IETF Logo Mail Archive

Re: [TLS] ChaCha and IVs

Dr Stephen Henson <lists@drh-consultancy.co.uk> Wed, 05 March 2014 18:45 UTC

Return-Path: <lists@drh-consultancy.co.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CC2B1A011E for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 10:45:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.111
X-Spam-Level:
X-Spam-Status: No, score=-1.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NEUTRAL=0.779, T_HK_NAME_DR=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ShtLHyzOYtu2 for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 10:45:34 -0800 (PST)
Received: from claranet-outbound-smtp07.uk.clara.net (claranet-outbound-smtp07.uk.clara.net [195.8.89.40]) by ietfa.amsl.com (Postfix) with ESMTP id A684B1A01DD for <tls@ietf.org>; Wed, 5 Mar 2014 10:45:33 -0800 (PST)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10]:24318 helo=[192.168.7.9]) by relay17.mail.eu.clara.net (relay.clara.net [81.171.239.37]:10465) with esmtpa (authdaemon_plain:drh) id 1WLGon-0006nT-PK for tls@ietf.org (return-path <lists@drh-consultancy.co.uk>); Wed, 05 Mar 2014 18:45:25 +0000
Message-ID: <531770C1.3090509@drh-consultancy.co.uk>
Date: Wed, 05 Mar 2014 18:45:21 +0000
From: Dr Stephen Henson <lists@drh-consultancy.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: tls@ietf.org
References: <53160513.20703@bbn.com> <1393955839.20861.20.camel@dhcp-2-127.brq.redhat.com> <53161BA7.3070405@drh-consultancy.co.uk> <CAL9PXLzMiq-WsaAO8Q=kWqbQ3taw-xtuNw_ffuZxjFUXCEEG9A@mail.gmail.com> <5317267F.1070909@akr.io> <53172AE6.1000300@drh-consultancy.co.uk> <53176278.7040902@gridmerge.com>
In-Reply-To: <53176278.7040902@gridmerge.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/XapZMv2S07hVmCQ37anzQf4zN54
Subject: Re: [TLS] ChaCha and IVs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 18:45:36 -0000

On 05/03/2014 17:44, Robert Cragie wrote:
> This seems to be a non-issue to me. In SP 800-38D section 8.2.1, the
> deterministic construction is described using an IV with an invocation field. If
> the invocation field is specified as an integer counter, it will, by definition,
> increment by one every time the AES-GCM encrypt function is invoked for a
> particular key. Maybe I missed it, but I didn't notice the requirement that the
> invocation field starts at a random starting point? Therefore, this could start
> at 0 on provision of a new key and also be the basis of the sequence number. If
> there is insistence that this is generated within a cryptographic module for
> validation purposes, in the TLS case, the module would use the deterministic
> construction with the invocation field as an integer counter and export the
> invocation field to form the TLS sequence number. In this way, there would be no
> need to have to supply any additional code as part of the validation.
> 


SP800-38D is combined with the FIPS 140-2 implementation guidance (IG) during
FIPS 140-2 validation. In this case IG A.5 is relevant for AES-GCM and IVs.

The IG can modify the requirements of other standards (e.g. restrict them) for
the purposes of FIPS 140-2. A deterministic IV from SP800-38D 8.2.1 looks like
it falls under IG A.5 3.A:

"A. Each deterministically established IV shall include an encoding of the
module’s name and the name shall be long enough to allow for at least 32^2
different names."

Which presumably isn't something we'd do for TLS.

There is of course some guesswork involved here in that any future FIPS spec and
IG would be similar to that for AES-GCM. In the case of AES-CCM there aren't any
IV internal generation requirements AFAIK.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.

v2.23.0 | Report a Bug | By Email