Re: [TLS] About TLS 1.2 AEAD ciphers definition

Russ Housley <housley@vigilsec.com> Fri, 28 May 2010 14:13 UTC

Message-ID: <4BFFCF9F.8040703@vigilsec.com>
Date: Fri, 28 May 2010 10:13:51 -0400
From: Russ Housley <housley@vigilsec.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: tls@ietf.org
References: <4BFE8FC5.4070509@iki.fi> <AANLkTilTmkQh6RzCX50L35Jt2IkQq8mzylIkQbnDY7gS@mail.gmail.com> <0CB6D965-5252-4112-A933-D3F390EB0F9A@iki.fi> <4BFEA808.3030704@travelocity.com>
In-Reply-To: <4BFEA808.3030704@travelocity.com>
Subject: Re: [TLS] About TLS 1.2 AEAD ciphers definition
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>

>> The only currently defined AEAD ciphers seem to be AES_128_GCM and
>> AES_256_GCM defined by RFC 5288. I'm a bit surprised that AES
>> encryption doesn't introduce padding though, it might be just me
>> misunderstanding the GCM process but I thought it still needs to
>> pad the input data to match the block size, doesn't it? The TLSv1
>> explicit padding of CBC ciphers is not present in the AEAD ciphers
>> at all. RFC 5288 doesn't define any kind of padding either, which
>> makes me wonder how it is actually implemented...
>
> Aren't all AEAD ciphers derivatives of "COUNTER" mode?  My understanding
> of "COUNTER" mode was that it flipped the initialization vector around
> (encrypted the IV rather than the input block) so that no padding was
> ever necessary.

No, not all AEAD ciphers use counter mode.  However, all AEAD ciphers
that are used to protect the data stream in TLS at this moment make use
of counter mode for the encryption.

AES-CCM and AES-GCM both use counter mode for encryption, but they get
authentication in very different ways.

AES-Key-Wrap and AES-Key-Wrap-with-Pad are both AEAD ciphers, and they
do not use counter mode.

Russ
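The point the thread turns on, that an AES-GCM record in TLS 1.2 carries no padding because the keystream from counter mode is simply truncated to the plaintext length, is easy to verify with the standard library. The program below is an added illustration, not code from this message or from RFC 5288, and the names (tlsGCMRecord, sealTLSRecord, openTLSRecord, cbcPaddedLength) and the key, salt and request line are constructed for the demo. It builds the GenericAEADCipher record of RFC 5288 (4-byte implicit salt plus 8-byte explicit nonce, additional_data as in RFC 5246 section 6.2.3.3), shows the ciphertext is exactly the plaintext length plus the 16-byte tag, shows that a wrong sequence number fails authentication, and, for contrast, computes how many bytes the same content would occupy under a CBC suite once MAC and padding are appended.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen           = 4      // implicit nonce part, taken from the TLS key block
	explicitNonceLen  = 8      // explicit nonce part, sent in the clear with each record
	tlsVersion12      = 0x0303 // ProtocolVersion for TLS 1.2
	recordTypeAppData = 23     // ContentType application_data
)

// tlsGCMRecord mirrors the GenericAEADCipher layout of RFC 5288:
// nonce_explicit || aead-ciphered content. With GCM the ciphered content is
// ciphertext of exactly the plaintext length followed by a 16-byte tag.
type tlsGCMRecord struct {
	ExplicitNonce []byte
	Ciphertext    []byte
	Tag           []byte
}

// tlsAAD builds additional_data per RFC 5246 section 6.2.3.3:
// seq_num (8) || type (1) || version (2) || length (2), length being the
// plaintext length, so the record header is bound to the tag.
func tlsAAD(seqNum uint64, recordType byte, version uint16, plaintextLen int) []byte {
	aad := make([]byte, 13)
	binary.BigEndian.PutUint64(aad[0:8], seqNum)
	aad[8] = recordType
	binary.BigEndian.PutUint16(aad[9:11], version)
	binary.BigEndian.PutUint16(aad[11:13], uint16(plaintextLen))
	return aad
}

func newTLSGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealTLSRecord protects one record. The GCM nonce is salt || explicit nonce;
// RFC 5288 lets the sender choose the explicit part, and using the sequence
// number (as here) keeps it unique for the life of the key.
func sealTLSRecord(key, salt []byte, seqNum uint64, recordType byte, version uint16, plaintext []byte) (tlsGCMRecord, error) {
	if len(salt) != saltLen {
		return tlsGCMRecord{}, errors.New("salt must be 4 bytes")
	}
	aead, err := newTLSGCM(key)
	if err != nil {
		return tlsGCMRecord{}, err
	}
	explicit := make([]byte, explicitNonceLen)
	binary.BigEndian.PutUint64(explicit, seqNum)
	nonce := append(append([]byte{}, salt...), explicit...)
	sealed := aead.Seal(nil, nonce, plaintext, tlsAAD(seqNum, recordType, version, len(plaintext)))
	tagLen := aead.Overhead()
	return tlsGCMRecord{
		ExplicitNonce: explicit,
		Ciphertext:    sealed[:len(sealed)-tagLen],
		Tag:           sealed[len(sealed)-tagLen:],
	}, nil
}

// openTLSRecord is the receiver side: it rebuilds nonce and AAD from its own
// sequence number and the record header, so a replayed, reordered or
// re-typed record fails authentication instead of decrypting.
func openTLSRecord(key, salt []byte, seqNum uint64, recordType byte, version uint16, rec tlsGCMRecord) ([]byte, error) {
	aead, err := newTLSGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := append(append([]byte{}, salt...), rec.ExplicitNonce...)
	sealed := append(append([]byte{}, rec.Ciphertext...), rec.Tag...)
	return aead.Open(nil, nonce, sealed, tlsAAD(seqNum, recordType, version, len(rec.Ciphertext)))
}

// cbcPaddedLength is the contrast case: bytes a TLS 1.2 CBC suite
// (GenericBlockCipher) must encrypt for the same content, i.e.
// content || MAC || padding || padding_length rounded up to the block size.
func cbcPaddedLength(plaintextLen, macLen, blockSize int) int {
	n := plaintextLen + macLen + 1 // the padding_length byte is always present
	if rem := n % blockSize; rem != 0 {
		n += blockSize - rem
	}
	return n
}

func main() {
	// Constructed demo values; a real key and salt come from the TLS key block.
	key := []byte("0123456789abcdef")
	salt := []byte{1, 2, 3, 4}
	pt := []byte("GET /index.html HTTP/1.1")
	rec, err := sealTLSRecord(key, salt, 7, recordTypeAppData, tlsVersion12, pt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext %d bytes, GCM ciphertext %d bytes, tag %d bytes, explicit nonce %x\n",
		len(pt), len(rec.Ciphertext), len(rec.Tag), rec.ExplicitNonce)
	fmt.Printf("same content under AES-CBC with HMAC-SHA1 would occupy %d encrypted bytes\n",
		cbcPaddedLength(len(pt), 20, aes.BlockSize))
}
```

The 24-byte request line yields 24 bytes of GCM ciphertext plus a 16-byte tag, while a CBC suite with a 20-byte HMAC-SHA1 MAC would have to encrypt 48 bytes (24 + 20 + 1 rounded up to the next multiple of 16). Note that the explicit nonce is authenticated only through its use as part of the nonce, not through the AAD; the sequence number itself is what the AAD carries.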