IETF Logo Mail Archive

Re: [TLS] draft-badra-tls-psk-new-mac-aes-gcm as WG item (was: RE: Re: TLS document status update)

badra@isima.fr Tue, 06 May 2008 07:33 UTC

Return-Path: <tls-bounces@ietf.org>
X-Original-To: tls-archive@ietf.org
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F1CF53A6A50; Tue, 6 May 2008 00:33:57 -0700 (PDT)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8A97B3A69E0 for <tls@core3.amsl.com>; Tue, 6 May 2008 00:33:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.666
X-Spam-Level:
X-Spam-Status: No, score=-0.666 tagged_above=-999 required=5 tests=[AWL=1.283, BAYES_00=-2.599, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OCjEHVoHFJ6k for <tls@core3.amsl.com>; Tue, 6 May 2008 00:33:55 -0700 (PDT)
Received: from sp.isima.fr (sp.isima.fr [193.55.95.1]) by core3.amsl.com (Postfix) with ESMTP id 163C03A6A51 for <tls@ietf.org>; Tue, 6 May 2008 00:33:54 -0700 (PDT)
Received: from www.isima.fr (www-data@www.isima.fr [193.55.95.79]) by sp.isima.fr (8.13.8/8.13.8) with SMTP id m468URYv250092; Tue, 6 May 2008 09:30:27 +0100
Received: from 78.113.143.138 (SquirrelMail authenticated user badra) by www.isima.fr with HTTP; Tue, 6 May 2008 09:29:43 +0200 (CEST)
Message-ID: <54924.78.113.143.138.1210058983.squirrel@www.isima.fr>
In-Reply-To: <dea40f930805051509g1cb3cfa1obe47a21f8a703559@mail.gmail.com>
References: <mailman.71.1210014013.3107.tls@ietf.org> <dea40f930805051509g1cb3cfa1obe47a21f8a703559@mail.gmail.com>
Date: Tue, 06 May 2008 09:29:43 +0200
From: badra@isima.fr
To: Hasnaa� Moustafa� <hasnaa.moustafa@gmail.com>
User-Agent: SquirrelMail/1.4.2
MIME-Version: 1.0
X-Priority: 3
Importance: Normal
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (sp.isima.fr [193.55.95.1]); Tue, 06 May 2008 09:30:28 +0100 (WEST)
Cc: ah@TR-Sys.de, tls@ietf.org
Subject: Re: [TLS] draft-badra-tls-psk-new-mac-aes-gcm as WG item (was: RE: Re: TLS document status update)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org

> I have read the draft-badra-tls-psk-new-mac-aes-gcm-02. I think that there
> is no significant issues that need consideration in this phase of the
> draft.
>
> I just have a small comment concerning the 2nd table of section 3.2: the
> following could be added,
>
> CipherSuite MAC PRF
>
> TLS_DHE_PSK_WITH_NULL_SHA256 HMAC-SHA-256 P_SHA-256
>
> TLS_DHE_PSK_WITH_NULL_SHA384 HMAC-SHA-384 P_SHA-384
> Kind regards,
> Hassnaa Moustafa

Dear Hassnaa,

Thank you for your review. I will insert the two ciphersuites in the table.

I have received the same comment from Alfred Hines who revised the initial
and revised versions of the document (two mails below).

Best regards,
Badra

---------- Forwarded message ----------
From: Alfred HÎnes <ah@tr-sys.de>
Date: Fri, May 2, 2008 at 3:11 PM
Subject: RE: draft-badra-tls-pdk-new-mac-aes-gcm-02
To: badra@isima.fr


Hello,
your note has triggered me to look
into the -02, which apparently has been brought in line
with the other related drafts in a much better manner now.

I stumbled over a detail, where (due to lack of time)
it is currently not clear to me whether *I* have missed
something or the draft is missing two lines:

The table at the end of section 3.2 only lists *four*
Ciphersuites, whereas the first table in this section
lists *six*.  Don't we need another two lines for the
TLS_DHE_PSK_WITH_NULL_SHAnnn Ciphersuites, as in Section 3
of RFC 4785 (second item in the list there)?

Please check.  Thanks.

Kind regards.
 Alfred.




---------- Forwarded message ----------
From: Alfred HÎnes <ah@tr-sys.de>
Date: Sun, Mar 30, 2008 at 6:04 PM
Subject: draft-badra-tls-psk-new-mac-aes-gcm-01
To: badra@isima.fr


   draft-badra-tls-psk-new-mac-aes-gcm-01


(1)  Section 1, 2nd paragraph

I suggest to change, for added clarity and precision, ...

  This document also specifies PSK cipher suites for TLS which replace
  SHA-256 and SHA-384 rather than SHA-1.  [...]

to either:

  This document also specifies PSK cipher suites for TLS which replace
|  SHA-1 by SHA-256 or SHA-384.  [...]
  ^^^^^^^^^        ^^        ^
or:

  This document also specifies PSK cipher suites for TLS which
|  substitute SHA-256 or SHA-384 for SHA-1.  [...]
  ^^^^^^^^^^         ^^         ^^^

(2)  Section 2

Below the initial list, the draft says:

  These cipher suites use authenticated encryption with additional
  data algorithms AEAD_AES_128_GCM and AEAD_AES_256_GCM described in
  RFC 5116.  [...]

To better visibly group the words, and to tintroduce the abbreviation,
I suggest to add "(AEAD)" as follows:

  These cipher suites use authenticated encryption with additional
|  data (AEAD) algorithms AEAD_AES_128_GCM and AEAD_AES_256_GCM
       ^^^^^^^
  described in RFC 5116.  [...]


(3)  Section 3 ff.

There are a couple of arguments to more sparingly use the acronym
"MAC":
  -  acronym overload: also heavily used for "Media Access Control",
     in particular in the context of IEEE 802.* (Ethernet etc.);
     now that EAP-TLS has brought TLS terminology to layer 2,
     that's sometime becoming a nightmare of confusion.
  -  lack of terminological precision:  There are voices in the
     cryptographic literature (I believe to recall that Steve
     Bellovin was one of these) that pointed out that all three
     parts of the term "Message Authentication Code" are misleading;
  -  stylistic aspects in the text (HMAC might suffice), and
  -  uniform use of terminology.

Many parts of the draft already use "hash", in accordance to
many TLS documents.
Therefore, I suggest to change the text in section 3 ...

  The cipher suites described in this section use AES [AES] in CBC
|  [CBC] mode with an HMAC-based MAC.
                                ^^^
to either:

  The cipher suites described in this section use AES [AES] in CBC
|  [CBC] mode with an HMAC-based cryptographic hash.
                                ^^^^^^^^^^^^^^^^^^
or simply:

  The cipher suites described in this section use AES [AES] in CBC
|  [CBC] mode with an HMAC-based hash.
                                ^^^^
... and to replace "MAC" by "Hash" in all table headings in 3.*.


(4)  Section 5.2

I do not want to restart the discussions I had in the past
on details, or the utility of the (inherited) lengthy
elaboration on this specific implementation scenario.
(IMO, that's too much 'noise' in the IETF; the general uniqueness
nonce requirements should in practice suffice, and there are
other valid methods to ensure conformance to it in that scenario.)


Kind regards,
 Alfred HÎnes.

--

+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254  Ditzingen     |  E-Mail:  ah@TR-Sys.de                     |
+------------------------+--------------------------------------------+
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email