Re: [TLS] Thoughts on Hardware Support
Michael StJohns <msj@nthpermutation.com> Sat, 14 February 2015 23:07 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6757F1A0364 for <tls@ietfa.amsl.com>; Sat, 14 Feb 2015 15:07:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_66=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3qN06LxymUT for <tls@ietfa.amsl.com>; Sat, 14 Feb 2015 15:07:24 -0800 (PST)
Received: from mail-qg0-f47.google.com (mail-qg0-f47.google.com [209.85.192.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7409B1A03FF for <tls@ietf.org>; Sat, 14 Feb 2015 15:07:18 -0800 (PST)
Received: by mail-qg0-f47.google.com with SMTP id q107so18554594qgd.6 for <tls@ietf.org>; Sat, 14 Feb 2015 15:07:17 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=PoMTqG+jrQnmywIg6JODZDsbcliQgOgwJhfB2KBE/60=; b=fz7tXu+jgQo4C5ASRsbQbTMdB/29cSKb3qW4mmRTx8OG+8W+sBhVBMykgu0kV3XCiK PSNMWHv02u/3yMGSnq5VDT5gvjN/fXmXuZga9rxp6Ebt1rpfQUs6vgtwJ1WDUze1ERmy BVuXGbUxE80DthmYTlYnD9r1OyZTH493mR/drxw1y90aYLZmZYry7Q/ve5AzFySawFm1 cX/Oh0yF5bka9q962pg61vf13eO4/g4RyWg9SVaU5yrXmoiqothkdow/zUKx/uMbMmWM jSYVJ7BWdMZ+yEU8f+5QZ1a6dUZUbUGe2Xzjb/gM2pO8geALCKJawqbC+al2f/8SrLE6 fZXw==
X-Gm-Message-State: ALoCoQn1T/Pxo5ANkTNgvsvl4qDyRSNMdA9gte4iRASBi5jyMPbZhU56rDHkbKK1GNF7Neg3q2fm
X-Received: by 10.140.202.141 with SMTP id x135mr11774384qha.96.1423955237622; Sat, 14 Feb 2015 15:07:17 -0800 (PST)
Received: from [192.168.1.105] (c-69-255-115-150.hsd1.md.comcast.net. [69.255.115.150]) by mx.google.com with ESMTPSA id d3sm10422911qaf.13.2015.02.14.15.07.17 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 14 Feb 2015 15:07:17 -0800 (PST)
Message-ID: <54DFD532.5070900@nthpermutation.com>
Date: Sat, 14 Feb 2015 18:07:30 -0500
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CACsn0cnuHDwOXtqrFwqzVvUQTWxawBRea9it9_URVvZJsjHjWg@mail.gmail.com> <54DFAF19.5060501@nthpermutation.com>
In-Reply-To: <54DFAF19.5060501@nthpermutation.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/mT1OVV8LRHaDVOmRbm2LBSlaPPU>
Subject: Re: [TLS] Thoughts on Hardware Support
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Feb 2015 23:07:29 -0000
A private message indicated that it might be useful if I clarified my
thoughts below. The problem is the embedded use of the term "IV" in the
TLS documents.
The master_secret expansion (section 6.3 of rfc5246) still refers to the
last part of the data generated as IVs - but TLS1.2 eliminated the use
of these as actual IVs (plus implicit generation of per-message IVs) for
the existing non-AEAD, non-counter modes in favor of explicit
per-message randomly generated IVs.
The AEAD ciphersuite documents resurrected the use of the iv data from
the master secret expansion for use as the per-key (identical for all
TLS messages in a session) nonce.
pure IVs (mostly - check the specific mode) require unpredictability.
Nonces (at least for defined modes) only require uniqueness on a per-key
basis.
Where the mode needs per-message IV unpredictablity, follow section
6.2.3.2 of the TLS1.2 RFC. Where you need to establish a common unique
nonce, use an entropy expansion/extraction from client/server random
without dependency on key material. There shouldn't be any middle cases.
Mike
On 2/14/2015 3:24 PM, Michael StJohns wrote:
> On 2/14/2015 2:23 PM, Watson Ladd wrote:
>> I think the easiest way is to eliminate the IV derivation entirely,
>> and have the record layer send the entire nonce each time. if that's
>> too much a waste of bandwidth, then we can specify entirely the
>> portion that is in TLS 1.2 derived from the MS. I think this is in
>> spirit similar to his proposal, but I don't recall the exact details.
>
> The other way of doing this is to not make IV derivation dependent on
> secret material. Basically, I suggested that instead to use the same
> KDF function, but with a key of zero and a context of the server and
> client randoms. That makes IV (or for most AEAD counter based
> thingies - nonce) derivation a straightforward entropy extraction from
> the two generated random numbers. Alternately, use output of the hash
> of those two concatenated values plus a counter (so you can get more
> than 1 block of extracted data) plus a label (so you can use the same
> randoms for different expansions if you need to).
>
>
> E.g.
>
>
> IVDATA = {};
> label = { <some number of well known bytes> };
> numblocks = CEIL (numBytesNeeded/hashOutputSize);
>
> for (i = 1; i < numblocks; i++) {
> IVDATA = IVDATA || HASH (counter(as uint32 big endian) || label ||
> serverRandom || clientRandom);
> }
>
> return LTRUNC(IVDATA, numBytesNeeded);
>
>
> This uses all public data and functions to produce public data (the IV
> or Nonce).
>
>
> I apologize as I haven't had the cycles to do a pull request and add
> the crypto constructs changes I'm proposing.
>
> Mike
>
>
>
- [TLS] Thoughts on Hardware Support Watson Ladd
- Re: [TLS] Thoughts on Hardware Support Michael StJohns
- Re: [TLS] Thoughts on Hardware Support Michael StJohns
- Re: [TLS] Thoughts on Hardware Support Ilari Liusvaara