Re: [TLS] ChaCha and IVs
Nico Williams <nico@cryptonector.com> Thu, 06 March 2014 00:59 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A72961A0010 for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 16:59:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.903
X-Spam-Level:
X-Spam-Status: No, score=0.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_64=0.6, RCVD_IN_BL_SPAMCOP_NET=1.347] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6L9T9xDwoKy5 for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 16:59:10 -0800 (PST)
Received: from homiemail-a103.g.dreamhost.com (agjbgdcfdbea.dreamhost.com [69.163.253.140]) by ietfa.amsl.com (Postfix) with ESMTP id A22841A0031 for <tls@ietf.org>; Wed, 5 Mar 2014 16:59:10 -0800 (PST)
Received: from homiemail-a103.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a103.g.dreamhost.com (Postfix) with ESMTP id 19DA32005D106 for <tls@ietf.org>; Wed, 5 Mar 2014 16:59:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=5ht+XLU6F7Faa38WQpQM 96+j374=; b=NM8ivcuKsoor2diV9IOHZwsuVrlDjRb1s/EUt868npshqqU5mQJP 41dXSERiVXD8Kb03ln0kMeocn5kaROurY770jqO/znZrxdTEot9EkWpJyVI4iC/K IhNKzkjbXFvd45Bza1L4mHn2k5qnoxPSmbX0gxF5N0k/oqc4n1Bw2p8=
Received: from mail-we0-f180.google.com (mail-we0-f180.google.com [74.125.82.180]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a103.g.dreamhost.com (Postfix) with ESMTPSA id C21062005D105 for <tls@ietf.org>; Wed, 5 Mar 2014 16:59:06 -0800 (PST)
Received: by mail-we0-f180.google.com with SMTP id p61so2209217wes.25 for <tls@ietf.org>; Wed, 05 Mar 2014 16:59:05 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JBMoWZfxiHoGvDFNjLG7hXmAA6Y/BswHHdugnLxYHRM=; b=dcLWhxkNkUXonPwaJU0GjhMLR0IdD9Ghr6GlL3Pxmlm7EFAfTv60ObbD0qaw/3gJo9 DzCNCbwEwQvHelbE3aYhPeWDL3wNQpagyQPr/ZvbGeiiyGf5cXHEUdIR16l2xGLMi6GD 7VmSXOC3prHKaKjcSf7uRqVBjO8g10t4E6iTy2p9511ZxBZOR3t17iS94zOasM4BZgwo C/Qic1jZhA1fDc+HaFii/0WSqw9TF/E676ixxeLq2SUdQ6W+cq58J7hZd3go4FAPT8TX 1zKsiR1LuCeId9MM55D30twBo2Y6PEVVUwRqNaCBCnCA99FuAcMFcMQX30Nv3AQ+TMLD hfVQ==
MIME-Version: 1.0
X-Received: by 10.194.250.34 with SMTP id yz2mr5682548wjc.18.1394067545415; Wed, 05 Mar 2014 16:59:05 -0800 (PST)
Received: by 10.216.199.6 with HTTP; Wed, 5 Mar 2014 16:59:05 -0800 (PST)
In-Reply-To: <CADMpkcLqWOr6kq4VjTatpDGW8Ryf73V+YziOf3Op3waciG9o4w@mail.gmail.com>
References: <53160513.20703@bbn.com> <1393955839.20861.20.camel@dhcp-2-127.brq.redhat.com> <53161825.7060409@bbn.com> <CADMpkcLqWOr6kq4VjTatpDGW8Ryf73V+YziOf3Op3waciG9o4w@mail.gmail.com>
Date: Wed, 05 Mar 2014 18:59:05 -0600
Message-ID: <CAK3OfOg5pqF_sEmKYJVxqmiekkPrycqbA1sbK8H7=EAtWFQMrw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Bodo Moeller <bmoeller@acm.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/mH-rJus-v3JqRrycoWex2Q0kR8k
Cc: Stephen Kent <kent@bbn.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ChaCha and IVs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 00:59:11 -0000
On Wed, Mar 5, 2014 at 6:35 PM, Bodo Moeller <bmoeller@acm.org> wrote: > I suppose if this becomes an actual concern for evaluation, you could create > a more easily evaluable module that accepts explicit IVs but checks that > these increase monotonically between invocations. (Accepting *explicit* IVs > doesn't mean you have to accept *arbitrary* IVs.) This. However in the DTLS case there's no way to make the sequence numbers be monotonic. What the module could do is keep its own IV sequence number window and reject the use of sequence numbers that are too old or reused... ...but note that in the decrypt case it may still be useful to know that a message is a replay and yet get the authentication tag state and plaintext outputs. The GSS-API's GSS_Unwrap() function supports this. Having a sequence number window in the algorithm module is a PITA, but much less a PITA than having to validate all of a TLS implementation. > (Implicitly, this would also enforce the TLS requirement that sequence > numbers are not allowed to wrap around once you're beyond 2^64 records.) And if the IV must initially be randomly chosen, let the module generate it but let the user (TLS) furnish the sequence numbers to add to the initial IV to get the actual IV. Of course, this does mean that on decrypt the algorithm module will have to output the sequence number/IV. So this is really an exercise in designing an API to the cipher+mode that allows the provider to be validated separately from the user application, and still provide desired assurances to the validator. Nico -- T
- Re: [TLS] ChaCha and IVs Adam Langley
- [TLS] ChaCha and IVs Stephen Kent
- Re: [TLS] ChaCha and IVs Watson Ladd
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Stephen Kent
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Wan-Teh Chang
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Brian Smith
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Brian Smith
- Re: [TLS] ChaCha and IVs Salz, Rich
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Nikos Mavrogiannopoulos
- Re: [TLS] ChaCha and IVs Alyssa Rowan
- Re: [TLS] ChaCha and IVs Adam Langley
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Sandeep Kumar
- Re: [TLS] ChaCha and IVs Robert Cragie
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Andy Lutomirski
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Bodo Moeller
- Re: [TLS] ChaCha and IVs Nico Williams
- Re: [TLS] ChaCha and IVs Dr Stephen Henson
- Re: [TLS] ChaCha and IVs Bodo Moeller