Re: [TLS] HSM-friendly Key Computation

Yoav Nir <ynir.ietf@gmail.com> Fri, 17 April 2015 20:32 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CABcZeBOh08+8bz3Wk+xXYp9myVHpk6R70QMWdRjs1h7Y7ghEeQ@mail.gmail.com>
Date: Fri, 17 Apr 2015 23:32:22 +0300
Message-Id: <A1051B9F-8186-4151-A209-D1B9808CEE43@gmail.com>
References: <0694C3DB-FB87-42A2-BCC4-CC0F761E9A03@vigilsec.com> <CABcZeBOh08+8bz3Wk+xXYp9myVHpk6R70QMWdRjs1h7Y7ghEeQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Za8nkoprkdBLMg5faJFJQLzMj7w>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] HSM-friendly Key Computation

> On Apr 17, 2015, at 10:40 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> We should defer this issue until we know whether we are generating an IV
> at all.
> 

The client_write_iv and server_write_iv are needed, and I’m not aware of any contention about them. In AES-GCM they are used for the “salt” value, and the chacha20-poly1305 draft uses the same terminology for a 32-bit fixed part of the nonce that is derived from the key buffer.

This is not the same as the per-record IV that we *are* considering dropping.

Yoav
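
An added example, not part of the original message: how client_write_iv and server_write_iv fall out of the key buffer and become the AES-GCM "salt". It assumes the TLS 1.2 key expansion (RFC 5246) and the RFC 5288 nonce layout for an AES_128_GCM suite; the function names and sample secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def key_block_aes128_gcm(master_secret: bytes, client_random: bytes,
                         server_random: bytes) -> dict:
    """Partition the key block for AES_128_GCM: no MAC keys,
    two 16-byte write keys, then two 4-byte write IVs (the GCM salts)."""
    seed = b"key expansion" + server_random + client_random
    kb = p_sha256(master_secret, seed, 2 * 16 + 2 * 4)
    return {
        "client_write_key": kb[0:16],
        "server_write_key": kb[16:32],
        "client_write_iv": kb[32:36],
        "server_write_iv": kb[36:40],
    }

def gcm_nonce(write_iv: bytes, seq_num: int) -> bytes:
    """RFC 5288 nonce: 4-byte implicit salt || 8-byte explicit part.
    Using the record sequence number as the explicit part is an
    assumption here (a common implementation choice)."""
    if len(write_iv) != 4:
        raise ValueError("AES-GCM salt must be 4 bytes")
    return write_iv + struct.pack(">Q", seq_num)

# Constructed sample inputs, not taken from any real handshake.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32

if __name__ == "__main__":
    keys = key_block_aes128_gcm(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
    for seq in (0, 1):
        print(f"client nonce, record {seq}:",
              gcm_nonce(keys["client_write_iv"], seq).hex())
```

The 4-byte salt stays fixed for the connection and is never sent; only the 8-byte explicit part changes from record to record.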