Re: [TLS] integrity only ciphersuites
Eric Rescorla <ekr@rtfm.com> Mon, 20 August 2018 20:58 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 055B6128BAC for <tls@ietfa.amsl.com>; Mon, 20 Aug 2018 13:58:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1Mq8_CovUHV for <tls@ietfa.amsl.com>; Mon, 20 Aug 2018 13:58:41 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 596F8124C04 for <tls@ietf.org>; Mon, 20 Aug 2018 13:58:41 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id i7-v6so2369170lfh.5 for <tls@ietf.org>; Mon, 20 Aug 2018 13:58:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wDWyNX6oYUL9ukmMJGUnBjE9VYgeEUUwMJhtRUJzLlc=; b=lzmnz8QM4dW2x1qRdCtq3RcrMG7Vg6x7Vlz/sW5LO3IhG+Kp2yW8HgKuJ/xSBWzkqw UzxRGnzSZiz4pyA8WT1njx+FF9aA74+7x6lEdiCQefdz5TtU8+mWwpefk+J6B0t3UPgH RHcTQBtqSyiMAeIz/vrb2dmYbygkmDO4sOxegUwO92OFcjnSHoUKYnhNTKRQD0RlD3OK yM3QQFNKRfRqA1oavq4/BxUNVd6eDGW03CokOStIIkFB6EVbDyutzzRGPtJ95LFf9Z+q fiApy3fM5YtXSIeV0IYpyVR8hTX5L3kye+/UILb+zxm8Y6zIKvCJrfpQ2jhBmgcNU3VD I2jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wDWyNX6oYUL9ukmMJGUnBjE9VYgeEUUwMJhtRUJzLlc=; b=qVfXIexIve37cscvtowIhbRTEci3PuWzbIsgwMwZ23OQ6HhfQBx4O+C9pGc0PorII6 ukxLqj0IhGiUBbPtX5p8scZV+asbvXHdbZDmv1rot1yM9A1KgiN7RJblODQaPr+613MX 3V0v9zdrg0trqOxjib91LeeAzeYXQtd+J30erBJkpyBFPvbf1YWbI+8pT4JOc+l/YCeT 2G1RoBWkY98OmM5xSyO+OHeWJcGeH1CgC/Ry1ux79c8wUJRtCXWzNS5Sc6N0OoBgz75w b7W9YO3n/7gkFYSt3S3KCP/jr1OigGuaocn52vRKV2xiNVENxzNzOW6TIEVJeIqn3oVX jfVQ==
X-Gm-Message-State: AOUpUlGD6TOlS2jpBdRXvKsZwV1mlQaxAD2znXh6mlOf7oOLfANOC0L4 8H3ej6wDDmyyvWSkOQzjGEC7SzPMARanHmMUfDSqH7ZCSw8=
X-Google-Smtp-Source: AA+uWPynHv1IM8B6duH8piAd0hlYhC8o039qykmS7P3zJj4MfLwKS246Cv7udiDcwk1ojXbQwvCgncMIsVnEmfSFUII=
X-Received: by 2002:a19:d095:: with SMTP id h143-v6mr29774898lfg.16.1534798719490; Mon, 20 Aug 2018 13:58:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:4091:0:0:0:0:0 with HTTP; Mon, 20 Aug 2018 13:57:58 -0700 (PDT)
In-Reply-To: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com>
References: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 20 Aug 2018 13:57:58 -0700
Message-ID: <CABcZeBNpgnfBerkutLB0jKA4vF_FrpXNHnEeKQhAOFm-y=xJsA@mail.gmail.com>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007a327c0573e42ce9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Q0YMi_mK4oMaJB49lXVHFMGwi9U>
Subject: Re: [TLS] integrity only ciphersuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2018 20:58:44 -0000
On Mon, Aug 20, 2018 at 1:48 PM, Nancy Cam-Winget (ncamwing) < ncamwing=40cisco.com@dmarc.ietf.org> wrote: > All, > > A couple IoT consortiums are trying to embrace the improvements made to > TLS 1.3 and as they define their new security constructs would like to > adopt the latest protocols, in this case TLS 1.3. To that extent, they > have a strong need for mutual authentication, but integrity only (no > confidentiality) requirements. > > > > In following the new IANA rules, we have posted the draft > https://tools.ietf.org/html/draft-camwinget-tls-ts13-macciphersuites-00 > to document request for registrations of HMAC based cipher selections with > TLS 1.3…..and are soliciting feedback from the WG on the draft and its path > forward. > Nancy, As you say, you don't need WG approval for code point registration as long as you don't want Recommended status. With that said, I don't think this document makes a very strong case for these cipher suites. Essentially you say: 1. We don't need confidentiality 2. Code footprint is important Generally, I'm not very enthusiastic about argument (1). It's often the case that applications superficially need integrity but actually rely on confidentiality in some way (the obvious case is that HTTP Cookies are an authentication mechanism, but because they are a bearer token, you actually need confidentiatilty). It's much easier to just always supply confidentiality than to try to reason about when it is or is not needed. The second argument is that you are trying to keep code size down. It's true that not having AES is cheaper than having AES, but it's possible to have very lightweight AES stacks (see for instance: https://github.com/01org/tinycrypt). So, overall, this doesn't seem very compelling. -Ekr > > Warm regards, Nancy (and Jack) > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] integrity only ciphersuites Nancy Cam-Winget (ncamwing)
- Re: [TLS] integrity only ciphersuites Eric Rescorla
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Jack Visoky
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Eric Rescorla
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Ted Lemon
- Re: [TLS] integrity only ciphersuites Mike Bishop
- Re: [TLS] integrity only ciphersuites Nancy Cam-Winget (ncamwing)
- Re: [TLS] integrity only ciphersuites Judson Wilson
- Re: [TLS] integrity only ciphersuites Geoffrey Keating
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Lyndon Nerenberg
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Judson Wilson
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Peter Gutmann
- Re: [TLS] integrity only ciphersuites Stephen Farrell
- Re: [TLS] integrity only ciphersuites Viktor Dukhovni
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Judson Wilson
- Re: [TLS] integrity only ciphersuites Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] integrity only ciphersuites Viktor Dukhovni
- Re: [TLS] integrity only ciphersuites Kathleen Moriarty
- Re: [TLS] integrity only ciphersuites Stephen Farrell
- Re: [TLS] integrity only ciphersuites Bill Frantz
- Re: [TLS] integrity only ciphersuites Andreas Walz
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Jack Visoky
- Re: [TLS] integrity only ciphersuites Richard Barnes
- Re: [TLS] integrity only ciphersuites Stephen Farrell
- Re: [TLS] integrity only ciphersuites Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Ted Lemon
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Jack Visoky
- Re: [TLS] integrity only ciphersuites Fries, Steffen
- Re: [TLS] integrity only ciphersuites Salz, Rich
- Re: [TLS] integrity only ciphersuites Fries, Steffen
- Re: [TLS] integrity only ciphersuites Ted Lemon
- Re: [TLS] integrity only ciphersuites Salz, Rich
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Ted Lemon
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Stephen Farrell
- Re: [TLS] integrity only ciphersuites Fries, Steffen
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Jack Visoky
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Jack Visoky
- Re: [TLS] integrity only ciphersuites Salz, Rich
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Ted Lemon
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Jack Visoky
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Ted Lemon
- Re: [TLS] integrity only ciphersuites Bill Frantz
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Salz, Rich
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Jack Visoky
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Ted Lemon
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Jack Visoky
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Jack Visoky
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Viktor Dukhovni
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Eric Rescorla
- Re: [TLS] null auth ciphers for TLS 1.3? Viktor Dukhovni
- Re: [TLS] null auth ciphers for TLS 1.3? Eric Rescorla
- Re: [TLS] null auth ciphers for TLS 1.3? David Benjamin
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] integrity only ciphersuites Martin Thomson
- Re: [TLS] null auth ciphers for TLS 1.3? Peter Gutmann
- Re: [TLS] integrity only ciphersuites Peter Gutmann
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Peter Gutmann
- Re: [TLS] raw public keys in the wild? Viktor Dukhovni
- Re: [TLS] raw public keys in the wild? Peter Gutmann
- Re: [TLS] null auth ciphers for TLS 1.3? Wang Haiguang
- Re: [TLS] null auth ciphers for TLS 1.3? Bill Frantz
- Re: [TLS] EXTERNAL: Re: integrity only ciphersuit… Nancy Cam-Winget (ncamwing)
- Re: [TLS] integrity only ciphersuites Nancy Cam-Winget (ncamwing)
- Re: [TLS] raw public keys in the wild? Richard Barnes
- Re: [TLS] raw public keys in the wild? Viktor Dukhovni