IETF Logo Mail Archive

Re: [TLS] ChaCha and IVs

Robert Cragie <robert.cragie@gridmerge.com> Wed, 05 March 2014 17:43 UTC

Return-Path: <robert.cragie@gridmerge.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15BDD1A053B for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 09:43:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VN5pBa0WwkIE for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 09:43:51 -0800 (PST)
Received: from mailscan1.extendcp.co.uk (mailscan7.extendcp.co.uk [79.170.43.71]) by ietfa.amsl.com (Postfix) with ESMTP id 313361A0663 for <tls@ietf.org>; Wed, 5 Mar 2014 09:43:51 -0800 (PST)
Received: from lb1.hi.local ([10.0.1.197] helo=mailscan5.hi.local) by mailscan-g67.hi.local with esmtp (Exim 4.80.1) (envelope-from <robert.cragie@gridmerge.com>) id 1WLFr8-0004vz-Qp for tls@ietf.org; Wed, 05 Mar 2014 17:43:46 +0000
Received: from lb1.hi.local ([10.0.1.197] helo=mail41.extendcp.co.uk) by mailscan5.hi.local with esmtps (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.80.1) (envelope-from <robert.cragie@gridmerge.com>) id 1WLFr3-0003Vv-Hq for tls@ietf.org; Wed, 05 Mar 2014 17:43:41 +0000
Received: from host86-156-114-243.range86-156.btcentralplus.com ([86.156.114.243] helo=[192.168.0.2]) by mail41.extendcp.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.80.1) id 1WLFr3-0004GW-0D for tls@ietf.org; Wed, 05 Mar 2014 17:43:41 +0000
Message-ID: <53176278.7040902@gridmerge.com>
Date: Wed, 05 Mar 2014 17:44:24 +0000
From: Robert Cragie <robert.cragie@gridmerge.com>
Organization: Gridmerge Ltd.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: tls@ietf.org
References: <53160513.20703@bbn.com> <1393955839.20861.20.camel@dhcp-2-127.brq.redhat.com> <53161BA7.3070405@drh-consultancy.co.uk> <CAL9PXLzMiq-WsaAO8Q=kWqbQ3taw-xtuNw_ffuZxjFUXCEEG9A@mail.gmail.com> <5317267F.1070909@akr.io> <53172AE6.1000300@drh-consultancy.co.uk>
In-Reply-To: <53172AE6.1000300@drh-consultancy.co.uk>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms010504060607070703000102"
X-Authenticated-As: robert.cragie@gridmerge.com
X-Extend-Src: mailout
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/aHy1YIW9FSoHAAEyHrKyr1_EbAw
Subject: Re: [TLS] ChaCha and IVs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: robert.cragie@gridmerge.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 17:43:54 -0000

This seems to be a non-issue to me. In SP 800-38D section 8.2.1, the 
deterministic construction is described using an IV with an invocation 
field. If the invocation field is specified as an integer counter, it 
will, by definition, increment by one every time the AES-GCM encrypt 
function is invoked for a particular key. Maybe I missed it, but I 
didn't notice the requirement that the invocation field starts at a 
random starting point? Therefore, this could start at 0 on provision of 
a new key and also be the basis of the sequence number. If there is 
insistence that this is generated within a cryptographic module for 
validation purposes, in the TLS case, the module would use the 
deterministic construction with the invocation field as an integer 
counter and export the invocation field to form the TLS sequence number. 
In this way, there would be no need to have to supply any additional 
code as part of the validation.

Robert

On 05/03/2014 1:47 PM, Dr Stephen Henson wrote:
> On 05/03/2014 13:28, Alyssa Rowan wrote:
>> Random IVs risk collision earlier, burn valuable entropy faster, and are
>> far more fragile.
>>
>> Sequential IVs are deterministic, verifiable, debuggable, and implicit.
>>
>> It is crystal-clear to me that sequential IVs are the correct approach. I
>> would be interested to hear NIST's reasons for recommending otherwise.
>>
> In the case of AES-GCM the relevant FIPS specifications *do* permit sequential
> IVs. One permitted construction is a random starting point generated within
> the module which is then incremented on each invocation.
>
> That "random starting point" requirement means you can't use the sequence
> number directly though.
>
> One way round that would be to have a way to specify the starting point. An
> explicit IV in the first record for example, but that looks messy to me.
>
> Steve.

v2.23.0 | Report a Bug | By Email