Re: [TLS] Confirming Consensus on supporting only AEAD ciphers

"Joseph Salowey (jsalowey)" <> Tue, 06 May 2014 05:32 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 591CC1A072F for <>; Mon, 5 May 2014 22:32:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -15.152
X-Spam-Status: No, score=-15.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8E_r2XoiAMjX for <>; Mon, 5 May 2014 22:32:18 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C70081A072D for <>; Mon, 5 May 2014 22:32:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=3914; q=dns/txt; s=iport; t=1399354334; x=1400563934; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=rPURbpC9A7wnXDkNUwms2sO80uMdWv7Y8zhgHe6S/HQ=; b=buICLzxPedTLg3rgRRxEAkMDWIal5wX2EcDeaEBZW6d1iqKhG0oWhMyu u4MAjFQ6ghmQyuM2jwAQXJXN5LkXUyMAHzbMApYsn/bgIfgPxH1o9svzw ka8VcplYm35Jh4mYTyLnsE6033UoXJO5cSECLMdeDLY/CaWW07xxRCkRz 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgUFAC9zaFOtJA2B/2dsb2JhbABYgwZPWL0chzuBGRZ0giUBAQEDAQEBATc0CwULAgEIGB4QJwslAgQOBYg5CA3NaRMEjh8zB4MqgRUEmTeSeIM0gi8
X-IronPort-AV: E=Sophos;i="4.97,994,1389744000"; d="scan'208";a="322642561"
Received: from ([]) by with ESMTP; 06 May 2014 05:32:14 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id s465WDvK025250 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 6 May 2014 05:32:13 GMT
Received: from ([]) by ([]) with mapi id 14.03.0123.003; Tue, 6 May 2014 00:32:13 -0500
From: "Joseph Salowey (jsalowey)" <>
To: Michael StJohns <>
Thread-Topic: [TLS] Confirming Consensus on supporting only AEAD ciphers
Thread-Index: AQHPSSM6qiIeFUDRHUase0LCUT6SLpskiL+AgATejwCACjNNAA==
Date: Tue, 6 May 2014 05:32:13 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 06 May 2014 05:32:20 -0000

On Apr 29, 2014, at 10:46 AM, Michael StJohns <> wrote:

> On 4/26/2014 11:24 AM, Joseph Salowey (jsalowey) wrote:
>> The consensus from the IETF-89 meeting holds, TLS 1.3 will only use record layer protection of type AEAD. The Editor is requested to make the appropriate changes to the draft on github.
> Sorry - I'm coming late here.  Does this also imply the complete elimination of the integrity only cipher suites?

[Joe] Its possible to have AEAD modes that provide only authentication, however I don't think that the currently defined AEAD ciphers support authentication only so its possible that some modification may need to be made to support this.  

> With respect to the AEAD approach and with respect to composited AEAD cipher suites (e.g. AES_CBC_CMAC reformed as an AEAD cipher per Guttman for example), does this also imply that the key expansion phase will never be used to generate MAC keys, and that the cipher suite has to provide whatever mechanisms that are required to split the AEAD key into underlying encryption/integrity keys if required?
[Joe] Yes, the cipher suite would be responsible for deriving the appropriate keys from the key material it is given. 

> Next (reading from the commited editors copy), this refers to 5116 which uses a one-size fits all approach that doesn't really fit all sizes, especially for composited AEAD. E.g.  the draft describes this generally as an incrementing value.  For AEAD suites that comply with 5116, that should be part of the suite specification - not TLS.  For TLS, this just needs to be an normatively opaque, per-message field.    Instead,  place an Informative section which recommends how to do this with AEAD suites that currently exist.
[Joe] I think I'm missing your point here. I thought the existing cipher suites did define how the nonce is generated and the TLS document just provides some guidance on nonce generation.    

> And finally, as I've noted many times before, deriving IV/nonce material from the master_secret at the same time as deriving keys is not securely supportable in hardware.

[Joe]  So currently with AES-GCM and AES-CCM then nonce is  partially derived from the Client and Server IV.   If I remember correctly the TLS derivation by splitting up the derived key material into secret keys and IVs is problematic.  Can this part of the problem be solved by changing the way TLS derives keys and IVs? 

>> Joe
>> [For the chairs]
>> On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey) <> wrote:
>>> TLS has supported a number of different cipher types for protecting the record layer.   In TLS 1.3 these include Stream Cipher, CBC Block Cipher and AEAD Cipher. The construction of the CBC mode within TLS has been shown to be flawed and stream ciphers are not generally applicable to DTLS. Using a single mechanism for cryptographic transforms would make security analysis easier.   AEAD ciphers can be constructed from stream ciphers and block ciphers and are defined as protocol independent transforms.  The consensus in the room at IETF-89 was to only support AEAD ciphers in TLS 1.3. If you have concerns about this decision please respond on the TLS list by April 11, 2014.
>>> Thanks,
>>> Joe
>>> [Speaking for the TLS chairs]
>>> _______________________________________________
>>> TLS mailing list
>> _______________________________________________
>> TLS mailing list
> _______________________________________________
> TLS mailing list