IETF Logo Mail Archive

Re: [TLS] Comments on

Adam Langley <agl@google.com> Thu, 13 February 2014 15:53 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E3921A0294 for <tls@ietfa.amsl.com>; Thu, 13 Feb 2014 07:53:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.627
X-Spam-Level:
X-Spam-Status: No, score=-1.627 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 49Ds_LL6tXcb for <tls@ietfa.amsl.com>; Thu, 13 Feb 2014 07:53:04 -0800 (PST)
Received: from mail-vc0-x22c.google.com (mail-vc0-x22c.google.com [IPv6:2607:f8b0:400c:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id E5D061A01F7 for <tls@ietf.org>; Thu, 13 Feb 2014 07:53:03 -0800 (PST)
Received: by mail-vc0-f172.google.com with SMTP id lf12so8250845vcb.17 for <tls@ietf.org>; Thu, 13 Feb 2014 07:53:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=8swj3+2Rhfk75WYeC0I6at4HhL9zHoZFCZvyqZK5fb4=; b=odGc1gKS6Q057fE+f2dvI7tT27/U0/tYk7okNZVbrsqtXgo10NPkZ7g6opSE48DVfM G2R/Q2CFA9WVduMg2J0Ae8C0o0IaxuSaXTVMh3v7kg+c8mCRkkcxb8NfsC7VDpFiFVah N0OlNzeruFwNyNryhUlHJFLLbrE4uCRCYWYXhO8HqSblxUmG7g126Fr85b/35FVwT9zm yUrKxhvSn6x/9IusMCW7ZMZp1KoZMFrMEuIqULR+V66pOusmjcuZHzSjDg185ak55v3N BVAE010QN9gxS8Lf2MyKGK7qremp4MG12XdL5xRM9dyeg7JFJtuHZS1NeZmdh3ZHTX/w JItQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=8swj3+2Rhfk75WYeC0I6at4HhL9zHoZFCZvyqZK5fb4=; b=kxIKpDnp2NE4G9JFAoSnphuv6Bvr3YXc/u8vZEwH92GjwaqFzX6bXKKFE1fWzRAyuf 2LJV8kLSLVPLpI0s29QFbj9RQWGnf29JV+ZMggtX6uQWGRX/nIDt3Tb2zjNpra1HhbWb MLQOTxP//KhKn8NyY+Fhet+dQ+rtU1gqydwTbUzuabAZXQF8snK5eITPuPZcZw90zpL3 zFPN8e2f8VLokqDji6JIV5DVlSj8SqytL2PLt4hYSLlzYyHlNEfp9ksMKgh4Sx7S4Ijf jvKQyqIXem5iC1oq1v09EGRRt4KkfF9LfMTewPeoTOlGSOxI2Vp4PM3wUGpdNeNg2nSa 70AA==
X-Gm-Message-State: ALoCoQkN3AfzHDm2adj1bJNrkcY5N2AEZoa6A5UXtJ5WOziX00fQGRb6lCPmMCak+SS1cnay+P99rd372C3v7WgfA83PDkjD8CFzm21ssJkS2vGYDM4CQ9tra9lsOOIuhD/5w0lAGmlgbJhaRUYiarnmyGi+Xpw4MTiaxPHZyPGnrAxiQd46IqhW217JeHdsjOLfXbNNa1Vc
X-Received: by 10.58.48.133 with SMTP id l5mr654444ven.36.1392306782516; Thu, 13 Feb 2014 07:53:02 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.104.37 with HTTP; Thu, 13 Feb 2014 07:52:42 -0800 (PST)
In-Reply-To: <nnha83nwy9.fsf@bacon.lysator.liu.se>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se>
From: Adam Langley <agl@google.com>
Date: Thu, 13 Feb 2014 10:52:42 -0500
Message-ID: <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com>
To: Niels Möller <nisse@lysator.liu.se>, Nikos Mavrogiannopoulos <nmav@redhat.com>, Yoav Nir <ynir@checkpoint.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Feb 2014 15:53:05 -0000

On Thu, Feb 13, 2014 at 5:11 AM, Niels Möller <nisse@lysator.liu.se> wrote:
> 1. It would be nice with a couple of additional test cases for
>    AEAD_CHACHA20_POLY1305. In particular for the corner cases of empty
>    associated data and/or empty plaintext.

Ack. Yoav pulled out the AEAD bit into
https://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-01 so
that it's not TLS specific and that's probably the place for this now.

> 2. The input to the poly1305mac is defined as
>
>      ad | length(ad) | cryptotext | length(cryptotext)
>
>    As far as I understand, this is a bit redundant, since the second
>    length field is sufficient to make the encoding injective. Does using
>    two length fields increase security in some subtle way?

I don't believe so, it was just habit to put a length on each piece.
(The lengths were originally prefixes of the data. wtc suggested
moving them to the end so that the AEAD could be computed without
knowing the length of the data apriori. Although this does lead to the
possibility of "streaming" APIs which I would discourage as they
release unauthenticated plaintext and force others to also.)

>    At least in my implementantation, the length(ad) field causes some
>    additional complexity, so

Could you elaborate on why knowing the length of the AD is problematic?

> 3. Do you think reduced round variants of chacha make sense? If not,
>    the name "chacha-poly1305" is nicer than "chacha20-poly1305".

I suspect that some folks will want reduced round variants since it's
faster and the reduced round versions are holding up to analysis.


Cheers

AGL

v2.23.0 | Report a Bug | By Email