IETF Logo Mail Archive

Re: [TLS] AES-CCM ECC Cipher Suites for TLS @ IETF 78

David McGrew <mcgrew@cisco.com> Tue, 20 July 2010 17:56 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 90ACD3A687D for <tls@core3.amsl.com>; Tue, 20 Jul 2010 10:56:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NiPeqzx4sd+J for <tls@core3.amsl.com>; Tue, 20 Jul 2010 10:56:42 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 6891E3A6898 for <tls@ietf.org>; Tue, 20 Jul 2010 10:56:42 -0700 (PDT)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAIeARUyrR7H+/2dsb2JhbACfbXGlV5sxhTIEhACEWQ
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-6.cisco.com with ESMTP; 20 Jul 2010 17:56:57 +0000
Received: from stealth-10-32-254-212.cisco.com (stealth-10-32-254-212.cisco.com [10.32.254.212]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id o6KHuufB026959; Tue, 20 Jul 2010 17:56:56 GMT
Message-Id: <152DF6E4-BC01-453B-BCE4-0324F9B97D81@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: Brian Smith <brian@briansmith.org>
In-Reply-To: <004b01cb276a$ac2a2190$047e64b0$@briansmith.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Tue, 20 Jul 2010 10:56:55 -0700
References: <C9990CC0-A4D7-4519-9DEA-E415F11EBCEB@cisco.com> <001b01cb253a$242ad9b0$6c808d10$@briansmith.org> <43895D94-BB8B-4151-8E4E-C7148B35D361@cisco.com> <004b01cb276a$ac2a2190$047e64b0$@briansmith.org>
X-Mailer: Apple Mail (2.936)
Cc: tls@ietf.org
Subject: Re: [TLS] AES-CCM ECC Cipher Suites for TLS @ IETF 78
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jul 2010 17:56:43 -0000

Hi Brian,

On Jul 19, 2010, at 10:48 AM, Brian Smith wrote:

> David McGrew wrote:
>> GCM requires implementation of the AES forward (encrypt) operation  
>> and a
>> GF(2^128) multiplier.  CCM requires only the AES forward (encrypt)
> operation.
>>
>> A CCM circuit can be more compact, because it doesn't need a  
>> GF(2^128)
>> multiplier.  Existing hardware for low-power radio devices typically
>> lacks the GF(2^128) multiplier.   GCM would use a bit less power than
>> CCM, FWIW.
>>
>> Within the low-power radio community, there is probably an  
>> expectation
> that
>> the CCM ciphersuite does not need universal support; it would be  
>> adequate
> if
>> servers for that application environment supported it.
>
> I do not quite understand this last comment. Would a user use a  
> regular web
> browser to connect to a 802.15.4-enabled desktop/mobile device to an
> administrative interface for an 802.15.4 device over HTTPS?

In the Zigbee SE2.0 group's recent meeting in Cincinnati, there was a  
discussion where it was concluded that it was not a priority to  
interoperate with web browsers, since many devices will not have the  
administrative interface that you're describing.

>
> I agree with Juho's comments regarding the restrictions on ClientHello
> extensions and the way support for truncation is supported/ 
> requested. I do
> not think it makes sense to multiply the number of AEAD cipher suite  
> codes
> by 3 just to add truncation support.

There are currently 17 AEAD algorithms, 8 of which are short-ICV  
versions (see http://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml) 
    The four new CCM algorithms in the draft would bring those numbers  
to 21 and 12, respectively.   Adding these new algorithms are  
consistent with precedent in the AEAD registry.

Besides, "truncation" is not legal with the AEAD interface (because  
RFC5116 says that "Applications MUST NOT assume any particular  
structure or formatting of the ciphertext"), so new algorithms/numbers  
need to be defined/assigned.


> And, IMO, every implementation should
> support the un-truncated form, so it should be impossible for the  
> client to
> offer the truncated forms without also offering the un-truncated form.
> Specifying the truncation in an extension that the server is free to  
> ignore
> would provide for that.

I respectfully disagree.  Users of low-power radio devices have  
already decided that it is acceptable to use 8 octets or fewer for  
authentication, and IMO TLS should accept and incorporate that  
policy.   (802.15.4 link crypto allows zero to 8 octets of  
authentication strength.)

David

>
> Regards,
> Brian
>

v2.23.0 | Report a Bug | By Email