IETF Logo Mail Archive

Re: [TLS] ChaCha and IVs

Adam Langley <agl@google.com> Tue, 04 March 2014 18:48 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6C191A0290 for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 10:48:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.926
X-Spam-Level:
X-Spam-Status: No, score=-1.926 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GAW0Xhpb0jcZ for <tls@ietfa.amsl.com>; Tue, 4 Mar 2014 10:48:05 -0800 (PST)
Received: from mail-ve0-x233.google.com (mail-ve0-x233.google.com [IPv6:2607:f8b0:400c:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id C00DC1A0187 for <tls@ietf.org>; Tue, 4 Mar 2014 10:48:04 -0800 (PST)
Received: by mail-ve0-f179.google.com with SMTP id db12so6091629veb.24 for <tls@ietf.org>; Tue, 04 Mar 2014 10:48:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=1Hs8wviczvPf50f8P0P5reM7GaV06hV9JdMAnIEKARw=; b=omXGnJHXD3UhPaS/e720UZ2vuVuWpsVW1WVObhjGgHusRSBnoTMdjM2sv6xmuwoVo7 7FzujT0IHZOy8N2ci52+7RZWuH8b8twVr7pid5++Ad2j+J486rfepRUh5DioxUwxgZ4X Kn+ekcVSikC/d/wmXVBTnoJ4EkSc0UA/P4sEstjjl2bYf1CRD9wr3g+Dw9p1MkF+Smar nRouYbzpj7E8oCxzl/fCe6gqppHqhcBIYn/4v5WRAWjWD/Jv6+k+Wu0zX6r70IhuIKgt P+8+PsBpo14nCmlNYe6gs0AoN1qPBf2NzIz42YpghhjmKXx7WRl66zx7HS+MubhFpt+N UeeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=1Hs8wviczvPf50f8P0P5reM7GaV06hV9JdMAnIEKARw=; b=UFStn0yVvgSAyGQhHcfU5x8vKu/kECUyarW5t/19wuBtD9yQzWw1O1yCvVrsZQLlOQ 14T3rOFfABi6JcE5ClJWYI6Hd3uuOh4uvemAcpu4crRwQJr+kz3XN9DzKAUJIg15Fl+X UKIt89ytG/kpjXFL7dMpaXP0+toR+4oaYa1TVOXxAb/Jh8qa65GGl/hz/DPN2PYizOC5 INjm5jIcw5DMyFYsyulFaMgi1FNKqqjAHpMy8fquR1wUyIeG1eG+UpXD0zfr/Zu7VsDS 7KvSMoLBoUyNzN7EcOugw82PzHmYXEuzFhUIefiiG0jZO8e4DpB1nJJ0QtaqGTEabNse zS6g==
X-Gm-Message-State: ALoCoQnodocS31A6tmF+pmVXGRKIV5uj16kEH058QFOW+/gniyOtUJH3nN2xZOqK09gBLky+i8cdsWFokIR+BGk+CxQpHzmimA6M+wQenrgB7hoD1K7ZzU6G1LK5xsZooBiciOeTbbDTuQzZxm/xvD5hMPbcBOSZxcMtGsMZvAU123nuaienMlY9+U07xHrDOsviNyD10KDQ
X-Received: by 10.58.54.35 with SMTP id g3mr653746vep.46.1393957049726; Tue, 04 Mar 2014 10:17:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.104.37 with HTTP; Tue, 4 Mar 2014 10:17:09 -0800 (PST)
In-Reply-To: <53160513.20703@bbn.com>
References: <53160513.20703@bbn.com>
From: Adam Langley <agl@google.com>
Date: Tue, 04 Mar 2014 13:17:09 -0500
Message-ID: <CAL9PXLzy+g_Mc2THFxV4zpLPQPGOtTPb5zdBMSAXT4Os0hq7+A@mail.gmail.com>
To: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/a3OAXTQ9r4LKc7xqwZ4Rz8fKJHg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ChaCha and IVs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 18:48:07 -0000

Here are the points from the slides:

> From a security assurance perspective,
> an IV based on a protocol-supplied value
> expands the scope of what has to be
> analyzed (to ensure uniqueness)

The uniqueness of the sequence number is needed to ensure that records
cannot be reordered so you cannot get away from having to establish
that property.

> An algorithm implementation submitted for FIPS evaluation must be independently evaluable.

An evaluation already assumes properties - i.e. that the key is
actually secret! The interface and assumptions of an AEAD are well
established (https://tools.ietf.org/html/rfc5116) and include an nonce
input that must be unique for a given key.

> If DTLS and ESP adopt different IV approaches for the
> same algorithm/mode, chip vendors have problems

ChaCha is not the hardware orientated cipher in any case, but I'm
unconvinced this is true. So far, hardware implementations that I've
seen take the nonce as an input, which is also the obvious design from
my point of view.

> In some cases, a non-counter IV approach can be faster
> than a counter (in hardware)

A non-counter IV is not safe unless the nonce is significantly
extended. Certainly, nobody should never use a non-counter IV with
AES-GCM in TLS. In any case, I think significant evidence would be
needed to show that the performance of this outweighs the cost of
wasting ~16 bytes / record.

> Allowing each sender to choose its own IV generation
> approach is more flexible.

It's flexible in the same way that AES-GCM in TLS is flexible: i.e.
that I had to survey all the implementations to ensure that nobody has
used a random IV because that's unsafe. I don't want that sort of
flexibility!


Cheers

AGL

v2.23.0 | Report a Bug | By Email