Re: [TLS] AEAD only for TLS1.3 revisit
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 01 October 2014 17:57 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 809CD1A1B0C for <tls@ietfa.amsl.com>; Wed, 1 Oct 2014 10:57:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RYvg1qm8tA3L for <tls@ietfa.amsl.com>; Wed, 1 Oct 2014 10:57:50 -0700 (PDT)
Received: from emh07.mail.saunalahti.fi (emh07.mail.saunalahti.fi [62.142.5.117]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48F051A1AED for <tls@ietf.org>; Wed, 1 Oct 2014 10:57:50 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh07.mail.saunalahti.fi (Postfix) with ESMTP id BBAB94001; Wed, 1 Oct 2014 20:57:47 +0300 (EEST)
Date: Wed, 01 Oct 2014 20:57:47 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Michael StJohns <msj@nthpermutation.com>
Message-ID: <20141001175747.GA14447@LK-Perkele-VII>
References: <542988C5.8050307@nthpermutation.com> <A46BA862-DEE1-46CF-9193-40D1EAAA14BE@cisco.com> <D05080B2.1ABB6%uri@ll.mit.edu> <44A2498B-D0CB-415C-A1D8-2E362FD8BDF0@cisco.com> <542B450C.5010304@cs.tcd.ie> <542C2D85.7000705@nthpermutation.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D2F8F7B6B@USMBX1.msg.corp.akamai.com> <542C362A.4010802@nthpermutation.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <542C362A.4010802@nthpermutation.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/TarX8Cswl9yYWhM93cvSwpI-hYU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] AEAD only for TLS1.3 revisit
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2014 17:57:52 -0000
On Wed, Oct 01, 2014 at 01:13:14PM -0400, Michael StJohns wrote: > On 10/1/2014 12:47 PM, Salz, Rich wrote: > > > In your equation above, with respect to this thread only, the actual problem > is not the " + epsilon" but the "- some_crypto_mechanisms" which took away > all the mechanisms where the integrity key can be isolated from the > encryption key. Trying to define new AEAD mechanisms that provide this > capability *AND* make it in to sufficient commercial stacks becomes an > interesting problem (and frankly a great deal of work in TLS1.3 that's not > necessary in TLS1.2). Actually isolating integrity key from encryption key would require two MACs, with inner one inner to encryption and with its own subkey. > The discussion really is about how we're making a number of structural > changes to TLS in the TLS1.3 draft. Some of them have interesting and > possibly unintended consequences (cf the discussion on encrypting the > handshake with respect to encrypting the SNI extension; or the discussion > about doing the hash of the handshake mixin with key derivation interacting > badly with the desire for 1rtt); this particular change had an unintended > consequence that didn't come to light (at least for me) until I got a > specific request and tried to figure out how to satisfy it. What's the problem? It seems that hashing the early handshake is easy enough (and there ARE attacks without this). Is this something about hashing in the "identities" or something like that? -Ilari
- [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Martin Thomson
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Stephen Farrell
- Re: [TLS] AEAD only for TLS1.3 revisit Nikos Mavrogiannopoulos
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Dan Harkins
- Re: [TLS] AEAD only for TLS1.3 revisit Ilari Liusvaara
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann
- Re: [TLS] AEAD only for TLS1.3 revisit Hubert Kario
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann