Re: [TLS] ChaCha and IVs
Adam Langley <agl@google.com> Tue, 04 March 2014 18:48 UTC
Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6C191A0290 for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 10:48:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.926
X-Spam-Level:
X-Spam-Status: No, score=-1.926 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GAW0Xhpb0jcZ for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 10:48:05 -0800 (PST)
Received: from mail-ve0-x233.google.com (mail-ve0-x233.google.com [IPv6:2607:f8b0:400c:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id C00DC1A0187 for <tls@ietf.org>; Tue, 4 Mar 2014 10:48:04 -0800 (PST)
Received: by mail-ve0-f179.google.com with SMTP id db12so6091629veb.24 for <tls@ietf.org>; Tue, 04 Mar 2014 10:48:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=1Hs8wviczvPf50f8P0P5reM7GaV06hV9JdMAnIEKARw=; b=omXGnJHXD3UhPaS/e720UZ2vuVuWpsVW1WVObhjGgHusRSBnoTMdjM2sv6xmuwoVo7 7FzujT0IHZOy8N2ci52+7RZWuH8b8twVr7pid5++Ad2j+J486rfepRUh5DioxUwxgZ4X Kn+ekcVSikC/d/wmXVBTnoJ4EkSc0UA/P4sEstjjl2bYf1CRD9wr3g+Dw9p1MkF+Smar nRouYbzpj7E8oCxzl/fCe6gqppHqhcBIYn/4v5WRAWjWD/Jv6+k+Wu0zX6r70IhuIKgt P+8+PsBpo14nCmlNYe6gs0AoN1qPBf2NzIz42YpghhjmKXx7WRl66zx7HS+MubhFpt+N UeeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=1Hs8wviczvPf50f8P0P5reM7GaV06hV9JdMAnIEKARw=; b=UFStn0yVvgSAyGQhHcfU5x8vKu/kECUyarW5t/19wuBtD9yQzWw1O1yCvVrsZQLlOQ 14T3rOFfABi6JcE5ClJWYI6Hd3uuOh4uvemAcpu4crRwQJr+kz3XN9DzKAUJIg15Fl+X UKIt89ytG/kpjXFL7dMpaXP0+toR+4oaYa1TVOXxAb/Jh8qa65GGl/hz/DPN2PYizOC5 INjm5jIcw5DMyFYsyulFaMgi1FNKqqjAHpMy8fquR1wUyIeG1eG+UpXD0zfr/Zu7VsDS 7KvSMoLBoUyNzN7EcOugw82PzHmYXEuzFhUIefiiG0jZO8e4DpB1nJJ0QtaqGTEabNse zS6g==
X-Gm-Message-State: ALoCoQnodocS31A6tmF+pmVXGRKIV5uj16kEH058QFOW+/gniyOtUJH3nN2xZOqK09gBLky+i8cdsWFokIR+BGk+CxQpHzmimA6M+wQenrgB7hoD1K7ZzU6G1LK5xsZooBiciOeTbbDTuQzZxm/xvD5hMPbcBOSZxcMtGsMZvAU123nuaienMlY9+U07xHrDOsviNyD10KDQ
X-Received: by 10.58.54.35 with SMTP id g3mr653746vep.46.1393957049726; Tue, 04 Mar 2014 10:17:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.104.37 with HTTP; Tue, 4 Mar 2014 10:17:09 -0800 (PST)
In-Reply-To: <53160513.20703@bbn.com>
References: <53160513.20703@bbn.com>
From: Adam Langley <agl@google.com>
Date: Tue, 04 Mar 2014 13:17:09 -0500
Message-ID: <CAL9PXLzy+g_Mc2THFxV4zpLPQPGOtTPb5zdBMSAXT4Os0hq7+A@mail.gmail.com>
To: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/a3OAXTQ9r4LKc7xqwZ4Rz8fKJHg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ChaCha and IVs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 18:48:07 -0000
Here are the points from the slides: > From a security assurance perspective, > an IV based on a protocol-supplied value > expands the scope of what has to be > analyzed (to ensure uniqueness) The uniqueness of the sequence number is needed to ensure that records cannot be reordered so you cannot get away from having to establish that property. > An algorithm implementation submitted for FIPS evaluation must be independently evaluable. An evaluation already assumes properties - i.e. that the key is actually secret! The interface and assumptions of an AEAD are well established (https://tools.ietf.org/html/rfc5116) and include an nonce input that must be unique for a given key. > If DTLS and ESP adopt different IV approaches for the > same algorithm/mode, chip vendors have problems ChaCha is not the hardware orientated cipher in any case, but I'm unconvinced this is true. So far, hardware implementations that I've seen take the nonce as an input, which is also the obvious design from my point of view. > In some cases, a non-counter IV approach can be faster > than a counter (in hardware) A non-counter IV is not safe unless the nonce is significantly extended. Certainly, nobody should never use a non-counter IV with AES-GCM in TLS. In any case, I think significant evidence would be needed to show that the performance of this outweighs the cost of wasting ~16 bytes / record. > Allowing each sender to choose its own IV generation > approach is more flexible. It's flexible in the same way that AES-GCM in TLS is flexible: i.e. that I had to survey all the implementations to ensure that nobody has used a random IV because that's unsafe. I don't want that sort of flexibility! Cheers AGL
- Re: [TLS] ChaCha and IVs Adam Langley
- [TLS] ChaCha and IVs Stephen Kent
- Re: [TLS] ChaCha and IVs Watson Ladd
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Stephen Kent
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Wan-Teh Chang
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Brian Smith
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Brian Smith
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Alyssa Rowan
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Sandeep Kumar
- Re: [TLS] ChaCha and IVs Robert Cragie
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Andy Lutomirski
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Bodo Moeller