IETF Logo Mail Archive

Re: [TLS] Re: SIV as WG item?

mcgrew <mcgrew@cisco.com> Fri, 18 January 2008 07:50 UTC

Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JFlzv-0007uY-Af; Fri, 18 Jan 2008 02:50:43 -0500
Received: from tls by megatron.ietf.org with local (Exim 4.43) id 1JFZeO-00040w-WA for tls-confirm+ok@megatron.ietf.org; Thu, 17 Jan 2008 13:39:41 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JFZeO-0003z6-Jj for tls@ietf.org; Thu, 17 Jan 2008 13:39:40 -0500
Received: from rtp-iport-2.cisco.com ([64.102.122.149]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JFZeN-0002LF-Ia for tls@ietf.org; Thu, 17 Jan 2008 13:39:40 -0500
Received: from rtp-dkim-2.cisco.com ([64.102.121.159]) by rtp-iport-2.cisco.com with ESMTP; 17 Jan 2008 13:39:39 -0500
Received: from rtp-core-2.cisco.com (rtp-core-2.cisco.com [64.102.124.13]) by rtp-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m0HIddwo027953; Thu, 17 Jan 2008 13:39:39 -0500
Received: from xbh-rtp-201.amer.cisco.com (xbh-rtp-201.cisco.com [64.102.31.12]) by rtp-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id m0HIdDNY014420; Thu, 17 Jan 2008 18:39:33 GMT
Received: from xmb-rtp-20c.amer.cisco.com ([64.102.31.57]) by xbh-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 17 Jan 2008 13:39:27 -0500
Received: from 10.32.254.214 ([10.32.254.214]) by xmb-rtp-20c.amer.cisco.com ([64.102.31.57]) with Microsoft Exchange Server HTTP-DAV ; Thu, 17 Jan 2008 18:39:27 +0000
User-Agent: Microsoft-Entourage/11.2.4.060510
Date: Thu, 17 Jan 2008 10:39:34 -0800
Subject: Re: [TLS] Re: SIV as WG item?
From: mcgrew <mcgrew@cisco.com>
To: Dan Harkins <dharkins@lounge.org>, tls@ietf.org
Message-ID: <C3B4E0E6.37DF%mcgrew@cisco.com>
Thread-Topic: [TLS] Re: SIV as WG item?
Thread-Index: AchYaXRrugKbZ1IcQlKhzkbna4MaxAAMF2mAACee9Yk=
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE5051C41FC@xmb-sjc-225.amer.cisco.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-OriginalArrivalTime: 17 Jan 2008 18:39:27.0581 (UTC) FILETIME=[4A1240D0:01C85938]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=9375; t=1200595179; x=1201459179; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:=20mcgrew=20<mcgrew@cisco.com> |Subject:=20Re=3A=20[TLS]=20Re=3A=20SIV=20as=20WG=20item? |Sender:=20 |To:=20Dan=20Harkins=20<dharkins@lounge.org>,=20<tls@ietf.o rg>; bh=StuIJwAvIP216z8E4dsgGuR7Q3YQXeCfmIF0jgKAEfY=; b=KHE2ErC33h9L37IUf+DVuxadRIdHXBg46Pia1yQmjSzsM63D4u7JDRCkU5 1mWP6lG3MpsfXMtwOMi+5DewoF1U21K+EmylgaWbDtfHcymIAhto0XfeDoGE Xxw7S2HDU6;
Authentication-Results: rtp-dkim-2; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; );
X-Spam-Score: -3.1 (---)
X-Scan-Signature: f2984bf50fb52a9e56055f779793d783
X-Mailman-Approved-At: Fri, 18 Jan 2008 02:50:42 -0500
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Hi Dan,

You seem to be arguing that SIV should be added to TLS because GCM is
deficient.   This line of thinking would sell both of those algorithms
short.

GCM is efficient at high data rates and high connection densities, and has
become the preferred algorithm for such uses.  It should be added to TLS so
that protocol gets those benefits.   It requires distinct nonces, but the
protocol can easily provide these.  You may be right in pointing out that in
some implementation environments, it is burdensome to provide distinct
nonces, but the efficiencies provided by GCM make it a good tradeoff in many
other environments.

It would be wrong to argue that SIV should be adopted because nonce
management for GCM and CTR are tricky.  This line of reasoning ignores other
ciphersuites, such as those using CBC mode, which have no nonce management
requirements, and it misses the fact that SIV does not have the efficiency
advantages of GCM and CTR.

You've pointed out the performance difference yourself in
draft-dharkins-siv-aes, where you say that "SIV can not perform at the same
high throughput rates that other authenticated encryption schemes can (e.g.
[GCM] or [OCB]), due to the requirement for two passes of the data but for
situations where performance is not a limiting factor-- e.g. control plane
applications-- it can provide a robust alternative, especially when
considering its resistance to nonce re-use."   In
draft-harkins-tls-rsa-aes-siv-00, you mention the CAPWAP as an example of a
control plane application where performance is not a limiting factor.  So
maybe we're not in disagreement here, though since TLS is mostly not limited
to control-plane applications, I think something got lost in the discussion
below.  

Now, returning to the comparison between SIV and the use of CBC in TLS, SIV
does well in this competition.  It has the advantage that it does not
require any initialization vector.  It avoids the vulnerabilities that CBC
has to chosen-plaintext attacks whenever the IV is predictable (as it
unfortunately can be in TLS), while not requiring a random IV and not
requiring any nonce management.  Not requiring any random source is a nice
property.  It would be interesting to see if we can put together a
ciphersuite that completely avoids the need for a random source.  Such a
thing could be useful in some constrained environments.  (However, a random
source is fundamental to DHE and to DSA signatures, and is used in RSA
encryption, so this idea needs more research.)   SIV is less appealing than
CBC for hardware implementations, but perhaps this doesn't matter so much
since there are other methods better than both CBC and SIV in that
application.  (Though it is worth noting out that we know that there are
algorithms that are more performance-friendly than SIV mode, such as the one
that uses a polynomial hash, as we'd discussed on the CFRG list.)

I suppose that, for completeness, one should compare SIV based TLS
ciphersuites to ones that use RC4.  I expect that people would agree that it
is desirable to have alternatives to RC4, so the fact that RC4 does not
require a random IV nor a distinct nonce should not really matter in the
discussion of SIV.

On a more positive note, I think that it is useful work to define how to add
a different AEAD to TLS.  It will test out the generality of the AEAD
interface that we've defined for TLS-GCM, and no doubt will improve our
"algorithm agility" story.

Best regards,

David

> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@lounge.org]
> Sent: Wednesday, January 16, 2008 9:58 AM
> To: Yoav Nir
> Cc: Simon Josefsson; tls@ietf.org
> Subject: Re: [TLS] Re: SIV as WG item?
> 
> 
>   The GCM ciphersuites for TLS use the deterministic nonce construction.
> You can ignore the other one in SP 800-38D. Just pay attention to the
> sections I listed.
> 
>   Like I said, if you think that GCM cannot be implemented in TLS in
> such a way that it could fall under any of the topics SP 800-38D
> addresses then SIV is not for you.
> 
>   I, on the other hand, doubt that "IT professionals" on whom the
> security of GCM depends (according to SP 800-38D) will understand the
> nuance around IV management. In fact, experience shows that "IT
> professionals" will routinely cut corners with security to make things
> be more scalable-- group pre-shared keys anyone? If all you care about
> when deploying a security system is to merely get your boss off your
> back then the special circumstances surrounding the particular module in
> the system you deploy is not of paramount concern.
> 
>   But it's fine. If you think that it is impossible to misuse your GCM
> implementation then bully for you. Do you also think that it is
> impossible to misuse _ANY_ TLS implementation of GCM? Is there something
> in TLS that makes SP 800-38D not apply?
> 
>   Dan.
> 
> On Wed, January 16, 2008 1:38 am, Yoav Nir wrote:
>> I've re-read the section in SP 800-38D and all it says is that the
>> same combination of key and IV should never be re-used.
>> 
>> Section 8.2.1 suggests two methods for IV construction: a counter and
>> a LFSR. Both should be easy enough to implement in the cryptographic
>> library so that the IT professional doesn't need to worry about
>> anything. As for keys, that would depend on the IT professional, or at
> 
>> least on getting good entropy for the TLS library, but that is no
>> different for CBC or SIV.
>> 
>> So I'm not sure I understand what problem SIV solves. We could have
>> standards for GCM require either the counter or LFSR, but this can
>> also be just recommended.
>> 
>> On Jan 16, 2008, at 5:25 AM, Dan Harkins wrote:
>> 
>>> 
>>>  Hi Yoav,
>>> 
>>>  Actually NIST has commented on this, it's SP 800-38D. GCM is not
>>> flawed provided you abide by the recommendations in that document.
>>> Specifically section 8.2.1 for the deterministic construction of the
>>> IV (which is used by the GCM ciphersuites for TLS). Since the nonce
>>> construction in draft-ietf-tls-rsa-aes-gcm-01.txt is partially
>>> implicit the recommendations in section 8.3 should be interpreted
>>> appropriately.
>>> 
>>>  It is also important to look at section 9.1 regarding design
>>> consideration. For instance the module responsible for construction
>>> of the nonce must be inside the FIPS140 cryptographic boundary.
>>> And in the case of power loss of an entity implementing GCM, "for
>>> [the TLS GCM ciphersuite] all of the deterministic elements that are
>>> necessary to construct the IV would have to be available when the
>>> power is restored. For example, these elements could be stored in
>>> non-volatile memory."
>>> 
>>>  There are also operational considerations in section 9.2 that lists
>>> questions that must be answered when deploying a GCM implementation.
>>> It states, "Compliance with the uniqueness requirement on IVs, and
>>> hence THE SECURITY OF GCM, ultimately DEPENDS ON THE IT PROFESSIONAL
>>> WHO CONFIGURES, DEPLOYS, AND MAINTAINS THE GCM MODULESS within a
>>> particular system." (emphasis mine and I apologize for screaming).
>>> 
>>>  So yes, defer to NIST. If you read SP 800-38D and are satisfied that
> 
>>> all of the relevant requirements are adhered to then GCM is secure.
>>> If you don't feel it's possible to guarantee that all of those
>>> requirements can be met or if you don't feel comfortable placing the
>>> security of the system in the hands of "the IT professional" who
>>> configures it then maybe it's not for you.
>>> 
>>>  Now, back to my screaming above for a second. It is this notice in
>>> SP 800-38D that really makes the SIV ciphersuites attractive. All of
>>> the text in SP 800-38D (approx 8 pages of it) do not apply to SIV
>>> because it is secure even in the presence of IV misuse. That is, if
>>> the IT professional intentionally or unintentionally misconfigures,
>>> misdeploys or improperly maintains a GCM module security is voided
>>> but if that module had been a SIV module security would not be voided
> 
>>> (assuming, of course, that the misuse by the IT professional results
>>> in IV misuse which is the a valid assumption since that's the topic
>>> of the quote above).
>>> 
>>>  The need for a SIV-based ciphersuites depends on whether you have
>>> any discomfort with any of the numerous requirements placed on proper
> 
>>> use of GCM. If you think that the design considerations of SP 800-38D
> 
>>> are met due to the nature of the TLS protocol and that the deployment
> 
>>> considerations either don't apply ("it's your problem if you
>>> misconfigure it so tough luck") or are similarly met due to the
>>> nature of the TLS protocol then SIV-based ciphersuites are probably
>>> not important enough to bring to the WG. If, on the other hand, these
> 
>>> design and deployment considerations make you uncomfortable and that
>>> a TLS module implementing GCM might be too fragile then a
>>> misuse-resistant alternative like SIV becomes important and
>>> attractive.
>>> 
>>>  regards,
>>> 
>>>  Dan.
>> 
>> 
> 
> 
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/tls



_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email