Re: [TLS] (offline note) Re: Confirming Consensus on supporting only AEAD ciphers

"Joseph Salowey (jsalowey)" <> Tue, 06 May 2014 15:11 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 261D81A035A for <>; Tue, 6 May 2014 08:11:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -15.152
X-Spam-Status: No, score=-15.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bZUHdMzIuxea for <>; Tue, 6 May 2014 08:11:05 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 508D71A048C for <>; Tue, 6 May 2014 08:11:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=5037; q=dns/txt; s=iport; t=1399389061; x=1400598661; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=yOfL0d06Sun9P0S68g56lmenfbHBTFfNc9lbaYE8dS4=; b=IK/nmSCMhgNKgsBzDqWEBtCcT8bH1mwhCwYwR8fKRJwWBOFZUrRQUetb OXhMGRGlVHdo74l/VCzn6J9B8crwuxAgka7mooYt7FzJuW3c3tFIAIu4r Iw7m+KuD7DZP6emmYqRJ265I+/yZKkPRnHox7QWqQ5nU3hNoKGL4/dNYr Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.97,997,1389744000"; d="scan'208";a="322555731"
Received: from ([]) by with ESMTP; 06 May 2014 15:11:01 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id s46FB1gR030551 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 6 May 2014 15:11:01 GMT
Received: from ([]) by ([]) with mapi id 14.03.0123.003; Tue, 6 May 2014 10:11:00 -0500
From: "Joseph Salowey (jsalowey)" <>
To: Rene Struik <>
Thread-Topic: (offline note) Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
Thread-Index: AQHPSSM6qiIeFUDRHUase0LCUT6SLpskiL+AgATejwCACjNNAIAAet2AgAAm2gA=
Date: Tue, 6 May 2014 15:11:00 +0000
Message-ID: <>
References: <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [TLS] (offline note) Re: Confirming Consensus on supporting only AEAD ciphers
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 06 May 2014 15:11:07 -0000

On May 6, 2014, at 5:51 AM, Rene Struik <> wrote:

> Hi Joe:
> In general, an AEAD mode takes as input two strings a and m and a key k, and authenticates a and m, while encrypting m. If m is the empty string, this results in an authentication-only mode.
> Thus, AEAD modes can be used to provide suitable combinations of authentication and/or encryption. Examples hereof include the GCM mode and CCM mode.

[Joe] Yes, but I don't think any of the defined cipher suites for AES-GCM or AES-CCM support an authentication-only mode.  If authentication-only support is desired then additional cipher suites would have to be defined.  

> Best regards, Rene
> On 5/6/2014 1:32 AM, Joseph Salowey (jsalowey) wrote:
>> On Apr 29, 2014, at 10:46 AM, Michael StJohns <> wrote:
>>> On 4/26/2014 11:24 AM, Joseph Salowey (jsalowey) wrote:
>>>> The consensus from the IETF-89 meeting holds, TLS 1.3 will only use record layer protection of type AEAD. The Editor is requested to make the appropriate changes to the draft on github.
>>> Sorry - I'm coming late here.  Does this also imply the complete elimination of the integrity only cipher suites?
>> [Joe] Its possible to have AEAD modes that provide only authentication, however I don't think that the currently defined AEAD ciphers support authentication only so its possible that some modification may need to be made to support this.
>>> With respect to the AEAD approach and with respect to composited AEAD cipher suites (e.g. AES_CBC_CMAC reformed as an AEAD cipher per Guttman for example), does this also imply that the key expansion phase will never be used to generate MAC keys, and that the cipher suite has to provide whatever mechanisms that are required to split the AEAD key into underlying encryption/integrity keys if required?
>> [Joe] Yes, the cipher suite would be responsible for deriving the appropriate keys from the key material it is given.
>>> Next (reading from the commited editors copy), this refers to 5116 which uses a one-size fits all approach that doesn't really fit all sizes, especially for composited AEAD. E.g.  the draft describes this generally as an incrementing value.  For AEAD suites that comply with 5116, that should be part of the suite specification - not TLS.  For TLS, this just needs to be an normatively opaque, per-message field.    Instead,  place an Informative section which recommends how to do this with AEAD suites that currently exist.
>> [Joe] I think I'm missing your point here. I thought the existing cipher suites did define how the nonce is generated and the TLS document just provides some guidance on nonce generation.
>>> And finally, as I've noted many times before, deriving IV/nonce material from the master_secret at the same time as deriving keys is not securely supportable in hardware.
>> [Joe]  So currently with AES-GCM and AES-CCM then nonce is  partially derived from the Client and Server IV.   If I remember correctly the TLS derivation by splitting up the derived key material into secret keys and IVs is problematic.  Can this part of the problem be solved by changing the way TLS derives keys and IVs?
>>>> Joe
>>>> [For the chairs]
>>>> On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey) <> wrote:
>>>>> TLS has supported a number of different cipher types for protecting the record layer.   In TLS 1.3 these include Stream Cipher, CBC Block Cipher and AEAD Cipher. The construction of the CBC mode within TLS has been shown to be flawed and stream ciphers are not generally applicable to DTLS. Using a single mechanism for cryptographic transforms would make security analysis easier.   AEAD ciphers can be constructed from stream ciphers and block ciphers and are defined as protocol independent transforms.  The consensus in the room at IETF-89 was to only support AEAD ciphers in TLS 1.3. If you have concerns about this decision please respond on the TLS list by April 11, 2014.
>>>>> Thanks,
>>>>> Joe
>>>>> [Speaking for the TLS chairs]
>>>>> _______________________________________________
>>>>> TLS mailing list
>>>> _______________________________________________
>>>> TLS mailing list
>>> _______________________________________________
>>> TLS mailing list
>> _______________________________________________
>> TLS mailing list
> -- 
> email: | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363