Re: [TLS] PRF digest function for ChaCha20-Poly1305 cipher suites

Brian Smith <brian@briansmith.org> Tue, 22 December 2015 00:54 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF1041ACDDD for <tls@ietfa.amsl.com>; Mon, 21 Dec 2015 16:54:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZ2RePWGSS8h for <tls@ietfa.amsl.com>; Mon, 21 Dec 2015 16:54:24 -0800 (PST)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E62821ACDD5 for <tls@ietf.org>; Mon, 21 Dec 2015 16:54:23 -0800 (PST)
Received: by mail-oi0-x229.google.com with SMTP id o124so100491488oia.1 for <tls@ietf.org>; Mon, 21 Dec 2015 16:54:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Szk4x+hWMMMb5jBs+eQqTQ23zurQrfr1vcK9KaIetCY=; b=W6/0Z0+aeZ/4wKE/FR1MgxOFxoiWfuH/h92FktLxgRTqERjKelvL9Nu5W4YpBaurJ6 8+CInEplSQUH5J6zcv5HG8PYJu6bYrG5MxqxB2piHd+E1TjL79qK+li6AsEfew2mK3NF eG2K0LAZjMDQiAC0GNtkJ3qYpcQMVFhOArpzxnNo6S5OIRCbJZDUUX/QjDWv3uHCh0MC VQeVUReTDmGXgQRHBxMOLzJUUtGUL0h63RV6MRTE67LdiIesqSv1kqW2rBDz5QnxZHpk Ve4MZaTqZu/I53eXgXwgnoxHgSpLdnaoIsUsHd1Oh23r9sfif8oA5607iE7luKCAfbI0 fyPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Szk4x+hWMMMb5jBs+eQqTQ23zurQrfr1vcK9KaIetCY=; b=La1bt3QD0yOgc4ulZH1fNDa0DQo2PRLqZOa7pfJgiGAqDiYRKtw1Ak5TqsdEQemqqe 2A0h9Vls+0/oZGycRn1DDsrgTmEFFsfaIlEBzCYiZyWPUX/DKZBSydOZYOMTVg8BHZ01 X628oVbRhKJ2wWqNt28qOGmp1ysqGTJlqRKhDU5fLLzYmXXKcmCp1Q7zdE9OjCR8sBN0 L8IRkHMzSWOTLVdw+mB0iJ61JoMNgCzB+hKi1Zw02QQhbujc+3afq8WfU5SYW85XzYIt YadFuoEQ2+X6VQe3BkpTn5j+aNHFK1jpHWp6+x9GVZECrvDDXrSdoi8aWhnManEhm/Zz +tEA==
X-Gm-Message-State: ALoCoQnKYYVDs/jt13e/sY+JruxDjnam1Xw/oSOBlC4skWBy6du9XQD1oBjRsU+ME7q+Uyggyc8G8vBxUBX90LKOJxS8Tt/rAw==
MIME-Version: 1.0
X-Received: by 10.202.189.7 with SMTP id n7mr8783863oif.55.1450745663365; Mon, 21 Dec 2015 16:54:23 -0800 (PST)
Received: by 10.76.62.8 with HTTP; Mon, 21 Dec 2015 16:54:23 -0800 (PST)
In-Reply-To: <CABcZeBMTCrxzGkTFqqwNrCaK6tcFQ+q9h2qRSY9dW9XRvTxnzw@mail.gmail.com>
References: <CAFewVt6=ztWUs-i5EvGaFE=_r_UgHsr_KsOwFyX+ngx6_J-tnA@mail.gmail.com> <CAFewVt7G3FVEyapwL=GE=fZ2HFaaJEYQv0rp-GmA_EdkhyQx=w@mail.gmail.com> <CAMfhd9WV=VPECOJG30cskeFtUkfGN3BM5S-n6ctCXFkW2-38jw@mail.gmail.com> <CAFewVt5aNfUyts=OvDnhXoYA5xerpYsdoLiSmEHDEDHhqAsPDQ@mail.gmail.com> <CABcZeBOqj5kYfSGhqEdT6ojCVyjF6xXbquU2nPtRok2jj1+BcA@mail.gmail.com> <CAFewVt6KptT9B2Oe0t7XRzZDGsYRUsLapm-MHJjg-zfJ1UqrOw@mail.gmail.com> <CABcZeBMTCrxzGkTFqqwNrCaK6tcFQ+q9h2qRSY9dW9XRvTxnzw@mail.gmail.com>
Date: Mon, 21 Dec 2015 14:54:23 -1000
Message-ID: <CAFewVt4DLXbxsDtjAxeDNU7_x=iF3OcN3THWE1zgnCNF0TZY9g@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="001a113d7032ecc07a0527720b04"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_7JiDFAIGrIjLotfPji7eVnbzUQ>
Cc: Adam Langley <agl@imperialviolet.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] PRF digest function for ChaCha20-Poly1305 cipher suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2015 00:54:25 -0000

Eric Rescorla <ekr@rtfm.com> wrote:

> Sorry, I'm still confused TLS 1.2 uses a specific PRF. TLS 1.3 uses HKDF.
> Are you suggesting TLS 1.2 use the TLS 1.2 PRF with SHA-512 and that
> TLS 1.2 use SHA-512 with HKDF, or something different?
>

I mean that TLS 1.2 should use SHA-512 with the TLS 1.2 PRF and that TLS
1.3 should use SHA-512 with HKDF.


> Nobody should pay attention to what the MTI cipher suite for TLS 1.2 is,
>> because it's obsolete; in fact, one would be making a huge mistake to
>> deploy it now if one's application didn't have legacy backward
>> compatibility concerns. And, we should change the MTI cipher suite for TLS
>> 1.3 to the ChaCha20-Poly1305 ones, because they solve a lot of problems.
>> For example, they remove any question of any need to implement rekeying,
>> they avoid the weird IV construction hacks that are necessary for 128-bit
>> cipher suites like AES-GCM, and they can be implemented efficiently in a
>> safe way, unlike AES-GCM.
>>
>
> This seems like a separate question.
>

You are the one that brought the MTI stuff into this, not me.


> SHA-256-using cipher suites are widely deployed and not going away any
> time soon, so what resource are you trying to conserve here?
>

I'm trying to minimize the number of algorithms (amount of code) necessary
to implement ChaCha20-Poly1305 using x25519 for key agreement and Ed25519
for signatures. The different between needing or not needing SHA-256
matters most for very small computers (AVR and Cortex-M0), but doesn't
really matter much for larger computers where SHA-256 has an advantage.

In particular, since there seems to be a notable amount of hardware that is
or will soon be released that optimized for
ChaCha20-Poly1305+x25519+Ed25519, because of Apple HomeKit, it would be
nice to take advantage of that for TLS.

Besides that, the inconsistency regarding why these new
256-bit-encryption-key cipher suites are currently defined to use SHA-256
in the PRF whereas all the existing 256-bit-encryption-key cipher suites
use SHA-384 seems strange. Even if an application wants to use AES-GCM
cipher suites, it would be able to avoid needing SHA-256 if it implemented
the AES256-GCM cipher suites instead of AES128-GCM.

Cheers,
Brian
-- 
https://briansmith.org/