Re: [TLS] Spec tls13 comments, handshake tampering, mitigation, counter/seq_no predictability: WAS: Do we need DH?
Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 07 January 2015 09:21 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B38FF1A898C for <tls@ietfa.amsl.com>; Wed, 7 Jan 2015 01:21:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qJXtbzkjKG3h for <tls@ietfa.amsl.com>; Wed, 7 Jan 2015 01:21:33 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 938181A1BD9 for <tls@ietf.org>; Wed, 7 Jan 2015 01:21:33 -0800 (PST)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t079LWGR024091 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 7 Jan 2015 04:21:32 -0500
Received: from dhcp-2-127.brq.redhat.com (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t079LUMG017253 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Wed, 7 Jan 2015 04:21:31 -0500
Message-ID: <1420622490.7097.36.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Michael Clark <michael@metaparadigm.com>
Date: Wed, 07 Jan 2015 10:21:30 +0100
In-Reply-To: <54AC7DCF.6070302@metaparadigm.com>
References: <CACsn0cmD=YA4i889f--e_b-OahUVoYdKyQUaiUN--QKOmqn8uA@mail.gmail.com> <54A252EA.1010905@iki.fi> <2348107.Lj21YcAO1u@pintsize.usersys.redhat.com> <DF638EB0-A163-4DBD-B095-43EEDA4D9DB1@gmail.com> <54ABE1D2.7090601@metaparadigm.com> <54AC7DCF.6070302@metaparadigm.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/gfLyEFwv0xo0gnMxKKqCXP3jMx8
Cc: tls@ietf.org
Subject: Re: [TLS] Spec tls13 comments, handshake tampering, mitigation, counter/seq_no predictability: WAS: Do we need DH?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jan 2015 09:21:37 -0000
On Wed, 2015-01-07 at 08:29 +0800, Michael Clark wrote: > These ciphers are essentially the four AEAD ciphers that have existing > IETF RFCs or drafts. CCM is a valid AEAD cipher choice and fits within > the draft framework. > However my earlier comment was that EAX (a NIST candidate) has > complementary properties and a security proof. EAX2, the foundation for > AES_EAX provides a generalized framework for Encypt-then-MAC i.e. > EAX2[AES,OMAC2[AES]] > I'm not attached to any of the ciphers and don't have an interest in > CCM, other than having a choice of 3 AEAD ciphers, and one of them from > NTT would be good. My conclusion on reading the literature was that EAX > has better properties than CCM, despite its slightly longer key setup > time (less then GCM) and equivalent performance to CCM. CCM is more like > CBC mode with MAC whereas EAX is more like CTR mode (GCM) with IV > increased entropy in the counter and the use of an alternative cipher > based MAC, making it complementary to the current suite. I also prefer EAX to CCM. CCM is a very special and limited AEAD mode (e.g., it needs to know the size of the encrypted data in advance), and I'd avoid using it when possible. regards, Nikos
- Re: [TLS] Do we need DH? Fedor Brunner
- Re: [TLS] Do we need DH? Tapio Sokura
- [TLS] Do we need DH? Watson Ladd
- Re: [TLS] Do we need DH? Alyssa Rowan
- Re: [TLS] Do we need DH? Yoav Nir
- Re: [TLS] Do we need DH? Peter Gutmann
- Re: [TLS] Do we need DH? Brian Smith
- Re: [TLS] Do we need DH? Maarten Bodewes
- Re: [TLS] Do we need DH? Hubert Kario
- Re: [TLS] Do we need DH? Yoav Nir
- Re: [TLS] Do we need DH? Alyssa Rowan
- Re: [TLS] Do we need DH? Nico Williams
- Re: [TLS] Do we need DH? Yoav Nir
- Re: [TLS] Do we need DH? Florian Weimer
- [TLS] Spec tls13 comments, handshake tampering, m… Michael Clark
- Re: [TLS] Spec tls13 comments, handshake tamperin… Michael Clark
- Re: [TLS] Spec tls13 comments, handshake tamperin… Nikos Mavrogiannopoulos