Re: [TLS] Comments on tales from the TLS interim: TLS 1.3 MTI algorithms

Yoav Nir <ynir.ietf@gmail.com> Mon, 23 March 2015 19:06 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20150323185614.GA21432@LK-Perkele-VII>
Date: Mon, 23 Mar 2015 14:05:27 -0500
Message-Id: <C78263E5-02CC-4546-97F2-E5077F94C0C4@gmail.com>
References: <551059B3.1020604@po.ntts.co.jp> <CABcZeBNJ-SwWWCubceYkLie2O=ork+wr6treB6hLZvwbp-6miw@mail.gmail.com> <20150323185614.GA21432@LK-Perkele-VII>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/lo3aJWlT6_NGxSijjQSw-re1mrU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on tales from the TLS interim: TLS 1.3 MTI algorithms

> On Mar 23, 2015, at 1:56 PM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> 
> On Mon, Mar 23, 2015 at 01:49:16PM -0500, Eric Rescorla wrote:
>> On Mon, Mar 23, 2015 at 1:21 PM, KATO Akihiro <kato.akihiro@po.ntts.co.jp>
>> wrote:
>> 
>>> Hi All.
>>> 
>>> I will comment on TLS 1.3 MTI. I'm holding the following points of view.
>>> 
>>> (a) Single points of failure are to be avoided,
>>> (b) If possible, a backup algorithm suitable for low-spec systems,
>>> (c) A second algorithm developed from a different concept.
>>> 
>>>> o Symmetric:
>>>>    MUST AES-GCM 128
>>>>    [SHOULD ChaCha20-Poly1305]
>>> 
>>> I have no objection to AES-GCM being a MUST. Protocols that use DTLS (e.g.
>>> CoAP) cannot deploy ChaCha20, which is not a second cipher for
>>> AES. The MTI will have a second block cipher using CCM.
>>> 
>> 
>> Why can't DTLS do ChaCha20?
> 
> I presume KATO Akihiro meant that constrained systems can't do Chacha20,
> not that AEAD #29 (Chacha20-Poly1305) has any special problems with
> doing DTLS.

I don’t know why that would be true. The state for ChaCha20 is 64 bytes (16 32-bit integers), with Poly1305 probably rounding it up to a little over 80, and only about 32 of those need to be kept between packets. AES-GCM requires an expanded key and a GHASH table that total over 800 bytes. The code for both ChaCha and Poly is small enough for even the most constrained systems. Of course, if you have the AES-GCM code anyway, the ChaCha code is extra, but I don’t think it’s a big issue even for the 20 KB class of device.

Yoav