IETF Logo Mail Archive

Re: [TLS] consensus on adopting draft-mcgrew-tls-aes-ccm and draft-mcgrew-tls-aes-ccm-ecc

Rene Struik <rstruik.ext@gmail.com> Thu, 01 December 2011 20:59 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 307CD11E80A3 for <tls@ietfa.amsl.com>; Thu, 1 Dec 2011 12:59:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level:
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_21=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cf17K5r9yFa6 for <tls@ietfa.amsl.com>; Thu, 1 Dec 2011 12:59:05 -0800 (PST)
Received: from mail-lpp01m010-f44.google.com (mail-lpp01m010-f44.google.com [209.85.215.44]) by ietfa.amsl.com (Postfix) with ESMTP id D346511E809D for <tls@ietf.org>; Thu, 1 Dec 2011 12:59:04 -0800 (PST)
Received: by lahj13 with SMTP id j13so1094322lah.31 for <tls@ietf.org>; Thu, 01 Dec 2011 12:59:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; bh=r2wADR2qr84OxGZCcsHtxDqnB9hgufiqeYVDn77xfDc=; b=uyMiwbfXGyJZXwl6eT9YY/SmOcFvA/tn/Xy7uNwR2CF+LjFAEQCTsJLHIjkgF76qUt Q1PsS8oAYx/bihMk4jO3lR8syETs3w29qTJXqTIIchqfAVxvB6cGUgsI5q/igGPHBr5p 501KYvZKsB2YNo4PHuSE8bMonQuqj5XdhkqLw=
Received: by 10.152.105.211 with SMTP id go19mr5919692lab.31.1322773143821; Thu, 01 Dec 2011 12:59:03 -0800 (PST)
Received: from [192.168.1.103] (CPE0013100e2c51-CM001cea35caa6.cpe.net.cable.rogers.com. [99.231.117.243]) by mx.google.com with ESMTPS id ne3sm6246140lab.7.2011.12.01.12.58.58 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 01 Dec 2011 12:59:02 -0800 (PST)
Message-ID: <4ED7EA82.2080407@gmail.com>
Date: Thu, 01 Dec 2011 15:58:42 -0500
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Don Sturek <d.sturek@att.net>
References: <CAFD209E.DF10%d.sturek@att.net>
In-Reply-To: <CAFD209E.DF10%d.sturek@att.net>
X-Enigmail-Version: 1.3.3
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] consensus on adopting draft-mcgrew-tls-aes-ccm and draft-mcgrew-tls-aes-ccm-ecc
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2011 20:59:06 -0000

Dear colleagues:

Just a short note (I will have to review the cross-referenced four or so
RFCs later):

1) to my knowledge, for relatively short frames (a few times the size of
the underlying block cipher),
the GCM mode of operation is *not* "significantly faster" than the CCM
mode of operation.

2) 802.15.4-2011 (or 802.15.4-2006 for that matter) does use the CCM*
mode of operation, where
the nonce format is incompatible with that specified in the RFC 5116 or
the mcgrew-tls-aes-ccm draft.

Given #2 above, it seems that reference to 802.15.4's use of CCM is
somewhat inopportune. Moreover, from
Don Sturek's note below, it seems that the Joe Salovey's note that
"Zigbee smart energy group has
interest in these drafts" should be taken with some grain of salt
(lukewarm interest at most, so it seems [if one
really wished to have had another cipher (on technical grounds???), then
one missed a window of opportunity
802.15.4 TG4i issued very recently and 802.15.4 TGe just went to RevCom]).

On a more detailed technical note,

a) how does one assure that nonces used by different entities never
clash if they use a
shared key for securing network traffic? (a scenario prevalent in lots
of ZigBee, RoLL, etc. scenarios).

b) I am curious as to whether the design in mcgrew-tls-aes-ccm allows
for reuse of keying material accross
layers, so as to economize on key storage and key management overhead?
(given that devices should be
assumed to have intra-device open trust domain, this seems feasible. I
am concerned the current draft may
kill off this prospect).

Based on the above, I am somewhat critical as to why this should be
pushed, certainly as a standard-track
document.

Most of these arguments I have made before, but did not see addressed.

I will provide more technical feedback later on, but prior to the
suggested December 15th deadline.

Best regards, Rene

On 01/12/2011 3:20 PM, Don Sturek wrote:
> Hi Dan,
>
> While ZigBee does specify AES-CCM* in their *commercial* specification, I
> would say the general problem is that IEEE 802.15.4 (which ZigBee uses)
> specifies AES-CCM and nearly all silicon vendors have that (not CCM*)
> available.  If we could somehow get those implementations to switch to
> GCM, I don't think we would be asking for adoption of AES-CCM.  That said,
> for the IEEE 802.15.4 devices already manufactured and in those in the
> field, either we try to align the use of TLS with what is available
> hardware wise or else bypass the AES-CCM engine in those parts and
> implement GCM in software.....
>
> Don
>
>
>
>
> On 12/1/11 12:01 PM, "Dan Harkins" <dharkins@lounge.org> wrote:
>
>> On Wed, November 30, 2011 1:34 pm, Joe Salowey wrote:
>>> The chairs would like to see if there is consensus in the TLS working
>>> group to adopt draft-mcgrew-tls-aes-ccm and draft-mcgrew-tls-aes-ccm-ecc
>>> as working group items.  These drafts define AES-CCM cipher suites for
>>> TLS.  The Zigbee smart energy group has interest in these drafts.
>>> These
>>> drafts only deal with a AES-CCM and not with Zigbee's AES-CCM* which is
>>> a
>>> super set of AES-CCM.  The authors are requesting standards track for
>>> these ciphers.  Please note that there is an IPR declaration listed for
>>> draft-mcgrew-tls-aes-ccm-ecc available here:
>>> https://datatracker.ietf.org/ipr/1443/.  This declaration has been
>>> updated
>>> from previous declarations.   Please respond to the following by
>>> December
>>> 14, 2011 :
>>>
>>> - Do you object to taking these drafts on as working group items?
>>> (Please
>>> state the reason for you objection)
>>  No.
>>
>>> - Would you contribute time to review and provide text for the documents
>>> when needed?
>>  Yes.
>>
>>> - Do you object to standards track status for these documents?(Please
>>> state the reason for you objection)
>>  I have a mild objection. There is no point in doing CCM. GCM is faster,
>> if you're gonna implement an AEAD scheme implement GCM. If you really want
>> a 2-pass AEAD scheme you can use RFC 5297 and you get misuse-resistance
>> for free (basically the security of the mode does not collapse if you
>> reuse a nonce/counter). The only group I know pushing CCM is actually
>> pushing CCM* and, as you note, this isn't CCM*.
>>
>>  Dan.
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls


-- 
email: rstruik.ext@gmail.com
Skype: rstruik
cell: +1 (647) 867-5658
USA Google voice: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email