Re: [TLS] AEAD only for TLS1.3 revisit
Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 01 October 2014 07:53 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CAAA1A884A for <tls@ietfa.amsl.com>; Wed, 1 Oct 2014 00:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.688
X-Spam-Level:
X-Spam-Status: No, score=-7.688 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nz4droHQjYUn for <tls@ietfa.amsl.com>; Wed, 1 Oct 2014 00:53:51 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1FDA1A8828 for <tls@ietf.org>; Wed, 1 Oct 2014 00:53:51 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s917WnhK004950 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 1 Oct 2014 03:32:49 -0400
Received: from [10.34.2.127] (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s917Wk0b015744 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Wed, 1 Oct 2014 03:32:48 -0400
Message-ID: <1412148765.2628.4.camel@dhcp-2-127.brq.redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Michael StJohns <msj@nthpermutation.com>
Date: Wed, 01 Oct 2014 09:32:45 +0200
In-Reply-To: <542B2C80.7010903@nthpermutation.com>
References: <542988C5.8050307@nthpermutation.com> <CABkgnnXjYCUweN-oREB6LG77UzYZEFq+nWV3uo+5c9K6fBQQFw@mail.gmail.com> <542B2C80.7010903@nthpermutation.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/TYk79eF2pm6JHh6j6P1nJc7iojY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] AEAD only for TLS1.3 revisit
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2014 07:53:53 -0000
On Tue, 2014-09-30 at 18:19 -0400, Michael StJohns wrote: > On 9/30/2014 4:28 PM, Martin Thomson wrote: > > On 29 September 2014 09:28, Michael StJohns <msj@nthpermutation.com> wrote: > >> Question: Is there absolutely no requirement for TLS1.3 integrity only > >> cipher suites? > > If you believe that integrity-only modes are valuable, you could > > propose an AEAD formulation that does not provide confidentiality. > > That's fairly trivial to do with an AEAD construction: just move > > everything under the AD part. > > To be a bit pedantic - that's not actually how you would do it. TLS > treats the user data as non-AD data. There is no provision in the > protocol for moving everything from encryption to AAD only. > > You could define an AEAD cipher such as NULL_HMAC_SHA256_AEAD could work > if you wanted integrity only - it's too bad we can't just use the > existing integrity only suites. It's not simply too bad, it is unnecessary work, and additional bloat to implementations which will have to carry two versions of the same ciphersuite. One that is valid for TLS 1.2 and prior, and another that will be valid for TLS 1.3 and later. Since SSL 3.0 is yet still in use we can expect this duplication (of code and bugs) to last at least 15 years. The benefit of this duplication is some "niceness" that will be observed in the TLS 1.3 protocol as everything will be marked as AEAD, but this "niceness" has no cryptographic value (the TLS 1.2 construction with cipher and MAC is authenticated encryption). Hence, instead of simplifying implementations, the AEAD-only move will add more code into implementations, duplicate code, increasing the number of potential bugs, and adding no value. regards, Nikos
- [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Martin Thomson
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Stephen Farrell
- Re: [TLS] AEAD only for TLS1.3 revisit Nikos Mavrogiannopoulos
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Dan Harkins
- Re: [TLS] AEAD only for TLS1.3 revisit Ilari Liusvaara
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann
- Re: [TLS] AEAD only for TLS1.3 revisit Hubert Kario
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann