Re: [TLS] Confirming Consensus on supporting only AEAD ciphers

Michael StJohns <msj@nthpermutation.com> Tue, 29 April 2014 17:46 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84CE21A0933 for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 10:46:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q04a5XtZrf8j for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 10:46:02 -0700 (PDT)
Received: from mail-qg0-f45.google.com (mail-qg0-f45.google.com [209.85.192.45]) by ietfa.amsl.com (Postfix) with ESMTP id 413C01A0927 for <tls@ietf.org>; Tue, 29 Apr 2014 10:46:02 -0700 (PDT)
Received: by mail-qg0-f45.google.com with SMTP id a108so616318qge.4 for <tls@ietf.org>; Tue, 29 Apr 2014 10:46:00 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=5pVD/sSAN2FXrVtrojZVlThVqI6Df+EPHatnj+m3fnQ=; b=QdYZdvMyJAiKNQ5dTULUereL0wcneXBWMz9rpqwpvA2WpOdOsSiq4S8fKp4+obXQIv t0mDrez5ltxxjNkjFz9HlVePBFDP48nMC+UlTnLw1zxsqbcY6GZ6qLeazX1X6TKSwpX0 kCosC20k9vz/E83uU/xETJi+qPte8Aw932Ka86vnBvJVLAhoerZqCDF9EO+rolt6yJ2c Fvq9mPf+lpjf2NM2UPRFFc3uUqmiGH2jakZpsPnIKzO27m9E0VI7gnZyfEXGaPk2kBB5 qcgY55VBDiHvORFiOpj/A53uBkTyzL2a0GenKBh5Vbg40Jj8WeP8sXJCXMehCvcyVsS+ EEbw==
X-Gm-Message-State: ALoCoQkHxmuF/OIoFWeruX0z8PdGQTdymcHfzDdE977OhoUUFY/kMgu8w5zmgx89KGuQiM30AEKk
X-Received: by 10.229.214.74 with SMTP id gz10mr1114193qcb.19.1398793560718; Tue, 29 Apr 2014 10:46:00 -0700 (PDT)
Received: from [192.168.1.105] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id o16sm4735496qax.23.2014.04.29.10.45.59 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 29 Apr 2014 10:45:59 -0700 (PDT)
Message-ID: <535FE558.2090306@nthpermutation.com>
Date: Tue, 29 Apr 2014 13:46:00 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: tls@ietf.org
References: <86E69268-DC0A-43E7-8CF5-0DAE39FD4FD5@cisco.com> <84C4848E-7843-4372-93AA-C1F017C3E088@cisco.com>
In-Reply-To: <84C4848E-7843-4372-93AA-C1F017C3E088@cisco.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/iVJtHdVYOeBpQFI_R4DRdtG8IF0
Subject: Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 17:46:07 -0000

On 4/26/2014 11:24 AM, Joseph Salowey (jsalowey) wrote:
> The consensus from the IETF-89 meeting holds, TLS 1.3 will only use record layer protection of type AEAD. The Editor is requested to make the appropriate changes to the draft on github.

Sorry - I'm coming late here.  Does this also imply the complete 
elimination of the integrity only cipher suites?

With respect to the AEAD approach and with respect to composited AEAD 
cipher suites (e.g. AES_CBC_CMAC reformed as an AEAD cipher per Guttman 
for example), does this also imply that the key expansion phase will 
never be used to generate MAC keys, and that the cipher suite has to 
provide whatever mechanisms that are required to split the AEAD key into 
underlying encryption/integrity keys if required?

Next (reading from the commited editors copy), this refers to 5116 which 
uses a one-size fits all approach that doesn't really fit all sizes, 
especially for composited AEAD.  E.g.  the draft describes this 
generally as an incrementing value.  For AEAD suites that comply with 
5116, that should be part of the suite specification - not TLS.  For 
TLS, this just needs to be an normatively opaque, per-message field.    
Instead,  place an Informative section which recommends how to do this 
with AEAD suites that currently exist.

  And finally, as I've noted many times before, deriving IV/nonce 
material from the master_secret at the same time as deriving keys is not 
securely supportable in hardware.

>
> Joe
> [For the chairs]
> On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey) <jsalowey@cisco.com> wrote:
>
>> TLS has supported a number of different cipher types for protecting the record layer.   In TLS 1.3 these include Stream Cipher, CBC Block Cipher and AEAD Cipher.  The construction of the CBC mode within TLS has been shown to be flawed and stream ciphers are not generally applicable to DTLS. Using a single mechanism for cryptographic transforms would make security analysis easier.   AEAD ciphers can be constructed from stream ciphers and block ciphers and are defined as protocol independent transforms.  The consensus in the room at IETF-89 was to only support AEAD ciphers in TLS 1.3. If you have concerns about this decision please respond on the TLS list by April 11, 2014.
>>
>> Thanks,
>>
>> Joe
>> [Speaking for the TLS chairs]
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>