Re: [TLS] ChaCha and IVs

Alyssa Rowan <akr@akr.io> Wed, 05 March 2014 13:30 UTC

Message-ID: <5317267F.1070909@akr.io>
Date: Wed, 05 Mar 2014 13:28:31 +0000
From: Alyssa Rowan <akr@akr.io>
To: tls@ietf.org
References: <53160513.20703@bbn.com> <1393955839.20861.20.camel@dhcp-2-127.brq.redhat.com> <53161BA7.3070405@drh-consultancy.co.uk> <CAL9PXLzMiq-WsaAO8Q=kWqbQ3taw-xtuNw_ffuZxjFUXCEEG9A@mail.gmail.com>
In-Reply-To: <CAL9PXLzMiq-WsaAO8Q=kWqbQ3taw-xtuNw_ffuZxjFUXCEEG9A@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/iCqMSQNCJrgaXia_wU_c-VpLXnA


(Just popping by briefly on this one.)

On 04/03/2014 18:56, Adam Langley wrote:

> I feel this is a problem that FIPS needs to sort out (they don't
> have a concept of an AEAD, I assume). I'm unwilling to have the
> whole world waste bandwidth, and have a more dangerous
> specification, because of a bureaucratic problem.

A strong +1 on this.

Random IVs risk collision earlier, burn valuable entropy faster, and
are far more fragile.

Sequential IVs are deterministic, verifiable, debuggable, and implicit.

It is crystal-clear to me that sequential IVs are the correct
approach. I would be interested to hear NIST's reasons for
recommending otherwise.

ChaCha20 and Poly1305 are, of course, not in the FIPS catalogue, so
it's moot.

In a wider sense, given recent discoveries about extremely critical
parts of widely-used TLS stacks, perhaps limiting the scope of reviews
to crypto primitives would be unwise in any event: certified crypto
doesn't do any good when it's skipped over.

-- 
/akr
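The collision and entropy argument from the message above, as an added worked example (my code, not anything posted in the thread or taken from a TLS implementation): it evaluates the birthday bound for uniformly random 96-bit ChaCha20-Poly1305 nonces and shows the implicit sequential derivation (fixed write IV XOR record sequence number, the shape RFC 7905 later standardised). The write IV and message counts are constructed values.

```python
import math

NONCE_BITS = 96          # IETF ChaCha20-Poly1305 nonce size
NONCE_LEN = NONCE_BITS // 8
SEQ_BITS = 64            # TLS record sequence number width


def random_nonce_collision_probability(messages: int, nonce_bits: int = NONCE_BITS) -> float:
    """Birthday bound: P(at least one repeat among `messages` uniformly random
    n-bit nonces) = 1 - exp(-m(m-1) / 2^(n+1))."""
    if messages < 2:
        return 0.0
    x = messages * (messages - 1) / 2 / (1 << nonce_bits)
    return -math.expm1(-x)  # 1 - exp(-x), accurate for tiny x


def random_nonces_for_probability(p: float, nonce_bits: int = NONCE_BITS) -> int:
    """Largest number of random nonces whose collision probability stays <= p
    (the bound above inverted: m ~= sqrt(2 * 2^n * ln(1/(1-p))))."""
    return math.isqrt(int(2 * (1 << nonce_bits) * -math.log1p(-p)))


def sequential_nonce(write_iv: bytes, seq: int) -> bytes:
    """Per-record nonce = write_iv XOR (seq left-padded to 96 bits).
    Distinct sequence numbers give distinct nonces, so a repeat is impossible
    until seq wraps at 2^64, and no RNG output is consumed per record."""
    if len(write_iv) != NONCE_LEN:
        raise ValueError("write IV must be 96 bits")
    if not 0 <= seq < (1 << SEQ_BITS):
        raise ValueError("sequence number exhausted: rekey before reuse")
    padded = seq.to_bytes(NONCE_LEN, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def compare(messages: int) -> dict:
    """Summarise both schemes for a given number of records under one key."""
    return {
        "random_collision_p": random_nonce_collision_probability(messages),
        "sequential_collision_p": 0.0 if messages <= (1 << SEQ_BITS) else 1.0,
        "random_rng_bytes": messages * NONCE_LEN,   # entropy burned per record
        "sequential_rng_bytes": 0,
    }


if __name__ == "__main__":
    # Constructed write IV, as a key-schedule output would supply.
    iv = bytes.fromhex("000102030405060708090a0b")
    print(sequential_nonce(iv, 1).hex())
    print("random nonces safe at p=2^-32:", random_nonces_for_probability(2 ** -32))
    for m in (2 ** 32, 2 ** 48):
        print(m, compare(m))
```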