IETF Logo Mail Archive

RE: [TLS] NIST TLS recomendations (IV generation)

"Blumenthal, Uri" <uri.blumenthal@intel.com> Tue, 21 November 2006 17:25 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GmZNY-0007Fq-TC; Tue, 21 Nov 2006 12:25:52 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GmZNX-0007Fj-6g for tls@lists.ietf.org; Tue, 21 Nov 2006 12:25:51 -0500
Received: from mga02.intel.com ([134.134.136.20]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GmZNU-0008BX-TJ for tls@lists.ietf.org; Tue, 21 Nov 2006 12:25:51 -0500
Received: from orsmga001.jf.intel.com ([10.7.209.18]) by mga02.intel.com with ESMTP; 21 Nov 2006 09:25:47 -0800
Received: from fmsmsx333.amr.corp.intel.com ([132.233.42.2]) by orsmga001.jf.intel.com with ESMTP; 21 Nov 2006 09:25:24 -0800
X-ExtLoop1: 1
X-IronPort-AV: i="4.09,443,1157353200"; d="scan'208"; a="165006061:sNHT478004989"
Received: from hdsmsx412.amr.corp.intel.com ([10.127.2.72]) by fmsmsx333.amr.corp.intel.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 21 Nov 2006 09:25:15 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] NIST TLS recomendations (IV generation)
Date: Tue, 21 Nov 2006 12:25:04 -0500
Message-ID: <279DDDAFA85EC74C9300A0598E704056FE69FD@hdsmsx412.amr.corp.intel.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] NIST TLS recomendations (IV generation)
thread-index: Acb9wgSf1EKVbyKaR12QoVxxwPw3hAPwCs4wAAFWovAAAJYLoAABWDTw
From: "Blumenthal, Uri" <uri.blumenthal@intel.com>
To: Pasi.Eronen@nokia.com, ray.perlner@nist.gov, tls@lists.ietf.org
X-OriginalArrivalTime: 21 Nov 2006 17:25:15.0993 (UTC) FILETIME=[02655490:01C70D92]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 00e94c813bef7832af255170dca19e36
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

>I'd like to align the text with NIST SP 800-38A, which doesn't 
>require uniqueness for CBC mode (and for other modes where 
>uniqueness is required, generating the IV randomly is not 
>usually acceptable).

I guess I have an issue with SP 800-38A then :-). 

>So how about "The Initialization Vector (IV) SHOULD be 
>chosen at random, and MUST be unpredictable" ?
>
>(This text is in section titled "CBC block cipher",
>so no need to consider OFB or CTR here...)

Well, I still would like to see at least "SHOULD be unique", but since
we are aligning with the official standard (and the issue is indeed
rather improbable for CBC) - I'm leaving it to the others to decide. No
strong push from my side in either direction.

:-)


-----Original Message-----
> From: ext Blumenthal, Uri [mailto:uri.blumenthal@intel.com] 
> Sent: 21 November, 2006 18:12
> To: Eronen Pasi (Nokia-NRC/Helsinki); ray.perlner@nist.gov; 
> tls@lists.ietf.org
> Subject: RE: [TLS] NIST TLS recomendations (IV generation)
> 
> Pasi,
> 
> For the 1st statement how about:
> 
> 	The IV SHOULD be chosen at random, and MUST be 
> 	unique and unpredictable. 
> 
> (based on crypto wisdom :-)
> 
> -----Original Message-----
> From: Pasi.Eronen@nokia.com [mailto:Pasi.Eronen@nokia.com] 
> Sent: Tuesday, November 21, 2006 10:37 AM
> To: ray.perlner@nist.gov; tls@lists.ietf.org
> Subject: RE: [TLS] NIST TLS recomendations (IV generation)
> 
> Ray Perlner wrote:
> > Page 20-21: Section 6.2.3.2 under IV The document specifies that the
> > IV SHOULD be generated by method (1) or (2) and MAY be generated by
> > an alternate method. There is, however, no language forbidding the
> > generation of IVs by a fourth unlisted method. If a fourth method is
> > used, the protocol will not fail but may be insecure. Therefore we
> > recommend adding language forbidding the use of an unlisted method
> > for IV generation.
> 
> Actually the whole text about IVs is quite long, and contains
> implementation details that IMHO are likely to confuse rather than
> help an implementer.
> 
> How about just replacing the whole text about IVs with something
> like this?
> 
>    IV
> 
>        The Initialization Vector (IV) MUST be chosen at random, and
>        MUST be unpredictable. See [SP800-38A] Appendix C for
>        RECOMMENDED methods for generating unpredictable IVs.
> 
>        It is critical that the IV is not sent before the entire
>        plaintext of the record is known; otherwise it is possible for
>        the attacker to mount the attack described in [CBCATT].
> 
>        Note: In versions of TLS prior to 1.1, there was no IV field,
>        and the last ciphertext block of the previous record (the "CBC
>        residue") was used as the IV. This was changed to prevent the
>        attacks described in [CBCATT].
> 
> Best regards,
> Pasi

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.29.0 | Report a Bug | By Email | System Status