Re: [TLS] PRF digest function for ChaCha20-Poly1305 cipher suites

Brian Smith <brian@briansmith.org> Mon, 21 December 2015 01:50 UTC

From: Brian Smith <brian@briansmith.org>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Adam Langley <agl@imperialviolet.org>, tls@ietf.org
Date: Sun, 20 Dec 2015 15:50:01 -1000
Message-ID: <CAFewVt6KptT9B2Oe0t7XRzZDGsYRUsLapm-MHJjg-zfJ1UqrOw@mail.gmail.com>
In-Reply-To: <CABcZeBOqj5kYfSGhqEdT6ojCVyjF6xXbquU2nPtRok2jj1+BcA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/nkFp3XNN87nCu1NL2GMBp8UScuA>

Eric Rescorla <ekr@rtfm.com> wrote:

> On Sun, Dec 20, 2015 at 5:13 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> Adam Langley <agl@imperialviolet.org> wrote:
>>
>>> On Fri, Dec 18, 2015 at 1:43 PM, Brian Smith <brian@briansmith.org>
>>> wrote:
>>> > That is, it seems it would be better to use HKDF-SHA512 instead of
>>> > **HKDF-SHA256**.
>>>
>>> I assume that you mean for TLS 1.3 since you mention HKDF?
>>
>> No, I mean for all versions of TLS.
>>
>
> Do you mean using SHA-512 in the TLS 1.2 PRF? Or something else?
>

Yes, for TLS 1.2 and TLS 1.3.
> The MTI cipher suites for TLS 1.2 and 1.3 require SHA-256 and
> All the AES-GCM ciphers already require SHA-256 or SHA-384, so it
> seems like the vast majority of implementations are going to require at
> least one of these algorithms in any case.
>

Nobody should pay attention to what the MTI cipher suite for TLS 1.2 is,
because it's obsolete; in fact, one would be making a huge mistake to
deploy it now if one's application didn't have legacy backward
compatibility concerns. And, we should change the MTI cipher suite for TLS
1.3 to the ChaCha20-Poly1305 ones, because they solve a lot of problems.
For example, they remove any question of any need to implement rekeying,
they avoid the weird IV construction hacks that are necessary for 128-bit
cipher suites like AES-GCM, and they can be implemented efficiently in a
safe way, unlike AES-GCM.

Cheers,
Brian
-- 
https://briansmith.org/
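The thread argues about which digest the PRF of a cipher suite should use. The following is an added example, not code from this message or from anyone in the thread: the TLS 1.2 PRF (RFC 5246, section 5) and the TLS 1.3 HKDF-Extract / HKDF-Expand-Label / Derive-Secret functions (RFC 8446, section 7.1), written with the digest as a parameter so the effect of choosing SHA-256, SHA-384 or SHA-512 is visible directly. The pre-master secret and the client/server randoms in the demo are constructed sample values, not from a real handshake; the TLS 1.3 values for SHA-256 with no PSK can be checked against the traces in RFC 8448.

```python
import hashlib
import hmac
import struct

# Added example, not code from the thread. Digest names are hashlib names:
# "sha256", "sha384", "sha512". That name is exactly what a cipher suite's
# "PRF hash" (TLS 1.2) or "Hash" (TLS 1.3) selects.


def p_hash(digest: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash>(secret, seed) from RFC 5246: HMAC over the chain
    A(i) = HMAC(secret, A(i-1)), A(0) = seed, concatenated until length bytes."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()            # A(i)
        out += hmac.new(secret, a + seed, digest).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(digest: str, secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_<hash>(secret, label + seed)."""
    return p_hash(digest, secret, label + seed, length)


def tls12_master_secret(digest: str, pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: master_secret =
    PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]."""
    return tls12_prf(digest, pre_master, b"master secret", client_random + server_random, 48)


def hkdf_extract(digest: str, salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869). An empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(digest).digest_size
    return hmac.new(salt, ikm, digest).digest()


def hkdf_expand(digest: str, prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) + info + byte(i)), T(0) = empty."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), digest).digest()
        out += t
        i += 1
    return out[:length]


def hkdf_expand_label(digest: str, secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 7.1). HkdfLabel is
    uint16 length || opaque label<7..255> || opaque context<0..255>, label = "tls13 " + Label."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack(">H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(digest, secret, hkdf_label, length)


def tls13_derive_secret(digest: str, secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """TLS 1.3 Derive-Secret(Secret, Label, Messages) =
    HKDF-Expand-Label(Secret, Label, Transcript-Hash(Messages), Hash.length)."""
    size = hashlib.new(digest).digest_size
    return hkdf_expand_label(digest, secret, label, hashlib.new(digest, transcript).digest(), size)


def tls13_early_and_derived(digest: str):
    """First two steps of the TLS 1.3 key schedule with no PSK:
    Early Secret = HKDF-Extract(salt=0, IKM=0^HashLen), then
    Derive-Secret(Early Secret, "derived", "") which salts the handshake secret."""
    zeros = b"\x00" * hashlib.new(digest).digest_size
    early = hkdf_extract(digest, b"", zeros)
    derived = tls13_derive_secret(digest, early, b"derived", b"")
    return early, derived


if __name__ == "__main__":
    # Constructed sample inputs (not a real handshake): same inputs, different PRF
    # hash, different master secret. The output length (48) does not change.
    pms = bytes(range(32))
    cr, sr = b"\x11" * 32, b"\x22" * 32
    for d in ("sha256", "sha384", "sha512"):
        print(f"TLS 1.2 master secret, PRF-{d.upper()}: {tls12_master_secret(d, pms, cr, sr).hex()}")
        early, derived = tls13_early_and_derived(d)
        print(f"TLS 1.3 early secret ({d}):   {early.hex()}")
        print(f"TLS 1.3 derived secret ({d}): {derived.hex()}")
```

Note that in TLS 1.2 the digest only changes the HMAC inside P_hash; the master secret stays 48 bytes whatever hash is chosen. In TLS 1.3 the digest also fixes the size of every secret in the key schedule (32 bytes for SHA-256, 64 for SHA-512), which is why the hash is bound to the cipher suite rather than negotiated separately.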