Re: [TLS] ChaCha and IVs
Robert Cragie <robert.cragie@gridmerge.com> Wed, 05 March 2014 17:43 UTC
Return-Path: <robert.cragie@gridmerge.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15BDD1A053B for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 09:43:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VN5pBa0WwkIE for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 09:43:51 -0800 (PST)
Received: from mailscan1.extendcp.co.uk (mailscan7.extendcp.co.uk [79.170.43.71]) by ietfa.amsl.com (Postfix) with ESMTP id 313361A0663 for <tls@ietf.org>; Wed, 5 Mar 2014 09:43:51 -0800 (PST)
Received: from lb1.hi.local ([10.0.1.197] helo=mailscan5.hi.local) by mailscan-g67.hi.local with esmtp (Exim 4.80.1) (envelope-from <robert.cragie@gridmerge.com>) id 1WLFr8-0004vz-Qp for tls@ietf.org; Wed, 05 Mar 2014 17:43:46 +0000
Received: from lb1.hi.local ([10.0.1.197] helo=mail41.extendcp.co.uk) by mailscan5.hi.local with esmtps (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.80.1) (envelope-from <robert.cragie@gridmerge.com>) id 1WLFr3-0003Vv-Hq for tls@ietf.org; Wed, 05 Mar 2014 17:43:41 +0000
Received: from host86-156-114-243.range86-156.btcentralplus.com ([86.156.114.243] helo=[192.168.0.2]) by mail41.extendcp.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.80.1) id 1WLFr3-0004GW-0D for tls@ietf.org; Wed, 05 Mar 2014 17:43:41 +0000
Message-ID: <53176278.7040902@gridmerge.com>
Date: Wed, 05 Mar 2014 17:44:24 +0000
From: Robert Cragie <robert.cragie@gridmerge.com>
Organization: Gridmerge Ltd.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: tls@ietf.org
References: <53160513.20703@bbn.com> <1393955839.20861.20.camel@dhcp-2-127.brq.redhat.com> <53161BA7.3070405@drh-consultancy.co.uk> <CAL9PXLzMiq-WsaAO8Q=kWqbQ3taw-xtuNw_ffuZxjFUXCEEG9A@mail.gmail.com> <5317267F.1070909@akr.io> <53172AE6.1000300@drh-consultancy.co.uk>
In-Reply-To: <53172AE6.1000300@drh-consultancy.co.uk>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms010504060607070703000102"
X-Authenticated-As: robert.cragie@gridmerge.com
X-Extend-Src: mailout
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/aHy1YIW9FSoHAAEyHrKyr1_EbAw
Subject: Re: [TLS] ChaCha and IVs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: robert.cragie@gridmerge.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 17:43:54 -0000
This seems to be a non-issue to me. In SP 800-38D section 8.2.1, the deterministic construction is described using an IV with an invocation field. If the invocation field is specified as an integer counter, it will, by definition, increment by one every time the AES-GCM encrypt function is invoked for a particular key. Maybe I missed it, but I didn't notice the requirement that the invocation field starts at a random starting point? Therefore, this could start at 0 on provision of a new key and also be the basis of the sequence number. If there is insistence that this is generated within a cryptographic module for validation purposes, in the TLS case, the module would use the deterministic construction with the invocation field as an integer counter and export the invocation field to form the TLS sequence number. In this way, there would be no need to have to supply any additional code as part of the validation. Robert On 05/03/2014 1:47 PM, Dr Stephen Henson wrote: > On 05/03/2014 13:28, Alyssa Rowan wrote: >> Random IVs risk collision earlier, burn valuable entropy faster, and are >> far more fragile. >> >> Sequential IVs are deterministic, verifiable, debuggable, and implicit. >> >> It is crystal-clear to me that sequential IVs are the correct approach. I >> would be interested to hear NIST's reasons for recommending otherwise. >> > In the case of AES-GCM the relevant FIPS specifications *do* permit sequential > IVs. One permitted construction is a random starting point generated within > the module which is then incremented on each invocation. > > That "random starting point" requirement means you can't use the sequence > number directly though. > > One way round that would be to have a way to specify the starting point. An > explicit IV in the first record for example, but that looks messy to me. > > Steve.
- Re: [TLS] ChaCha and IVs Adam Langley
- [TLS] ChaCha and IVs Stephen Kent
- Re: [TLS] ChaCha and IVs Watson Ladd
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Stephen Kent
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Wan-Teh Chang
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Brian Smith
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Brian Smith
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Alyssa Rowan
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Sandeep Kumar
- Re: [TLS] ChaCha and IVs Robert Cragie
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Andy Lutomirski
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Bodo Moeller