Re: [TLS] Thoughts on Hardware Support
Michael StJohns <msj@nthpermutation.com> Sat, 14 February 2015 20:24 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCA2F1A003A for <tls@ietfa.amsl.com>; Sat, 14 Feb 2015 12:24:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_66=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id McmesaXx8u0p for <tls@ietfa.amsl.com>; Sat, 14 Feb 2015 12:24:45 -0800 (PST)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D8751A001B for <tls@ietf.org>; Sat, 14 Feb 2015 12:24:45 -0800 (PST)
Received: by mail-qa0-f44.google.com with SMTP id n8so17136548qaq.3 for <tls@ietf.org>; Sat, 14 Feb 2015 12:24:44 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=ZoRRPhggYG1/jof31NNj3qy4V8Mq1Z5Kxpcxx87uB4M=; b=E3Q1dSSj+ZfkagR6/ETRqSrTF56geDwYwJKlzQXbV+iCYAWDMkZOGgjqkO4gNXaCqj G7K/u8Tg/AQIwE5w7m0RbLJrYjKXyVAKgINUU5kBA6AP3azZQPapOSYVMT/+rqcF0blI ywQY3nATzbHYSYMj61E4vWpFbNtmN0Uja87J4NLv1ChphJiSiJcMFNYRMP5m+wlsL4LM VoMu51wUIrCadY8EYGHoCeF9S4UxjFVNrLlHrMv++r7D3wAHWWUY+3U2O1X6aByRNyt4 hsgKHOcVtxu9oq8A5PW/ozePXLrElgODVoxU+tOiOMoH6R1Ka/Qk773uPQHKTgfSlMbn 0T8w==
X-Gm-Message-State: ALoCoQlIvd+u578qH71Z+1wdpM81C7wQijS5EYunBSudaBs+H7CsP/p44ZsNovff80MIODl6UGc+
X-Received: by 10.140.133.21 with SMTP id 21mr10757308qhf.10.1423945484679; Sat, 14 Feb 2015 12:24:44 -0800 (PST)
Received: from [192.168.1.103] (c-69-255-115-150.hsd1.md.comcast.net. [69.255.115.150]) by mx.google.com with ESMTPSA id e13sm10158726qaw.8.2015.02.14.12.24.44 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 14 Feb 2015 12:24:44 -0800 (PST)
Message-ID: <54DFAF19.5060501@nthpermutation.com>
Date: Sat, 14 Feb 2015 15:24:57 -0500
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CACsn0cnuHDwOXtqrFwqzVvUQTWxawBRea9it9_URVvZJsjHjWg@mail.gmail.com>
In-Reply-To: <CACsn0cnuHDwOXtqrFwqzVvUQTWxawBRea9it9_URVvZJsjHjWg@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/fdoKxH6r2K3jp4enWVYKYaMhPf0>
Subject: Re: [TLS] Thoughts on Hardware Support
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Feb 2015 20:24:48 -0000
On 2/14/2015 2:23 PM, Watson Ladd wrote:
> I think the easiest way is to eliminate the IV derivation entirely,
> and have the record layer send the entire nonce each time. if that's
> too much a waste of bandwidth, then we can specify entirely the
> portion that is in TLS 1.2 derived from the MS. I think this is in
> spirit similar to his proposal, but I don't recall the exact details.
The other way of doing this is to not make IV derivation dependent on
secret material. Basically, I suggested that instead to use the same
KDF function, but with a key of zero and a context of the server and
client randoms. That makes IV (or for most AEAD counter based thingies
- nonce) derivation a straightforward entropy extraction from the two
generated random numbers. Alternately, use output of the hash of those
two concatenated values plus a counter (so you can get more than 1 block
of extracted data) plus a label (so you can use the same randoms for
different expansions if you need to).
E.g.
IVDATA = {};
label = { <some number of well known bytes> };
numblocks = CEIL (numBytesNeeded/hashOutputSize);
for (i = 1; i < numblocks; i++) {
IVDATA = IVDATA || HASH (counter(as uint32 big endian) || label ||
serverRandom || clientRandom);
}
return LTRUNC(IVDATA, numBytesNeeded);
This uses all public data and functions to produce public data (the IV
or Nonce).
I apologize as I haven't had the cycles to do a pull request and add the
crypto constructs changes I'm proposing.
Mike
- [TLS] Thoughts on Hardware Support Watson Ladd
- Re: [TLS] Thoughts on Hardware Support Michael StJohns
- Re: [TLS] Thoughts on Hardware Support Michael StJohns
- Re: [TLS] Thoughts on Hardware Support Ilari Liusvaara