IETF Logo Mail Archive

Re: [TLS] Inclusion of OCB mode in TLS 1.3

Eric Rescorla <ekr@rtfm.com> Wed, 14 January 2015 17:03 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A27041A90E3 for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 09:03:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tfS7Eaa8GUi2 for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 09:03:03 -0800 (PST)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60C061A90D4 for <tls@ietf.org>; Wed, 14 Jan 2015 09:02:58 -0800 (PST)
Received: by mail-wg0-f44.google.com with SMTP id y19so10116927wgg.3 for <tls@ietf.org>; Wed, 14 Jan 2015 09:02:57 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=Vmop082sFdAezLuYrTAITQoVMDvaA4EQBKeymUUCGkE=; b=A/l33rEeVtHHkgAhDSxFCledkG1Aa2JPzphOeT/FGqYxYSwW0HexoHnj01gjPU+f41 fFWocCFuYxXhzZG1AlTdTmnKQCXEnu3g7663LFVF1ZvSAECT6yfPeVr6Kl8Gb0MSJtiW K/shsKDJXPtR0beS9HkmPsHfBwhJxnso6MBVMStebym/8GsoZRxYyDEBe7Y1ndv2q3Zb JYsOc2zIe6iPXTCxY0E1HRPR3BT13/t4N1HUIlER6JpadHA+7tvC4HdPJQ/6gNuB22Ct dnKJZ7FYZvSR4WXCkdaYEixOls7QuJma+WwSSmYucU/EVGnOrknQejsrW81hvGaWvOcg 6F3w==
X-Gm-Message-State: ALoCoQldZiar6awnNGLJ+4+fOyg5lriG1NGYbjIKagxkHC7xswukNxkUUg9Z9J8KaVYmV8K2tsM/
X-Received: by 10.180.207.66 with SMTP id lu2mr10489839wic.13.1421254977042; Wed, 14 Jan 2015 09:02:57 -0800 (PST)
MIME-Version: 1.0
Received: by 10.27.142.215 with HTTP; Wed, 14 Jan 2015 09:02:16 -0800 (PST)
In-Reply-To: <54B6815A.7060102@azet.org>
References: <54B5501A.4070402@azet.org> <D0DA96DB.58455%paul@marvell.com> <54B58F5B.2010704@cs.tcd.ie> <54B6815A.7060102@azet.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 14 Jan 2015 09:02:16 -0800
Message-ID: <CABcZeBOkabo85Hv73MM1koeGnVYDJtPHc6uwk5b1BkPDRu=RGg@mail.gmail.com>
To: Aaron Zauner <azet@azet.org>
Content-Type: multipart/alternative; boundary="001a11c3d8ee0ae1d8050c9fb65e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/eU_UI4TvzWwUQSE7bcR1jYmXgtg>
Cc: TLS Mailing List <tls@ietf.org>
Subject: Re: [TLS] Inclusion of OCB mode in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jan 2015 17:03:09 -0000

On Wed, Jan 14, 2015 at 6:46 AM, Aaron Zauner <azet@azet.org> wrote:

> Hi Stephen,
>
> Stephen Farrell wrote:
> > <no-hats>
> >
> > On 13/01/15 18:25, Paul Lambert wrote:
> >> This should not stop inclusion of OCB as an optional mode in TLS,
> >
> > I don't get why additional options are at all attractive. In
> > fact, I think they're ugly.
> >
> > TLS has about 327 ciphersuites. That's just stupid. (I'm not
> > saying any person is stupid there btw, but we have gotten
> > ourselves into a stupid place.)
>
> Yup. Having different naming schemes for different
> libraries/implementations beyond that makes it almost impossible to give
> good recommendations to end-users (admins, management) as we've noticed
> in the bettercrypto.org project.
>
> >
> > If we have a really better thing, they why not make it MTI? If
> > we do not have something sufficiently better then I'd argue to
> > exclude as much as possible, and certainly against adding
> > anything that is just nice to have.
> >
> > I'd even like to make almost all current ciphersuites a MUST NOT
> > (or start a new registry) for TLS1.3 and to not add any new
> > ciphersuites at all, and just stick with two MTI ciphersuites
> > that are as genetically different as possible and cover as many
> > implementations (h/w AES or not) as possible.
> >
> > So my suggestion is to reduce the ciphersuite field to be
> > 2 bits wide in TLS 1.3, with 00 being default, 01 backup, 02
> > being "proprietary" and 03 reserved. If either 00 or 01 needs
> > to be changed then I'd say rev the TLS version. (I don't care
> > if we did s/default/has-AES-hw/ and s/backup/just-sw-crypto/
> > that'd also be fine.)
> >
> > And yes, I realise that's not likely to get traction, but
> > turning 327 into 427 is even dumber when reality shows that
> > only a few of 'em are used or needed.
>
> Just as a suggestion, how about a document that does only include
> forward-secret cipher-suites that are valid for TLS 1.3? That would
> drastically remove the number of OCB ciphersuites that I would have to
> add in case of TLS 1.2.
>
> One issue though: as far as I can tell (from the recent RWC presentation
> by EKR) there are still going to be three block ciphers in TLS 1.3: AES,
> CAMELLIA, ARIA.


To be clear, this is just a statement of fact. I.e., TLS 1.3 can only be
used
with AEAD and these are the AEAD ciphers that are presently defined.
The WG could adopt more AEAD ciphers or conversely, remove ones that
currently exist.

Speaking only for myself, it seems like AES-GCM is the leading candidate
for the MTI for TLS 1.3, based on the fact that it's the most common
AEAD algorithm with 1.2.

-Ekr

v2.23.0 | Report a Bug | By Email