Re: [TLS] (offline note) Re: Confirming Consensus on supporting only AEAD ciphers

Michael StJohns <> Tue, 06 May 2014 17:16 UTC

Date: Tue, 06 May 2014 13:16:33 -0400
From: Michael StJohns <>
To: Manuel Pégourié-Gonnard <>, "Joseph Salowey (jsalowey)" <>, Rene Struik <>

On 5/6/2014 1:09 PM, Manuel Pégourié-Gonnard wrote:
> On 06/05/2014 18:24, Michael StJohns wrote:
>> On 5/6/2014 11:11 AM, Joseph Salowey (jsalowey) wrote:
>>> On May 6, 2014, at 5:51 AM, Rene Struik <> wrote:
>>>> Hi Joe:
>>>> In general, an AEAD mode takes as input two strings a and m and a key k, and authenticates a and m, while encrypting m. If m is the empty string, this results in an authentication-only mode.
>>>> Thus, AEAD modes can be used to provide suitable combinations of authentication and/or encryption. Examples hereof include the GCM mode and CCM mode.
>>> [Joe] Yes, but I don't think any of the defined cipher suites for AES-GCM or AES-CCM support an authentication-only mode.  If authentication-only support is desired then additional cipher suites would have to be defined.
>> If a message consists of 100 bytes of AAD and 0 bytes of plaintext, then the output of an AEAD cipher is the integrity tag over the 100 bytes of AAD and no cipher text.  That's pretty much authentication-only.
> Sure, but as Joe said, within TLS you would need new ciphersuites for that.
> While AES-GCM and AES-CCM in general can do authentication-only, in TLS
> currently they can't because there is no way to include the payload in the AAD
> and to send it in the clear.

Ah.  Sorry - didn't understand that was the point being made.   And an 
absolutely correct one.

So the crypto is the same, but how it's used by TLS would change as TLS
currently defines what part of the message is encrypted and what part is
AAD.  And to do that you'd have to define a variant of the current
suites - OR - define some sort of extension to negotiate this.

> Manuel.
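The two points made in the thread, shown with code. This is an added example written for this archive page, not code from any of the participants or from an RFC; it uses only Go's standard-library AES-GCM. The first function is the "100 bytes of AAD, 0 bytes of plaintext" case: Seal returns nothing but the tag. The remaining functions model the TLS 1.2 record layout for the AES-GCM suites (RFC 5246 section 6.2.3.3 and RFC 5288): the record layer fixes the additional data to the 13-byte seq_num || type || version || length header and passes only the payload through Seal, so there is no place to put application bytes in the AAD and send them in the clear. The key, salt and payload are constructed test vectors, and using the sequence number as the 8-byte explicit nonce is an assumption (RFC 5288 only requires it to be unique per key).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// newGCM wraps AES-GCM from the Go standard library (16-byte tag, 12-byte nonce).
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// tagOnly is the raw-primitive case from the thread: non-empty AAD, empty
// plaintext.  Seal produces only the 16-byte authentication tag.
func tagOnly(gcm cipher.AEAD, nonce, aad []byte) []byte {
	return gcm.Seal(nil, nonce, nil, aad)
}

// tls12AAD is additional_data from RFC 5246 section 6.2.3.3:
// seq_num (8) || type (1) || version (2) || length (2), length being the
// plaintext length.  The record layer fixes this; application bytes cannot
// be placed here, which is why the existing GCM/CCM suites cannot be used
// authentication-only without a new suite or extension.
func tls12AAD(seq uint64, contentType byte, version [2]byte, ptLen int) []byte {
	aad := make([]byte, 13)
	binary.BigEndian.PutUint64(aad[0:8], seq)
	aad[8] = contentType
	aad[9], aad[10] = version[0], version[1]
	binary.BigEndian.PutUint16(aad[11:13], uint16(ptLen))
	return aad
}

// sealRecord builds a GenericAEADCipher fragment for an AES-GCM suite
// (RFC 5288): explicit nonce (8) || ciphertext || tag (16).  The GCM nonce
// is the 4-byte implicit salt from the key block followed by the explicit
// part; the explicit part here is the sequence number (assumption).
func sealRecord(gcm cipher.AEAD, salt [4]byte, seq uint64, contentType byte, version [2]byte, plaintext []byte) []byte {
	explicit := make([]byte, 8)
	binary.BigEndian.PutUint64(explicit, seq)
	nonce := append(salt[:], explicit...)
	aad := tls12AAD(seq, contentType, version, len(plaintext))
	return append(explicit, gcm.Seal(nil, nonce, plaintext, aad)...)
}

// openRecord is the receiver side.  It recomputes the AAD from the record
// header and its own sequence counter, so a changed type, version, length,
// sequence number or fragment byte fails authentication.
func openRecord(gcm cipher.AEAD, salt [4]byte, seq uint64, contentType byte, version [2]byte, fragment []byte) ([]byte, error) {
	if len(fragment) < 8+gcm.Overhead() {
		return nil, fmt.Errorf("fragment too short: %d bytes", len(fragment))
	}
	explicit, ct := fragment[:8], fragment[8:]
	nonce := append(salt[:], explicit...)
	aad := tls12AAD(seq, contentType, version, len(ct)-gcm.Overhead())
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed test vectors, not taken from any RFC.
	key := bytes.Repeat([]byte{0x11}, 16)
	salt := [4]byte{0xde, 0xad, 0xbe, 0xef}
	version := [2]byte{3, 3} // TLS 1.2
	gcm := newGCM(key)

	// Authentication-only with the bare primitive: output is just the tag.
	aad := bytes.Repeat([]byte{0x33}, 100)
	nonce := bytes.Repeat([]byte{0x22}, 12)
	fmt.Printf("tag-only output: %d bytes\n", len(tagOnly(gcm, nonce, aad)))

	// The same primitive inside a TLS 1.2 record: the payload must go
	// through Seal, so it never appears in the clear on the wire.
	payload := []byte("GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
	frag := sealRecord(gcm, salt, 1, 23, version, payload)
	fmt.Printf("fragment %d bytes, payload visible in clear: %v\n",
		len(frag), bytes.Contains(frag, payload))

	pt, err := openRecord(gcm, salt, 1, 23, version, frag)
	fmt.Printf("open: %q err=%v\n", pt, err)

	// Replaying the record under another sequence number fails.
	_, err = openRecord(gcm, salt, 2, 23, version, frag)
	fmt.Println("replayed with seq=2:", err)
}
```

An authentication-only variant would have to move the payload from the `plaintext` argument of `sealRecord` into the AAD and ship it unencrypted alongside the explicit nonce and tag; since the receiver's `openRecord` derives the AAD solely from the record header, that is a change to the record layer, not to the cipher, which is the point the thread reaches.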