Re: [TLS] WG adoption + early code point assignment: draft-mavrogiannopoulos-chacha-tls

Yoav Nir <ynir.ietf@gmail.com> Wed, 20 May 2015 15:14 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CABcZeBNQQKgBzzoia0TWzbG8PycoOLT+ejOM7dwNNfgNoCqRtA@mail.gmail.com>
Date: Wed, 20 May 2015 18:13:52 +0300
Message-Id: <86AF5010-12A3-410A-AE23-9A0643D536EE@gmail.com>
References: <FD8B7C3F-C3DD-4367-B84D-26B9907F1B9D@ieca.com> <CABcZeBOqnyXS5kp=ZiN2PpKYt_dOg1+L4_S__h-+YP=n6sHk3A@mail.gmail.com> <1269593170.1072986.1432104184832.JavaMail.zimbra@redhat.com> <CABcZeBNQQKgBzzoia0TWzbG8PycoOLT+ejOM7dwNNfgNoCqRtA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/iKAccshuvGXTa82GQr31-oGJRys>
Cc: IETF TLS Working Group <tls@ietf.org>
Subject: Re: [TLS] WG adoption + early code point assignment: draft-mavrogiannopoulos-chacha-tls

> On May 20, 2015, at 4:21 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> On Tue, May 19, 2015 at 11:43 PM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:
> ----- Original Message -----
> > I am in favor of this draft.
> >
> > Prior to doing the code point assignment, however, we should resolve
> > the question of the per-record nonce algorithm. The current draft uses
> > an algorithm that is not consistent either with the algorithm we use for
> > GCM or TLS 1.3.
> >
> > - TLS 1.2 GCM: 32-bit fixed salt || 64-bit explicit per-record IV
> > - TLS 1.3: fixed mask XORed with the record sequence number
> > - ChaCha: 32-bit fixed salt || record sequence number
> 
> I think the chacha draft is consistent with the TLS 1.2 GCM draft. The TLS
> 1.2 GCM draft allows as an option (MAY) to have "32-bit fixed salt || record sequence number",
> and in fact all implementations do that. So this draft simply ratifies that
> approach and changes that requirement to MUST.
> 
> Not just that. It also doesn't carry the RSN on the wire, which the GCM one does.

Yes, there’s that. I think that we should leave the record IV (which this draft makes equal to the RSN, while RFC 5288 allows it to be chosen in any way) in the record for TLS 1.2.
In 1.3 we’re anyway planning to do it differently and omit the IV, so we should do it there for both algorithms.
It’s a waste of 8 bytes, but that will give us one more reason to implement 1.3, no?

Yoav
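The three per-record nonce derivations compared in the thread (RFC 5288 GCM with its explicit 8-byte part on the wire, the ChaCha draft's salt || sequence number that is never sent, and the TLS 1.3 fixed-IV-XOR-sequence-number form) are shown side by side below. This is an added example, not code from the thread, from the draft or from any TLS implementation. The AEAD is a toy hash-based stand-in (not AES-GCM or ChaCha20-Poly1305), the salt and key values are made up, and the left-padding of the sequence number to the IV length in the TLS 1.3 case is assumed from the TLS 1.3 design rather than stated in the thread. The point it makes concrete is the 8 bytes per record the explicit nonce costs, and the counter lockstep the implicit forms require in exchange.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # AES-GCM and ChaCha20-Poly1305 both produce a 16-byte tag

# --- the three nonce constructions named in the thread --------------------

def gcm_tls12_nonce(salt: bytes, explicit: bytes) -> bytes:
    """RFC 5288: 4-byte implicit salt || 8-byte explicit part sent on the wire."""
    if len(salt) != 4 or len(explicit) != 8:
        raise ValueError("GCM nonce is 4-byte salt || 8-byte explicit part")
    return salt + explicit

def chacha_draft_nonce(salt: bytes, seq: int) -> bytes:
    """Draft as described in the thread: 4-byte salt || 64-bit record sequence
    number, reconstructed by the receiver from its own counter, never sent."""
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    return salt + struct.pack(">Q", seq)

def tls13_nonce(iv: bytes, seq: int) -> bytes:
    """TLS 1.3 style: fixed per-direction IV XOR sequence number. Assumption
    (not in the thread): seq is left-padded with zeros to the IV length."""
    padded = struct.pack(">Q", seq).rjust(len(iv), b"\x00")
    return bytes(a ^ b for a, b in zip(iv, padded))

# --- toy AEAD stand-in (NOT a real cipher; only nonce handling matters) ----

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]

def toy_seal(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag

def toy_open(key: bytes, nonce: bytes, sealed: bytes):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, good):
        return None  # a wrong nonce shows up only as a tag failure
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# --- record framing: explicit nonce on the wire vs. counter-derived -------

def gcm12_send(key, salt, seq, pt):
    explicit = struct.pack(">Q", seq)  # the RFC 5288 "MAY use the seq" option
    return explicit + toy_seal(key, gcm_tls12_nonce(salt, explicit), pt)

def gcm12_recv(key, salt, record):
    explicit, body = record[:8], record[8:]  # receiver needs no counter here
    return toy_open(key, gcm_tls12_nonce(salt, explicit), body)

def implicit_send(key, derive, seq, pt):
    return toy_seal(key, derive(seq), pt)

def implicit_recv(key, derive, seq, record):
    return toy_open(key, derive(seq), record)

def wire_overhead(pt=b"hello"):
    """Bytes added beyond the plaintext by each framing; the two differ by
    exactly the 8 explicit-nonce bytes the thread calls a waste."""
    key, salt = b"k" * 32, b"\x01\x02\x03\x04"  # made-up values
    gcm = len(gcm12_send(key, salt, 0, pt)) - len(pt)
    cha = len(implicit_send(key, lambda s: chacha_draft_nonce(salt, s), 0, pt)) - len(pt)
    return gcm, cha

def desync_fails():
    """With counter-derived nonces the receiver's counter must track the
    sender's: after dropping record 1, record 2 cannot be opened. Real TLS
    also binds seq into the AAD, so a dropped record fails for GCM too; the
    toy omits AAD to isolate the nonce handling."""
    key, salt = b"k" * 32, b"\xaa\xbb\xcc\xdd"  # made-up values
    derive = lambda s: chacha_draft_nonce(salt, s)
    records = [implicit_send(key, derive, s, b"rec%d" % s) for s in range(3)]
    in_sync = implicit_recv(key, derive, 2, records[2])
    desynced = implicit_recv(key, derive, 1, records[2])
    return in_sync == b"rec2" and desynced is None

def first_nonce_reuse(nonces):
    """Receiver-side check worth running against an explicit-nonce peer:
    index of the first repeated nonce, or -1. A counter-derived nonce cannot
    repeat under one key before 2**64 records, which is the argument for
    taking the IV off the wire."""
    seen = set()
    for i, n in enumerate(nonces):
        if n in seen:
            return i
        seen.add(n)
    return -1
```

`wire_overhead()` returns (24, 16): explicit nonce plus tag versus tag alone. `desync_fails()` is the flip side of saving those 8 bytes: once the nonce is derived from the counter, both ends must agree on the sequence number, which TLS already enforces through the MAC/AAD, so nothing new is lost in practice.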