Re: [TLS] Consensus Call on MTI Algorithms

Dave Garrett <davemgarrett@gmail.com> Fri, 03 April 2015 15:10 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Fri, 03 Apr 2015 11:10:40 -0400
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/d9NhgKZbmyVHGdiBTcong7Fl5ng>

On Friday, April 03, 2015 09:55:32 am Watson Ladd wrote:
> On Apr 2, 2015 11:49 AM, "Nico Williams" <nico@cryptonector.com> wrote:
> > On Wed, Apr 01, 2015 at 11:12:19AM -0700, Joseph Salowey wrote:
> > > o Symmetric:
> > >         MUST AES-GCM 128
> > >         SHOULD ChaCha20-Poly1305
> >
> > I would like at least two modes for AES to be required: one AEAD
> > (probably GCM) and one AEAD-by-generic-construction (e.g., using HMAC).
> 
> OCB is a better fit for constrained devices. CCM requires two passes.

So, at this point in the discussion, this is sounding like what might get closer to agreement:

o Symmetric:
        MUST AES-OCB 128 (or 256?)
        MUST ChaCha20-Poly1305
        OPTIONAL AES-GCM 128, but MUST if supporting TLS 1.2

This is essentially 2 MTI for TLS 1.3, with a required amendment to the TLS 1.2 spec to add an AEAD MTI. Without this, when falling back a version there'd be a higher likelihood of having to downgrade to CBC. (current draft has a SHOULD for using AEAD with TLS 1.2, if available)

The question is, however: is the WG willing to specify two new MTI? Not having one that's currently in widespread use might slow adoption. Then again, ChaChaPoly is getting out there from Google's pushing of it. Or, all 3 could just be MUSTs.


Dave
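
The fallback concern raised in the message above, as an added example that is not part of the original post: two TLS 1.2 peers can each support an AEAD suite and still land on CBC when no AEAD suite is common to both, which is what a shared MTI prevents. The peer profiles are constructed, and picking by client preference order is a simplifying assumption.

```python
# Added illustration, not from the mailing-list post.
# Suite names are IANA-registered TLS 1.2 names; the peer profiles are constructed.

GCM128 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
CHACHA = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
CBC128 = "TLS_RSA_WITH_AES_128_CBC_SHA"  # the TLS 1.2 MTI suite in RFC 5246

AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")


def is_aead(suite):
    """Classify a suite by the cipher mode encoded in its name."""
    return any(marker in suite for marker in AEAD_MARKERS)


def negotiate(client_offer, server_supported):
    """Return the first client-preferred suite the server supports, else None."""
    supported = set(server_supported)
    for suite in client_offer:
        if suite in supported:
            return suite
    return None


def with_mti(suites, mti):
    """Return the profile with the MTI suite added ahead of any non-AEAD suite."""
    if mti in suites:
        return list(suites)
    aead = [s for s in suites if is_aead(s)]
    legacy = [s for s in suites if not is_aead(s)]
    return aead + [mti] + legacy


def fallback_report(client_offer, server_supported):
    """Summarise what a TLS 1.2 fallback between two profiles would select."""
    suite = negotiate(client_offer, server_supported)
    return {"suite": suite, "aead": suite is not None and is_aead(suite)}


# Constructed profiles: each peer has one AEAD suite, but not the same one.
CLIENT_12 = [CHACHA, CBC128]
SERVER_12 = [GCM128, CBC128]

if __name__ == "__main__":
    print("no AEAD MTI:  ", fallback_report(CLIENT_12, SERVER_12))
    print("GCM-128 MUST: ", fallback_report(with_mti(CLIENT_12, GCM128),
                                            with_mti(SERVER_12, GCM128)))
```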