Re: [TLS] where IVs come from (and other mysteries ...)

Stephen Kent <kent@bbn.com> Tue, 18 March 2014 16:05 UTC

Message-ID: <53286EBA.5090308@bbn.com>
Date: Tue, 18 Mar 2014 12:05:14 -0400
From: Stephen Kent <kent@bbn.com>
To: Sandeep Kumar <ietf@sandeep.de>
References: <5318A8A6.50201@bbn.com> <CACsn0cmXj+t4_k=V4u4JGfZBVzbgQiKzMw8mMPzvtZHaGS2ZtQ@mail.gmail.com> <CADMpkcK8UEnCX59=CBvhLsbU4TPAEyBaPnv1-WwPdwufDx8csA@mail.gmail.com> <CAH51uSctbShOktV8NaSWjVzXe6YohwNWSeY8j4CwZwoLNEfK4g@mail.gmail.com>
In-Reply-To: <CAH51uSctbShOktV8NaSWjVzXe6YohwNWSeY8j4CwZwoLNEfK4g@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/keRJXHIHDM_eCUKrP533CczfF4Q
Cc: "tls@ietf.org" <tls@ietf.org>, Steve Kent <kent@bbn.com>
Subject: Re: [TLS] where IVs come from (and other mysteries ...)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

Sandeep,

Sorry to be so late in replying.
> ....
>
> RFC5288 states that
>    struct {
>        opaque salt[4];
>        opaque nonce_explicit[8];
>    } GCMNonce;
>
> ...the salt is generated as part of the handshake
>    process: it is either the client_write_IV (when the client is
>    sending) or the server_write_IV (when the server is sending).
>
> Does it mean that the module generates the nonce_explicit or the whole
> GCMNonce? If it's the latter then the sequence number checking on
> the TLS packet will not help.

The part of the structure labeled "salt" above is called the "fixed field" in NIST 800-38. The FIPS 140-2 implementation guidance doc says that if one generates the explicit nonce deterministically, e.g., using a counter or LFSR, then the fixed field represents the "name" of the module and the name needs to be long enough to allow for at least 2**32 distinct values. The name need not be generated internal to the module; according to Additional Comment #2, page 136, this field may be assigned by a user. So, in the context of interest, TLS could supply the salt to an evaluated module, but the module would generate the explicit nonce internally. There is separate test guidance if the whole IV were to be generated randomly, but we're not discussing that approach here, based on the RFC 5288 description you cited above.

Steve
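The split Kent describes, with the salt supplied from outside and the explicit nonce produced by a counter inside the module, as an added worked example (not code from the original post, from RFC 5288, or from any FIPS-evaluated module). It also goes one step past the message to answer Sandeep's question: the receiver never checks the sender's counter at all, because RFC 5288 binds the record sequence number through the AEAD additional data (seq_num || type || version || length), so a replayed record fails the tag check whoever generated nonce_explicit. The type and function names (gcmEndpoint, Seal, Open, demo) are this example's own, and the key and salt are constructed test values rather than output of a TLS key derivation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// TLS 1.2 record-header codes that RFC 5288 folds into the AEAD additional
// data (real values: application_data, version 3.3).
const ctApplicationData, versionMajor, versionMinor = 23, 3, 3

// gcmEndpoint plays the "evaluated module" of the discussion for one
// direction of a connection. The 4-byte salt (client_write_IV or
// server_write_IV) is handed in from the handshake; the 8-byte
// nonce_explicit comes from a counter the module owns. One instance is the
// sender, a second instance with the same key and salt is the receiver.
// Names here are this example's own, not RFC 5288 identifiers.
type gcmEndpoint struct {
	aead    cipher.AEAD
	salt    [4]byte
	counter uint64 // sender: next nonce_explicit, strictly increasing
	seq     uint64 // record sequence number; bound only via the AAD
}

func newGCMEndpoint(key, salt []byte) (*gcmEndpoint, error) {
	if len(salt) != 4 {
		return nil, errors.New("salt must be exactly 4 bytes (RFC 5288 GCMNonce)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	e := &gcmEndpoint{aead: aead}
	copy(e.salt[:], salt)
	return e, nil
}

// gcmNonce assembles salt || nonce_explicit, the GCMNonce of RFC 5288.
func gcmNonce(salt [4]byte, explicit [8]byte) []byte {
	return append(append(make([]byte, 0, 12), salt[:]...), explicit[:]...)
}

// additionalData is seq_num || type || version || length (RFC 5288, section 3).
func additionalData(seq uint64, plaintextLen int) []byte {
	aad := make([]byte, 13)
	binary.BigEndian.PutUint64(aad[0:8], seq)
	aad[8], aad[9], aad[10] = ctApplicationData, versionMajor, versionMinor
	binary.BigEndian.PutUint16(aad[11:13], uint16(plaintextLen))
	return aad
}

// Seal encrypts one record. The returned nonce_explicit is what goes on the
// wire ahead of the ciphertext (GenericAEADCipher); the full 12-byte nonce
// is assembled inside the module and never leaves it.
func (e *gcmEndpoint) Seal(plaintext []byte) (explicit [8]byte, ct []byte, err error) {
	if e.counter == ^uint64(0) {
		return explicit, nil, errors.New("nonce_explicit counter exhausted; rekey")
	}
	binary.BigEndian.PutUint64(explicit[:], e.counter)
	e.counter++
	ct = e.aead.Seal(nil, gcmNonce(e.salt, explicit), plaintext, additionalData(e.seq, len(plaintext)))
	e.seq++
	return explicit, ct, nil
}

// Open rebuilds the nonce from its own salt plus the received explicit part
// and binds the record to the sequence number it expects through the AAD,
// so a replayed or reordered record fails the tag check even though the
// receiver never inspects the sender's counter.
func (e *gcmEndpoint) Open(explicit [8]byte, ct []byte) ([]byte, error) {
	ptLen := len(ct) - e.aead.Overhead()
	if ptLen < 0 {
		return nil, errors.New("record shorter than the GCM tag")
	}
	pt, err := e.aead.Open(nil, gcmNonce(e.salt, explicit), ct, additionalData(e.seq, ptLen))
	if err != nil {
		return nil, err
	}
	e.seq++
	return pt, nil
}

// demo sends two records in order, then replays the first. Key and salt are
// constructed test values, not the output of a real TLS key derivation.
func demo() (first, second string, replayRejected bool, err error) {
	key := []byte("0123456789abcdef")      // constructed 128-bit key
	salt := []byte{0xde, 0xad, 0xbe, 0xef} // constructed client_write_IV
	snd, err := newGCMEndpoint(key, salt)
	if err != nil {
		return
	}
	rcv, err := newGCMEndpoint(key, salt)
	if err != nil {
		return
	}
	n1, c1, _ := snd.Seal([]byte("hello"))
	n2, c2, _ := snd.Seal([]byte("world"))
	p1, err := rcv.Open(n1, c1)
	if err != nil {
		return
	}
	p2, err := rcv.Open(n2, c2)
	if err != nil {
		return
	}
	_, replayErr := rcv.Open(n1, c1) // replay: nonce still well-formed, AAD seq is not
	return string(p1), string(p2), replayErr != nil, nil
}

func main() {
	fmt.Println(demo())
}
```

Note that the counter-exhaustion check in Seal is the module-side half of the "name long enough for 2**32 values" rule: the fixed field keeps distinct modules apart, and the module's own counter keeps nonces distinct under one key, so neither side may ever wrap without rekeying.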