IETF Logo Mail Archive

[TLS] Re: Concerns about the current draft.

David Benjamin <davidben@chromium.org> Wed, 03 September 2025 02:19 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 389D85C6C310 for <tls@mail2.ietf.org>; Tue, 2 Sep 2025 19:19:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -9.483
X-Spam-Level:
X-Spam-Status: No, score=-9.483 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.017, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kX-mG67UNPuQ for <tls@mail2.ietf.org>; Tue, 2 Sep 2025 19:19:38 -0700 (PDT)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 232A05C6C2EE for <tls@ietf.org>; Tue, 2 Sep 2025 19:19:38 -0700 (PDT)
Received: by mail-ej1-x62d.google.com with SMTP id a640c23a62f3a-aff0775410eso3034366b.0 for <tls@ietf.org>; Tue, 02 Sep 2025 19:19:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1756865977; x=1757470777; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=u7zNVoGcKfr8LY6qS62I54UggrKOdSFUmxjwEEQLC8w=; b=PBi393ihOea5bu0IWLdapybhmzG1iNof/leo6lgqGsY9Q8GRBEgqYRAVFAV6ySyT02 ymIJ4ld7rmpSi2lpLip/OfrmBMsCd/Yghf+sA2qYkmKPk8v2HpVoRsLB70NDta/DiFrt kEQDi+ny94P/zxZyawMA4Tb3HM9PKlTxgrawQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1756865977; x=1757470777; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=u7zNVoGcKfr8LY6qS62I54UggrKOdSFUmxjwEEQLC8w=; b=pTBnFFt+BJial3KLwko25tTQUyojbbFZt5YJm4YWxi7PgUvRiJOL2WNnKJBU44g3o4 1Iq2NjTAAiZHhirf5WDOmfJRKJYnpZqqW5hYQMo5KPReQS1CPsJRuF8d++OrYk+/7bLU E9ywLi41Y80CMsc2M/7/b2/aCABM1k/qEratRPIlfviYP8uPSg7lWnsZY7+F9qB0U6Hy kkhmltDSpcUMBu1LBvjGNY4oh5/N+f4OpK5EJCrJpjJBfg+4SnFofLJTRDmxcb1ni6xM XmoTIp+Hhz6w9BD8fNgSlDYj4PL5aC73Dr3ozLRd6JqXYBhJ0KUlEmd56/N6vcLZ9iIp RbJQ==
X-Forwarded-Encrypted: i=1; AJvYcCXL8FTorBrmQY9qHV0qjJOBDsU2be3z8MinHGmVU3ZC6ScohxPwGvgd0bwq8/qraL57k6E=@ietf.org
X-Gm-Message-State: AOJu0Yz3MNbiA2bj59xPscjQt5P2FmcDTwcd05eo5epSe7SIDiBmN+jT EONh6QuOLyikuVoNO8Yc87Ni1UKK4flL2bZXAAKgf1yyazsbIduNIaVjkJsAYMbPKvcf1bNII0D vnLT6rK7FIwEHUnmD8kngURJG26B3mZwiiKLJyFk=
X-Gm-Gg: ASbGncsInS9WUULmsx51+Fz/toHXwIpjsn/8aCbqcNO/KnX3RcY+VPG7+711vEc/fY8 IOC9zw6KOkKGKupf+vtB1pPuPgkUWGXUxOCYObyi62ltltmuHFvmiVNXX5DUOsopCZxnVuDlLNz e8beygWvRUiWPma+c0x1GD42K+Vv8l8rqTGYkBYpOIcgwzd3OUq7z/0akht6JGnXy7DMDmPScA4 sP3ZxxlmCxDmh8m7eOIddHZb+1QWvY+AA==
X-Google-Smtp-Source: AGHT+IEli8ndUxRbrXnrWYaiLFYovX2jfRfMlWw/laqj7EzJ/qgh+pOSVmUMZvphBYbCciLG8kpG6tNLSXQg0+/osXk=
X-Received: by 2002:a17:906:c10b:b0:afe:df86:4551 with SMTP id a640c23a62f3a-b01d9754415mr1527806066b.20.1756865976912; Tue, 02 Sep 2025 19:19:36 -0700 (PDT)
MIME-Version: 1.0
References: <CAEEbLAaJ6-hFTJQHMQ1qwWVWEFWp9hTXjZwQR4SDmRFFHbW=EA@mail.gmail.com> <20250829174621.213770.qmail@cr.yp.to> <GVXPR07MB9678CF53A08828BFB66A4600893AA@GVXPR07MB9678.eurprd07.prod.outlook.com> <CAEEbLAYm39hg6VA4Upbr6147syTdLzKiBFcKFRL8HqtCPsAT_w@mail.gmail.com> <SN7PR14MB64926B236A62E8F565D862128306A@SN7PR14MB6492.namprd14.prod.outlook.com> <cae69874-d886-4906-bfd2-2bc267dedfd3@betaapp.fastmail.com>
In-Reply-To: <cae69874-d886-4906-bfd2-2bc267dedfd3@betaapp.fastmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 02 Sep 2025 22:19:24 -0400
X-Gm-Features: Ac12FXz8QePr8yDpnbA08vGkdD8od0q9PR6fZLGUcjwQbVNiVTsRqVewBgDumsA
Message-ID: <CAF8qwaAVoxJ-0dbweM1UgzOGzUOhcsJ6trkAf-FhXuE2Bv5hZg@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="000000000000795128063ddc3cdf"
Message-ID-Hash: HT57PH5WZ5XX2TFHTZATJ2D47EXVIKN3
X-Message-ID-Hash: HT57PH5WZ5XX2TFHTZATJ2D47EXVIKN3
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>, Sophie Schmieg <sschmieg=40google.com@dmarc.ietf.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Concerns about the current draft.
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hTSzis4Ksd7jIDQevmm-9usP4Zo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Tue, Sep 2, 2025, 21:09 Martin Thomson <mt@lowentropy.net> wrote:

> On Wed, Sep 3, 2025, at 03:12, Tim Hollebeek wrote:
> > In particular, X-ECB is horribly broken and these days probably should
> > not be used by anyone, ever. That advice is already a decade old or
> > more, at this point.
>
> Total distraction, but RFC 9001 uses ECB.  Defensibly so, I believe.
> Though perhaps you might consider the use as part of a more advanced mode,
> HN-1.  Now for the tongue-in-cheek version: Absolute statements are always
> wrong.
>

To add to the distraction, this is really an example of compounded
confusion in how to define things, not a legitimately good use of ECB.

RFC 9001 doesn't really use ECB. It uses the AES block cipher, a function
that takes a fixed-length 16-byte input to a fixed-length 16-byte output.
It's just that some (but not all!) cryptography libraries don't have an API
for that, instead insisting on jamming unrelated objects into the same
interface. That leads to always having a variable-length Mode(TM) on
everything. (This kind of thinking leads to the infamous "RSA/ECB/..."
APIs.)

Then the (not common) applications that actually need the underlying
fixed-length block cipher are stuck using variable-length ECB as the only
way to get at it, even though actually making use of the variable-length
aspect would be a problem.

To that end, RFC 9001 would have been written better to say it used the
block cipher, with a little bit of implementation guidance that, if you
don't have an API for that, you might be able to call an ECB API instead.
Indeed I remember, when I was helping folks implement this, the ECB wording
caused a lot of confusion and I had to direct them to the block cipher
functions instead. No sense in materializing all the extra machinery for a
true variable-length ECB when you were just going to run the block cipher
once.

David

>

v2.37.1 | Report a Bug | By Email | System Status