Re: [TLS] NIST TLS recomendations (IV generation)
Bodo Moeller <bmoeller@acm.org> Tue, 21 November 2006 17:43 UTC
Date: Tue, 21 Nov 2006 18:42:52 +0100
From: Bodo Moeller <bmoeller@acm.org>
To: "Blumenthal, Uri" <uri.blumenthal@intel.com>
Subject: Re: [TLS] NIST TLS recomendations (IV generation)
Message-ID: <20061121174252.GB15201@tau.invalid>
References: <279DDDAFA85EC74C9300A0598E704056FE69FD@hdsmsx412.amr.corp.intel.com>
Cc: tls@lists.ietf.org
On Tue, Nov 21, 2006 at 12:25:04PM -0500, Blumenthal, Uri wrote:

>>> For the 1st statement how about:
>>>
>>> The IV SHOULD be chosen at random, and MUST be
>>> unique and unpredictable.
>>>
>>> (based on crypto wisdom :-)

>> I'd like to align the text with NIST SP 800-38A, which doesn't
>> require uniqueness for CBC mode (and for other modes where
>> uniqueness is required, generating the IV randomly is not
>> usually acceptable).

> I guess I have an issue with SP 800-38A then :-).

>> So how about "The Initialization Vector (IV) SHOULD be
>> chosen at random, and MUST be unpredictable" ?
>>
>> (This text is in section titled "CBC block cipher",
>> so no need to consider OFB or CTR here...)

> Well, I still would like to see at least "SHOULD be unique", but since
> we are aligning with the official standard (and the issue is indeed
> rather improbable for CBC) - I'm leaving it to the others to decide. No
> strong push from my side in either direction.

Being unpredictable makes the IVs unique except with negligible
probability (unless you've used CBC on too long a data stream), so
there's no need for an explicit uniqueness requirement. If we write
"MUST be unique", this might evoke the perception that implementations
using randomly generated IVs are expected to check whether these
actually are unique, which usually is totally impractical, and totally
unnecessary.

So "SHOULD be chosen at random, and MUST be unpredictable" looks
exactly right to me.

Bodo
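As an added illustration of Bodo's point (this is not part of the original message or the list thread): random IVs need no uniqueness check because the birthday bound keeps collisions negligible until the data stream gets too long. The block generates a CBC IV from the OS CSPRNG and works out, for 64-bit and 128-bit block ciphers, how many records can be sent before the IV collision probability exceeds a chosen threshold; the block sizes, the 2^-32 threshold and the function names are my assumptions.

```python
import math
import secrets


def cbc_iv(block_size_bytes: int = 16) -> bytes:
    """Fresh IV for one CBC encryption, drawn from the OS CSPRNG so it is
    unpredictable to anyone who has seen earlier ciphertext (the MUST)."""
    return secrets.token_bytes(block_size_bytes)


def iv_collision_probability(num_ivs: int, block_bits: int) -> float:
    """Birthday-bound approximation of the probability that at least two of
    num_ivs uniformly random block_bits-bit IVs coincide:
    1 - exp(-n(n-1) / 2^(b+1)).  expm1 keeps precision for tiny values."""
    return -math.expm1(-num_ivs * (num_ivs - 1) / 2 ** (block_bits + 1))


def max_ivs_for_collision_bound(block_bits: int, max_probability: float) -> int:
    """Largest n whose collision probability stays <= max_probability, i.e.
    how long a stream may get before 'unique with negligible probability'
    stops holding.  Solves n(n-1) <= -ln(1-p) * 2^(b+1) for n."""
    budget = -math.log1p(-max_probability) * 2 ** (block_bits + 1)
    return int((1 + math.sqrt(1 + 4 * budget)) / 2)


if __name__ == "__main__":
    # Assumed block sizes: 64-bit (DES/3DES-style) and 128-bit (AES-style).
    threshold = 2 ** -32  # assumed acceptable collision probability
    for name, bits in (("64-bit block", 64), ("128-bit block", 128)):
        n = max_ivs_for_collision_bound(bits, threshold)
        print(f"{name}: up to {n:.3e} random IVs keep collision probability"
              f" <= 2^-32 (p at that point = {iv_collision_probability(n, bits):.3e})")
    print("example IV:", cbc_iv().hex())
```

The 64-bit result shows why the caveat about "too long a data stream" matters for small-block ciphers, while the 128-bit result is far beyond anything a single TLS connection carries.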