Re: Review (Re: [TLS] I-D ACTION:draft-ietf-tls-ctr-00.txt)
nagendra modadugu <nagendra@cs.stanford.edu> Mon, 20 March 2006 08:45 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FLG17-00043N-9q; Mon, 20 Mar 2006 03:45:33 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FLG15-00043I-8K for tls@ietf.org; Mon, 20 Mar 2006 03:45:31 -0500
Received: from agp.stanford.edu ([171.67.73.10]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FLG14-0000TT-Sn for tls@ietf.org; Mon, 20 Mar 2006 03:45:31 -0500
Received: from theory.stanford.edu ([171.64.78.10]) by agp.stanford.edu with esmtps (TLSv1:DES-CBC3-SHA:168) (Exim 4.43) id 1FLG14-000313-Gz for tls@ietf.org; Mon, 20 Mar 2006 00:45:30 -0800
Received: from mail by theory.Stanford.EDU with spam-scanned (Exim 4.30) id 1FLG13-0006uq-Nz for tls@ietf.org; Mon, 20 Mar 2006 00:45:30 -0800
Received: from cipher.stanford.edu ([171.64.78.146]) by theory.Stanford.EDU with esmtp (TLSv1:AES256-SHA:256) (Exim 4.30) id 1FLG11-0006uW-FI; Mon, 20 Mar 2006 00:45:27 -0800
Received: from cipher.Stanford.EDU (localhost.localdomain [127.0.0.1]) by cipher.Stanford.EDU (8.13.4/8.12.11) with ESMTP id k2K8jRB7031857; Mon, 20 Mar 2006 00:45:27 -0800
Received: (from nagendra@localhost) by cipher.Stanford.EDU (8.13.4/8.13.4/Submit) id k2K8jRK6031856; Mon, 20 Mar 2006 00:45:27 -0800
X-Authentication-Warning: cipher.Stanford.EDU: nagendra set sender to nagendra@cs.stanford.edu using -f
Date: Mon, 20 Mar 2006 00:45:27 -0800
From: nagendra modadugu <nagendra@cs.stanford.edu>
To: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: Re: Review (Re: [TLS] I-D ACTION:draft-ietf-tls-ctr-00.txt)
Message-ID: <20060320084527.GB30961@cs.stanford.edu>
References: <E1FEEbS-0006vT-DQ@stiedprstage1.ietf.org> <6.2.5.6.2.20060303142705.051f7078@qualcomm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <6.2.5.6.2.20060303142705.051f7078@qualcomm.com>
User-Agent: Mutt/1.4.1i
X-Scan-Signature: 2d1a4fa5d0150c38835749a59b44c419
X-Spam-Checker-Version: SpamAssassin 3.0.4-cs-csdcf (2005-06-05) on cs-smtp-2.Stanford.EDU
X-Spam-Level:
X-Spam-Status: No, score=-104.9 required=7.0 tests=BAYES_00, USER_IN_WHITELIST autolearn=no version=3.0.4-cs-csdcf
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 39bd8f8cbb76cae18b7e23f7cf6b2b9f
Cc: David McGrew <mcgrew@cisco.com>, tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
> I have a few questions and thoughts on the TLS-CTR mode I-D: > > On the IV construction: > > I see that the nonce is 48 bits in length. My recollection of David > McGrew's analysis of CTR mode is that 64 bits of nonce would provide > 128-bit security (for a 128bit key and CTR mode). My question is on > the level of security 48-bit nonces provide. I see that 3686 uses a > 32-bit nonce. I am confused at what is the right length for the > nonce. Some discussion on that might be appropriate in the SEC > considerations section. Perhaps David might help clarify (I may have > misread his paper). My understanding is that 32-bits of nonce are sufficient to accomodate for pre-computation attacks on CTR mode. Though, if there is a problem here, then it would apply equally to 3686. > On the block level counter, 3686 specifies a 32-bit counter citing > IPv6 Jumbograms' requirement. SRTP makes a note that for multimedia > apps, that might be safely ignored. Could you also make a similar > note in this document, or perhaps you might also want to support > jumbograms? (Perhaps IPv6 historians might tell us whether there are > practical uses for jumbograms). The limit on the counter here is to support a TLS record of 2^14 octets. > I don't think it is sufficient to refer to 3686's security > considerations. Those notes are written for a different protocol and > context. Perhaps you might copy and paste from there and edit the > text, if you want to reuse text. Good point. That's probably the right thing to do. Thanks, nagendra _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] I-D ACTION:draft-ietf-tls-ctr-00.txt Internet-Drafts
- Review (Re: [TLS] I-D ACTION:draft-ietf-tls-ctr-0… Lakshminath Dondeti
- [TLS] some more questions and comments on draft-i… Nikos Mavrogiannopoulos
- Re: Review (Re: [TLS] I-D ACTION:draft-ietf-tls-c… nagendra modadugu
- Re: [TLS] some more questions and comments on dra… nagendra modadugu
- Re: [TLS] some more questions and comments on dra… Nikos Mavrogiannopoulos
- Re: Review (Re: [TLS] I-D ACTION:draft-ietf-tls-c… David Hopwood