IETF Logo Mail Archive

Re: [TLS] ChaCha and IVs

Nico Williams <nico@cryptonector.com> Thu, 06 March 2014 00:59 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A72961A0010 for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 16:59:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.903
X-Spam-Level:
X-Spam-Status: No, score=0.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_64=0.6, RCVD_IN_BL_SPAMCOP_NET=1.347] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6L9T9xDwoKy5 for <tls@ietfa.amsl.com>; Wed, 5 Mar 2014 16:59:10 -0800 (PST)
Received: from homiemail-a103.g.dreamhost.com (agjbgdcfdbea.dreamhost.com [69.163.253.140]) by ietfa.amsl.com (Postfix) with ESMTP id A22841A0031 for <tls@ietf.org>; Wed, 5 Mar 2014 16:59:10 -0800 (PST)
Received: from homiemail-a103.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a103.g.dreamhost.com (Postfix) with ESMTP id 19DA32005D106 for <tls@ietf.org>; Wed, 5 Mar 2014 16:59:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=5ht+XLU6F7Faa38WQpQM 96+j374=; b=NM8ivcuKsoor2diV9IOHZwsuVrlDjRb1s/EUt868npshqqU5mQJP 41dXSERiVXD8Kb03ln0kMeocn5kaROurY770jqO/znZrxdTEot9EkWpJyVI4iC/K IhNKzkjbXFvd45Bza1L4mHn2k5qnoxPSmbX0gxF5N0k/oqc4n1Bw2p8=
Received: from mail-we0-f180.google.com (mail-we0-f180.google.com [74.125.82.180]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a103.g.dreamhost.com (Postfix) with ESMTPSA id C21062005D105 for <tls@ietf.org>; Wed, 5 Mar 2014 16:59:06 -0800 (PST)
Received: by mail-we0-f180.google.com with SMTP id p61so2209217wes.25 for <tls@ietf.org>; Wed, 05 Mar 2014 16:59:05 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JBMoWZfxiHoGvDFNjLG7hXmAA6Y/BswHHdugnLxYHRM=; b=dcLWhxkNkUXonPwaJU0GjhMLR0IdD9Ghr6GlL3Pxmlm7EFAfTv60ObbD0qaw/3gJo9 DzCNCbwEwQvHelbE3aYhPeWDL3wNQpagyQPr/ZvbGeiiyGf5cXHEUdIR16l2xGLMi6GD 7VmSXOC3prHKaKjcSf7uRqVBjO8g10t4E6iTy2p9511ZxBZOR3t17iS94zOasM4BZgwo C/Qic1jZhA1fDc+HaFii/0WSqw9TF/E676ixxeLq2SUdQ6W+cq58J7hZd3go4FAPT8TX 1zKsiR1LuCeId9MM55D30twBo2Y6PEVVUwRqNaCBCnCA99FuAcMFcMQX30Nv3AQ+TMLD hfVQ==
MIME-Version: 1.0
X-Received: by 10.194.250.34 with SMTP id yz2mr5682548wjc.18.1394067545415; Wed, 05 Mar 2014 16:59:05 -0800 (PST)
Received: by 10.216.199.6 with HTTP; Wed, 5 Mar 2014 16:59:05 -0800 (PST)
In-Reply-To: <CADMpkcLqWOr6kq4VjTatpDGW8Ryf73V+YziOf3Op3waciG9o4w@mail.gmail.com>
References: <53160513.20703@bbn.com> <1393955839.20861.20.camel@dhcp-2-127.brq.redhat.com> <53161825.7060409@bbn.com> <CADMpkcLqWOr6kq4VjTatpDGW8Ryf73V+YziOf3Op3waciG9o4w@mail.gmail.com>
Date: Wed, 05 Mar 2014 18:59:05 -0600
Message-ID: <CAK3OfOg5pqF_sEmKYJVxqmiekkPrycqbA1sbK8H7=EAtWFQMrw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Bodo Moeller <bmoeller@acm.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/mH-rJus-v3JqRrycoWex2Q0kR8k
Cc: Stephen Kent <kent@bbn.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ChaCha and IVs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 00:59:11 -0000

On Wed, Mar 5, 2014 at 6:35 PM, Bodo Moeller <bmoeller@acm.org> wrote:
> I suppose if this becomes an actual concern for evaluation, you could create
> a more easily evaluable module that accepts explicit IVs but checks that
> these increase monotonically between invocations.  (Accepting *explicit* IVs
> doesn't mean you have to accept *arbitrary* IVs.)

This.

However in the DTLS case there's no way to make the sequence numbers
be monotonic.  What the module could do is keep its own IV sequence
number window and reject the use of sequence numbers that are too old
or reused...

...but note that in the decrypt case it may still be useful to know
that a message is a replay and yet get the authentication tag state
and plaintext outputs.  The GSS-API's GSS_Unwrap() function supports
this.

Having a sequence number window in the algorithm module is a PITA, but
much less a PITA than having to validate all of a TLS implementation.

> (Implicitly, this would also enforce the TLS requirement that sequence
> numbers are not allowed to wrap around once you're beyond 2^64 records.)

And if the IV must initially be randomly chosen, let the module
generate it but let the user (TLS) furnish the sequence numbers to add
to the initial IV to get the actual IV.

Of course, this does mean that on decrypt the algorithm module will
have to output the sequence number/IV.

So this is really an exercise in designing an API to the cipher+mode
that allows the provider to be validated separately from the user
application, and still provide desired assurances to the validator.

Nico
-- T

v2.23.0 | Report a Bug | By Email