Re: [TLS] Consensus call on Implicit IV for AEAD

Tom Ritter <tom@ritter.vg> Mon, 06 April 2015 01:10 UTC


On 3 April 2015 at 15:34, Joseph Salowey <joe@salowey.net> wrote:
> In the interim meeting we had consensus to use an implicit IV for AEAD.  The
> proposal was to use the record sequence number and pad with zeros as
> described in pull request 155
> (https://github.com/tlswg/tls13-spec/pull/155/files).  This was also
> discussed in the IETF-92 meeting in Dallas along with options to change the
> offset.  The consensus was to stay with the original proposal.  We are
> posting to the mailing list to confirm this consensus. If you have comments,
> please reply by April 17, 2015.
I apologize if I'm mistaken or this has been raised previously, but I
feel compelled to speak up and not assume it has.

The record sequence number is predictable. It's not in the clear on
the wire, but it begins at 0 and increments with every record.
(Right?)

This will result in a predictable IV for the AEAD mode.  We have two
AEAD modes today:
 - GCM - IV must be unique, being predictable doesn't matter (Right?)
 - poly1305 - IV/Nonce must be unique, being predictable doesn't matter (Right?)

But we also don't know what AEAD modes we will add in the future.  I'm
far from being 'up' on the CAESAR competition, but I skimmed the first
~10 entries, and one, CMCC, is based on CBC mode. It seems like a
predictable IV = BEAST.  Am I right in thinking we will be
pigeonholing ourselves into only allowing AEAD modes that do _not_
require an unpredictable IV?

-tom
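As an added illustration (not part of this thread or the tls13-spec repository), the construction under discussion in Go: the 64-bit record sequence number, zero-padded to the AES-GCM nonce length, derived independently by both endpoints and never transmitted. The key, record header bytes and `endpoint` type are constructed for the example; the wrap guard shows the one property the scheme has to preserve (nonce uniqueness under a key), which is why it suits GCM and ChaCha20-Poly1305 and would not satisfy a mode that needs an unpredictable IV.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// recordNonce is the implicit IV from the consensus call: the 64-bit record
// sequence number, left-padded with zeros to the 12-byte GCM nonce. It is
// predictable (0, 1, 2, ...) and never sent on the wire; GCM only needs it unique.
func recordNonce(seq uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}

// endpoint is one direction of a connection: the AEAD plus the next sequence
// number. Sender and receiver hold separate copies that advance in lockstep.
type endpoint struct {
	aead cipher.AEAD
	seq  uint64
	done bool // counter wrapped: no nonce may be reused under this key
}

func newEndpoint(key []byte) (*endpoint, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &endpoint{aead: aead}, err
}

// protect seals (seal=true) or opens (seal=false) one record under the nonce
// for this endpoint's own counter. A receiver deriving the nonce itself makes a
// dropped, replayed or reordered record fail authentication, and an exhausted
// counter forces a rekey instead of ever repeating a nonce.
func (e *endpoint) protect(seal bool, in, hdr []byte) ([]byte, error) {
	if e.done {
		return nil, errors.New("sequence number exhausted; rekey required")
	}
	n := recordNonce(e.seq)
	e.done, e.seq = e.seq == ^uint64(0), e.seq+1 // unsigned wrap to 0 is harmless: done is set
	if seal {
		return e.aead.Seal(nil, n, in, hdr), nil
	}
	return e.aead.Open(nil, n, in, hdr)
}

func main() { fmt.Printf("nonce for record 1: %x\n", recordNonce(1)) }
```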