Re: [TLS] ChaCha20 + Poly1305 in TLS

Adam Langley <agl@google.com> Wed, 11 September 2013 14:08 UTC

In-Reply-To: <52306269.7020200@drh-consultancy.co.uk>
References: <CAL9PXLyLre-fySOY2H4oLAwSxiBmG+mnrJe9YiD9+OHmPVG-oA@mail.gmail.com> <52306269.7020200@drh-consultancy.co.uk>
From: Adam Langley <agl@google.com>
Date: Wed, 11 Sep 2013 10:08:28 -0400
Message-ID: <CAL9PXLxm=WezLdg2EMuh--aW+cR5CJzCFeYgySQGqhQPOn3ntA@mail.gmail.com>
To: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Content-Type: text/plain; charset=UTF-8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ChaCha20 + Poly1305 in TLS

On Wed, Sep 11, 2013 at 8:30 AM, Dr Stephen Henson
<lists@drh-consultancy.co.uk> wrote:
> Which versions of TLS is this aimed at, TLS 1.2 (and later) only or earlier
> versions too?

Since it's defined as an AEAD, technically it's only compatible with
TLS 1.2 - same as AES-GCM.

However, the reality, at least for browsers, is that we cannot depend
on TLS's version negotiation because of bugs in servers. Therefore, in
practice, I'm planning on making some or all AES-GCM and
Chacha20-Poly1305 ciphersuites work for all versions. For SSLv3,
ECDHE/ECDSA variants will implicitly indicate support for
P-{256,384,521} and uncompressed points since SSLv3 cannot carry the
EC extensions needed to indicate that.

I don't know whether, in standards land, that will be explicit.

> Would it make sense to include some DHE ciphersuites as well as the ECDH ones
> for implementations which (for whatever reason) do not support or disable ECDH?

I would like to support only ECDHE-ECDSA at this point but RSA has
significant inertia because of the CA system. On reflection, it does
seem reasonable that some implementations might not want the weight of
an ECC implementation given that they have to have
multiplicative-modexp for RSA anyway. So I've spun version -01 with
a DHE_RSA ciphersuite too.


Cheers

AGL