Re: [TLS] Confirming Consensus on supporting only AEAD ciphers

Michael StJohns <msj@nthpermutation.com> Mon, 05 May 2014 18:43 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3419F1A0424 for <tls@ietfa.amsl.com>; Mon, 5 May 2014 11:43:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fi6-WdOceLws for <tls@ietfa.amsl.com>; Mon, 5 May 2014 11:43:52 -0700 (PDT)
Received: from mail-qg0-f46.google.com (mail-qg0-f46.google.com [209.85.192.46]) by ietfa.amsl.com (Postfix) with ESMTP id 664C01A0401 for <tls@ietf.org>; Mon, 5 May 2014 11:43:52 -0700 (PDT)
Received: by mail-qg0-f46.google.com with SMTP id q108so5068160qgd.19 for <tls@ietf.org>; Mon, 05 May 2014 11:43:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=LFo3WXfXoV5m1KPDzk7xtH4xeaD349cAPH60rXimiVY=; b=Ka7lWIPWSZNPSYmYS1e5EJNNlMscRJsnSwXbpCecJd1DoQOw6Qo9znDCwfUTIJObg2 JQNHRuG6IfVu89BWl+N1Hf7l1bK0A3k7kjkw4rMWsBE7lVSl2QSgieCm5UFZ+ag1G57m Ti2DrIng+NptsPc7pNVJmNy3lFxRulPFAChcToAYCGb3A4yNyS8jrX8ib9RI8ZxHH22I W+8suzeadaPl/q/8HzSvrVhUZLYSDCJJEb+JDlx1K0lSFFexzr4vXlSrHLMv/W8vbeEJ 2TO7SKOqAkDwVHuXcxsJFgZb/FoN1rWClaln9EgcYFMwQEOigzCaHIyuRN+h3ZkPe7PN nXeg==
X-Gm-Message-State: ALoCoQmPYV/MD8ECymH8ii9DP5MW+u4TGzPPYCs9j2d9Qg6CCBihoojjuIrISLXMO6D7R0MGJSEu
X-Received: by 10.224.172.2 with SMTP id j2mr48207478qaz.83.1399315428781; Mon, 05 May 2014 11:43:48 -0700 (PDT)
Received: from [192.168.1.105] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id 21sm12383317qgh.23.2014.05.05.11.43.48 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 05 May 2014 11:43:48 -0700 (PDT)
Message-ID: <5367DBEB.7030802@nthpermutation.com>
Date: Mon, 05 May 2014 14:43:55 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: tls@ietf.org
References: <86E69268-DC0A-43E7-8CF5-0DAE39FD4FD5@cisco.com> <84C4848E-7843-4372-93AA-C1F017C3E088@cisco.com> <535FE558.2090306@nthpermutation.com>
In-Reply-To: <535FE558.2090306@nthpermutation.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/nfeDFk6xE4B0gx_-2Rk3kxcQFfs
Subject: Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 18:43:54 -0000

I never got an answer or response on the following.

Mike


On 4/29/2014 1:46 PM, Michael StJohns wrote:
> On 4/26/2014 11:24 AM, Joseph Salowey (jsalowey) wrote:
>> The consensus from the IETF-89 meeting holds, TLS 1.3 will only use 
>> record layer protection of type AEAD. The Editor is requested to make 
>> the appropriate changes to the draft on github.
>
> Sorry - I'm coming late here.  Does this also imply the complete 
> elimination of the integrity only cipher suites?
>
> With respect to the AEAD approach and with respect to composited AEAD 
> cipher suites (e.g. AES_CBC_CMAC reformed as an AEAD cipher per 
> Guttman for example), does this also imply that the key expansion 
> phase will never be used to generate MAC keys, and that the cipher 
> suite has to provide whatever mechanisms that are required to split 
> the AEAD key into underlying encryption/integrity keys if required?
>
> Next (reading from the commited editors copy), this refers to 5116 
> which uses a one-size fits all approach that doesn't really fit all 
> sizes, especially for composited AEAD.  E.g.  the draft describes this 
> generally as an incrementing value.  For AEAD suites that comply with 
> 5116, that should be part of the suite specification - not TLS.  For 
> TLS, this just needs to be an normatively opaque, per-message 
> field.    Instead,  place an Informative section which recommends how 
> to do this with AEAD suites that currently exist.
>
>  And finally, as I've noted many times before, deriving IV/nonce 
> material from the master_secret at the same time as deriving keys is 
> not securely supportable in hardware.
>
>>
>> Joe
>> [For the chairs]
>> On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey) 
>> <jsalowey@cisco.com> wrote:
>>
>>> TLS has supported a number of different cipher types for protecting 
>>> the record layer.   In TLS 1.3 these include Stream Cipher, CBC 
>>> Block Cipher and AEAD Cipher.  The construction of the CBC mode 
>>> within TLS has been shown to be flawed and stream ciphers are not 
>>> generally applicable to DTLS. Using a single mechanism for 
>>> cryptographic transforms would make security analysis easier.   AEAD 
>>> ciphers can be constructed from stream ciphers and block ciphers and 
>>> are defined as protocol independent transforms.  The consensus in 
>>> the room at IETF-89 was to only support AEAD ciphers in TLS 1.3. If 
>>> you have concerns about this decision please respond on the TLS list 
>>> by April 11, 2014.
>>>
>>> Thanks,
>>>
>>> Joe
>>> [Speaking for the TLS chairs]
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>