLS 1.2. The difference is that sequence numbers are always encrypted in
DTLS 1.3 and QUIC. With rekeying every 8192 records (TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L) I think you could update the epoch
every time and things would work. With rekeying every record (TLS_GOSTR341112_256_WITH_MAGMA_MGM_S) you would not be able to rely on
epoch for out of order records and I think the receiver might need to try several keys before finding the correct one.
 
              Ah, I see. I didn’t realize that sequence numbers are encrypted.
              Yes, this adds some complexities. Thank you for pointing out.
 
              Regards,
              Valery.
 
Cheers,
John Preuß Mattsson

 

From: Valery Smyslov <smyslov.ietf@gmail.com>
Date: Friday, 8 December 2023 at 13:24
To: John Mattsson <john.mattsson@ericsson.com>, 'Sean Turner' <sean@sn3rd.com>, 'Salz, Rich' <rsalz@akamai.com>
Cc: 'TLS List' <tls@ietf.org>
Subject: RE: [TLS] "Notes" column in draft-ietf-tls-rfc8447bis?

Hi John,

 

two more clarifications regarding GOST suites.

 

First, the rekeying is not per-packet, but per n packets,

where n depends on the suite and varies from 1 to 8192

(as per table 1, Section 4.1, RFC 9367, constant C_3).

 

And second, the packet protection key

depends only on the corresponding application traffic secret 

and on the packet number, it can always be calculated

if the packet number is known. Both DTLS and QUIC 

bear sequence numbers in packets, so 

there seem to be no major obstacles for using GOST suites in them

(I didn’t evaluate their use myself, but similar construction 

is used for GOST ciphers in ESP, RFC 9227, and it works).

 

Regards,

Valery.

 

 

 

From: John Mattsson [mailto:john.mattsson@ericsson.com] 
Sent: Friday, December 08, 2023 12:31 PM
To: Valery Smyslov; 'Sean Turner'; 'Salz, Rich'
Cc: 'TLS List'
Subject: Re: [TLS] "Notes" column in draft-ietf-tls-rfc8447bis?

 

Hi,

 

Valery Smyslov wrote:

>No, they include only hash (GOSTR341112) and AEAD cipher (MAGMA_MGM or KUZNYECHIK_MGM).

>Their order in the names is unusual (hash first, cipher second).

 

Yes, my misunderstanding based on the weird naming order. So nothing weird technically. 

 

 

Ilari Liusvaara wrote:

>Also,

> 

>0x00,0xC6 TLS_SM4_GCM_SM3

>0x00,0xC7 TLS_SM4_CCM_SM3 

> 

>Both are explicitly flagged as not OK for DTLS. However, using GCM/CCM

>in usual way, so not difficult to define how those would work in DTLS

>or QUIC (just copy what AES-128 does there).

 

Yes, I agree that would be straightforward. But it has not been done yet.

 

Ilari Liusvaara wrote:

>If the _ECCPWD_ ones work for TLS 1.3, why wouldn't those work for DTLS

>1.3 or QUIC? Those ciphersuites use AES in standard way, and DTLS/QUIC

>do serialize the flights.

 

Yes, you are correct that they should work. DTLS 1.3 and QUIC defined header protection for all cipher suites that use AES.

 

Ilari Liusvaara wrote:

>Well, _ECCPWD_ is just special snowflake as it modifies the key

>exchange (I haven't checked if what it does actually works).

 

Feels to me like it would have been good if _ECCPWD_ TLS 1.3 cipher suites had never been registered. What should have been done is
to register TLS_AES_256_CCM_SHA384 together with some new key exchange or extentions....

 

Below is an updated table of TLS 1.3 cipher suites based on Ilari’s comments. One day I hope most of this info will be easy to
extract from the IANA registry.


Value

Description

DTLS 1.3

QUIC

Comment


0x00,0xC6

TLS_SM4_GCM_SM3

N

N

Would be straightforward to specify use in DTLS 1.3 and QUIC


0x00,0xC7

TLS_SM4_CCM_SM3

N

N

Would be straightforward to specify use in DTLS 1.3 and QUIC

					

0x13,0x01

TLS_AES_128_GCM_SHA256

Y

Y

	

0x13,0x02

TLS_AES_256_GCM_SHA384

Y

Y

	

0x13,0x03

TLS_CHACHA20_POLY1305_SHA256

Y

Y

	

0x13,0x04

TLS_AES_128_CCM_SHA256

Y

Y

	

0x13,0x05

TLS_AES_128_CCM_8_SHA256

Y

N

QUIC RFC states MUST NOT use


0x13,0x06

TLS_AEGIS_256_SHA512

Y

Y

	

0x13,0x07

TLS_AEGIS_128L_SHA256

Y

Y

	
					

0xC0,0xB0

TLS_ECCPWD_WITH_AES_128_GCM_SHA256

Y

Y

	

0xC0,0xB1

TLS_ECCPWD_WITH_AES_256_GCM_SHA384

Y

Y

	

0xC0,0xB2

TLS_ECCPWD_WITH_AES_128_CCM_SHA256

Y

Y

	

0xC0,0xB3

TLS_ECCPWD_WITH_AES_256_CCM_SHA384

Y

Y

	

0xC0,0xB4

TLS_SHA256_SHA256

N

N

Impossible to use in DTLS 1.3 and QUIC as NULL encryption is used.


0xC0,0xB5

TLS_SHA384_SHA384

N

N

Impossible to use in DTLS 1.3 and QUIC as NULL encryption is used.

					

0xC1,0x03

TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L

N

N

Not straightforward to specify use in DTLS 1.3 and QUIC due to per-packet rekeying


0xC1,0x04

TLS_GOSTR341112_256_WITH_MAGMA_MGM_L

N

N

Not straightforward to specify use in DTLS 1.3 and QUIC due to per-packet rekeying


0xC1,0x05

TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S

N

N

Not straightforward to specify use in DTLS 1.3 and QUIC due to per-packet rekeying


0xC1,0x06

TLS_GOSTR341112_256_WITH_MAGMA_MGM_S

N

N

Not straightforward to specify use in DTLS 1.3 and QUIC due to per-packet rekeying

 

Cheers,

John

 

From: Valery Smyslov <smyslov.ietf@gmail.com>
Date: Wednesday, 6 December 2023 at 19:04
To: John Mattsson <john.mattsson@ericsson.com>, 'Sean Turner' <sean@sn3rd.com>, 'Salz, Rich' <rsalz@akamai.com>
Cc: 'TLS List' <tls@ietf.org>
Subject: RE: [TLS] "Notes" column in draft-ietf-tls-rfc8447bis?

Hi John,

 

just a clarification:

 

 

The _GOSTR341112_ seems to include authentication and key exchange…. I did not think this was how TLS 1.3 cipher suites were
supposed to be used.

 

            No, they include only hash (GOSTR341112) and AEAD cipher (MAGMA_MGM or KUZNYECHIK_MGM).

            Their order in the names is unusual (hash first, cipher second).

 

            Regards,

            Valery.

 

Cheers,

John Preuß Mattsson

 

From: Sean Turner <sean@sn3rd.com>
Date: Wednesday, 6 December 2023 at 14:55
To: Salz, Rich <rsalz@akamai.com>, John Mattsson <john.mattsson@ericsson.com>
Cc: TLS List <tls@ietf.org>
Subject: Re: [TLS] "Notes" column in draft-ietf-tls-rfc8447bis?


> On Dec 6, 2023, at 08:02, Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
> 
> Yes, I think information regarding if a cipher suite is for TLS 1.3 is very needed to have.  I already asked for that in
> https://mailarchive.ietf.org/arch/msg/tls/0gDKfXJvAemFDm7MWcS1DTDVIe8/
>  
> In addition, I would also like to information if the cipher suite can be used in QUIC.
>  
> The 8447bis draft added a notes column to every TLS registry. The “1.2 is frozen” draft says to use it to indicate things like
“for TLS 1.3 and later”. It’s a free-form text field, so we can direct IANA to put anything we want. :)

Yep we added it via:
https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-cc6bdfdfb39824c6
<https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-cc6bdfdfb39824c6&q=1&e=9148a29f-ecfe-46e0-869e-33ffd8
475127&u=https%3A%2F%2Fgithub.com%2Ftlswg%2Frfc8447bis%2Fpull%2F48>
&q=1&e=9148a29f-ecfe-46e0-869e-33ffd8475127&u=https%3A%2F%2Fgithub.com%2Ftlswg%2Frfc8447bis%2Fpull%2F48

spt

v2.23.0 | Report a Bug | By Email