IETF Logo Mail Archive

Re: [TLS] Clarifications and questions: TLS1.3 - Static RSA and AEAD

Michael StJohns <msj@nthpermutation.com> Tue, 27 May 2014 17:49 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBF271A01D8 for <tls@ietfa.amsl.com>; Tue, 27 May 2014 10:49:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pPyKjA_1tB36 for <tls@ietfa.amsl.com>; Tue, 27 May 2014 10:49:33 -0700 (PDT)
Received: from mail-pb0-f53.google.com (mail-pb0-f53.google.com [209.85.160.53]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A173C1A0573 for <tls@ietf.org>; Tue, 27 May 2014 10:49:26 -0700 (PDT)
Received: by mail-pb0-f53.google.com with SMTP id md12so9625677pbc.12 for <tls@ietf.org>; Tue, 27 May 2014 10:49:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=BlwkfllAJ1O5pmkzcxKNrkzz1aA56eRO9v8oJSm9Od4=; b=SUAQmYoJ0gUC4a14Xf0jeFBy3FMW7nnDtfPRZxCBREJYgn9nle6tOUeEvOqbjZnBr8 +iELbgmp2/zXTa4FkP7+RSZuECrNfcMT/fX258NO3nR52HXSayxuMSi09CtfvWhdSHN8 jSMo9Ofk6S/UZW3uDKSIyALbNCe9vCQH+MxXFTohTn7sFA59brRfJc8+HrzJ8/dteoid t63kZzzz/Ya5Blf4/LrCv5EqER+MVHZ8FjL3zZIfGqfv63WPq3cS6x2bv0eQkYZxR9ja +8uyeAPggM7VTBzpHuxBaRYGV2GocucLg5TD/W3mKOSCcYBpQQLvyecdWbPMBVZLEflk HWfw==
X-Gm-Message-State: ALoCoQm15rmVjvtBT53mANEAx1GiTVPn/ztNxFxnizhl5MQyQORA42jgIBC1fvzcZ0yHGLNL9Ik+
X-Received: by 10.66.141.165 with SMTP id rp5mr38934734pab.90.1401212963542; Tue, 27 May 2014 10:49:23 -0700 (PDT)
Received: from [192.168.1.102] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id io6sm76297637pac.44.2014.05.27.10.49.22 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 27 May 2014 10:49:22 -0700 (PDT)
Message-ID: <5384D029.5080902@nthpermutation.com>
Date: Tue, 27 May 2014 13:49:29 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: tls@ietf.org
References: <5383F02F.4050706@nthpermutation.com> <CFAA0E43.15C3B%uri@ll.mit.edu> <f16c4cb2-3ee8-443f-adbc-4e6fab36f707@email.android.com> <CFAA11DB.15C49%uri@ll.mit.edu>
In-Reply-To: <CFAA11DB.15C49%uri@ll.mit.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/QMyJIEC8JjUnVqhHQUCmw7I5_G4
Subject: Re: [TLS] Clarifications and questions: TLS1.3 - Static RSA and AEAD
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2014 17:49:34 -0000

On 5/27/2014 9:59 AM, Blumenthal, Uri - 0558 - MITLL wrote:
> IVs:  contrary to what some people tend to believe, IV does not have to be
> random (or even unpredictable). Being unique is sufficient in many cases,
> including AEAD.

Hi Uri -

I seem to remember for some modes that the IV has to unpredictable - I 
believe that CBC was one. (But may be mitigated by integrity checks to 
defeat chosen plain text attacks?  I don't have time to search for a 
cite).  You are correct that uniqueness is the only requirement for 
AEAD, but mostly AEAD IVs are constructed from a [random nonce][per 
message value][block counter 0] concatenation - the random nonce 
enforces the uniquity.

Mike

v2.23.0 | Report a Bug | By Email