Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
Michael StJohns <msj@nthpermutation.com> Mon, 05 May 2014 18:43 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/nfeDFk6xE4B0gx_-2Rk3kxcQFfs
I never got an answer or response on the following.

Mike

On 4/29/2014 1:46 PM, Michael StJohns wrote:
> On 4/26/2014 11:24 AM, Joseph Salowey (jsalowey) wrote:
>> The consensus from the IETF-89 meeting holds, TLS 1.3 will only use
>> record layer protection of type AEAD. The Editor is requested to make
>> the appropriate changes to the draft on github.
>
> Sorry - I'm coming late here. Does this also imply the complete
> elimination of the integrity only cipher suites?
>
> With respect to the AEAD approach and with respect to composited AEAD
> cipher suites (e.g. AES_CBC_CMAC reformed as an AEAD cipher per
> Gutmann for example), does this also imply that the key expansion
> phase will never be used to generate MAC keys, and that the cipher
> suite has to provide whatever mechanisms that are required to split
> the AEAD key into underlying encryption/integrity keys if required?
>
> Next (reading from the committed editor's copy), this refers to 5116
> which uses a one-size-fits-all approach that doesn't really fit all
> sizes, especially for composited AEAD. E.g. the draft describes this
> generally as an incrementing value. For AEAD suites that comply with
> 5116, that should be part of the suite specification - not TLS. For
> TLS, this just needs to be a normatively opaque, per-message
> field. Instead, place an Informative section which recommends how
> to do this with AEAD suites that currently exist.
>
> And finally, as I've noted many times before, deriving IV/nonce
> material from the master_secret at the same time as deriving keys is
> not securely supportable in hardware.
>
>>
>> Joe
>> [For the chairs]
>> On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey)
>> <jsalowey@cisco.com> wrote:
>>
>>> TLS has supported a number of different cipher types for protecting
>>> the record layer. In TLS 1.3 these include Stream Cipher, CBC
>>> Block Cipher and AEAD Cipher. The construction of the CBC mode
>>> within TLS has been shown to be flawed and stream ciphers are not
>>> generally applicable to DTLS. Using a single mechanism for
>>> cryptographic transforms would make security analysis easier. AEAD
>>> ciphers can be constructed from stream ciphers and block ciphers and
>>> are defined as protocol independent transforms. The consensus in
>>> the room at IETF-89 was to only support AEAD ciphers in TLS 1.3. If
>>> you have concerns about this decision please respond on the TLS list
>>> by April 11, 2014.
>>>
>>> Thanks,
>>>
>>> Joe
>>> [Speaking for the TLS chairs]
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
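
The TLS 1.2 key expansion (RFC 5246 section 6.3) that the questions in the message above refer to, as an added example that is not part of the original message or of any TLS draft. It shows that an AEAD suite takes no MAC keys from the key block, that the implicit IV octets are a slice of the same PRF output as the write keys, and where a composite AEAD would split its single key. The session inputs are constructed, and the `COMPOSITE_AEAD_DEMO` entry and `split_composite_key` helper are hypothetical, with a key layout assumed from draft-mcgrew-aead-aes-cbc-hmac-sha2.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash with SHA-256 (RFC 5246 section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

# (mac_key_length, enc_key_length, fixed_iv_length) in octets.
SUITES = {
    "AES_128_CBC_SHA256": (32, 16, 0),   # HMAC key from TLS; explicit per-record IV
    "AES_128_GCM_SHA256": (0, 16, 4),    # AEAD; 4-octet implicit nonce part (RFC 5288)
    "COMPOSITE_AEAD_DEMO": (0, 32, 0),   # hypothetical composite AEAD, one 32-octet key
}
FIELDS = ("client_write_MAC_key", "server_write_MAC_key",
          "client_write_key", "server_write_key",
          "client_write_IV", "server_write_IV")

def key_expansion(master_secret, client_random, server_random, suite):
    """Generate key_block and partition it as in RFC 5246 section 6.3."""
    mac, enc, iv = SUITES[suite]
    sizes = (mac, mac, enc, enc, iv, iv)
    seed = b"key expansion" + server_random + client_random
    block = p_sha256(master_secret, seed, sum(sizes))
    parts, off = {}, 0
    for name, n in zip(FIELDS, sizes):
        parts[name], off = block[off:off + n], off + n
    return block, parts

def split_composite_key(aead_key: bytes):
    """Split performed inside the suite, not by TLS: MAC_KEY || ENC_KEY halves
    (layout is an assumption, following draft-mcgrew-aead-aes-cbc-hmac-sha2)."""
    half = len(aead_key) // 2
    return aead_key[:half], aead_key[half:]

# Constructed inputs, not taken from any real session.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32

if __name__ == "__main__":
    for suite in SUITES:
        block, parts = key_expansion(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, suite)
        print(suite, len(block), {k: len(v) for k, v in parts.items()})
```
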