Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]

Aaron Zauner <azet@azet.org> Mon, 01 June 2015 16:23 UTC

Message-ID: <556C86FA.3000901@azet.org>
Date: Mon, 01 Jun 2015 18:23:22 +0200
From: Aaron Zauner <azet@azet.org>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Peter Bowen <pzbowen@gmail.com>
References: <556C4ACD.9040002@azet.org> <CABcZeBNsYmto4F-J0mFoxcq-qfL=NJrvDu67fyY9bpBmRp16mQ@mail.gmail.com> <556C51FC.807@azet.org> <5878037.eTrqDl0Ll5@pintsize.usersys.redhat.com> <556C5881.4080902@azet.org> <CAH8yC8nCCNF9B72yNgM-hOkCYJrc2ZU0PmpeBrnbknKO92OZtA@mail.gmail.com> <556C8320.2010705@azet.org> <CAK6vND9MoyWVnitb5CDZzF_RoChbQJt-b5ue+WhXHHvHmsxJLQ@mail.gmail.com>
In-Reply-To: <CAK6vND9MoyWVnitb5CDZzF_RoChbQJt-b5ue+WhXHHvHmsxJLQ@mail.gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] AES-OCB in TLS [New Version Notification for draft-zauner-tls-aes-ocb-03.txt]


Peter Bowen wrote:
> On Mon, Jun 1, 2015 at 9:06 AM, Aaron Zauner <azet@azet.org> wrote:
>> I agree, but am unsure to what extent they are used in real life. I'm
>> trying to reduce the number of cipher-suites that would have to be added
>> to the IANA TLS parameter list; since PSK is unsupported with GCM
>> cipher-suites it seems only logical to exclude them here as well.
> 
> Some TLS implementations (notably BoringSSL) have ended up assigning
> non-standard ciphersuites ECDHE+PSK+AES-GCM for this very reason.  I
> think the lack of this combination is more of an oversight than
> anything.
> 

Unsure if RFC5487 got introduced after the fact, but this document seems
to be the one defining those cipher-suites. In addition it defines PSK
cipher-suites in CBC-mode using SHA256+.

https://tools.ietf.org/html/rfc5487

This is all quite confusing and spread over a lot of different
documents. PSK in CBC-mode (with < SHA256) for example is a different
document (RFC4279).

I'll leave it up to long-time TLS-WG members to decide where these PSK
cipher-suites /would/ fit best. I'm not sure that this document is the
right place -- but that's only because, in the past, PSK cipher-suites
were dealt with exclusively in separate documents, as it seems.

Aaron