Re: [TLS] Confirming Consensus on supporting only AEAD ciphers

[Michael StJohns <msj@nthpermutation.com>]

I never got an answer or response on the following.

Mike


On 4/29/2014 1:46 PM, Michael StJohns wrote:
> On 4/26/2014 11:24 AM, Joseph Salowey (jsalowey) wrote:
>> The consensus from the IETF-89 meeting holds, TLS 1.3 will only use 
>> record layer protection of type AEAD. The Editor is requested to make 
>> the appropriate changes to the draft on github.
>
> Sorry - I'm coming late here.  Does this also imply the complete 
> elimination of the integrity only cipher suites?
>
> With respect to the AEAD approach and with respect to composited AEAD 
> cipher suites (e.g. AES_CBC_CMAC reformed as an AEAD cipher per 
> Guttman for example), does this also imply that the key expansion 
> phase will never be used to generate MAC keys, and that the cipher 
> suite has to provide whatever mechanisms that are required to split 
> the AEAD key into underlying encryption/integrity keys if required?
>
> Next (reading from the commited editors copy), this refers to 5116 
> which uses a one-size fits all approach that doesn't really fit all 
> sizes, especially for composited AEAD.  E.g.  the draft describes this 
> generally as an incrementing value.  For AEAD suites that comply with 
> 5116, that should be part of the suite specification - not TLS.  For 
> TLS, this just needs to be an normatively opaque, per-message 
> field.    Instead,  place an Informative section which recommends how 
> to do this with AEAD suites that currently exist.
>
>  And finally, as I've noted many times before, deriving IV/nonce 
> material from the master_secret at the same time as deriving keys is 
> not securely supportable in hardware.
>
>>
>> Joe
>> [For the chairs]
>> On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey) 
>> <jsalowey@cisco.com> wrote:
>>
>>> TLS has supported a number of different cipher types for protecting 
>>> the record layer.   In TLS 1.3 these include Stream Cipher, CBC 
>>> Block Cipher and AEAD Cipher.  The construction of the CBC mode 
>>> within TLS has been shown to be flawed and stream ciphers are not 
>>> generally applicable to DTLS. Using a single mechanism for 
>>> cryptographic transforms would make security analysis easier.   AEAD 
>>> ciphers can be constructed from stream ciphers and block ciphers and 
>>> are defined as protocol independent transforms.  The consensus in 
>>> the room at IETF-89 was to only support AEAD ciphers in TLS 1.3. If 
>>> you have concerns about this decision please respond on the TLS list 
>>> by April 11, 2014.
>>>
>>> Thanks,
>>>
>>> Joe
>>> [Speaking for the TLS chairs]
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>