Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

Wan-Teh Chang <wtc@google.com> Tue, 04 August 2015 17:24 UTC

Return-Path: <wtc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C40431A1F1D for <tls@ietfa.amsl.com>; Tue, 4 Aug 2015 10:24:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.389
X-Spam-Level:
X-Spam-Status: No, score=-1.389 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yd8KeXnWNj9M for <tls@ietfa.amsl.com>; Tue, 4 Aug 2015 10:24:16 -0700 (PDT)
Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B00171A1EEA for <tls@ietf.org>; Tue, 4 Aug 2015 10:24:16 -0700 (PDT)
Received: by wijp15 with SMTP id p15so15412892wij.0 for <tls@ietf.org>; Tue, 04 Aug 2015 10:24:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=h9qAUkMRKGATIcM9K9FVNLnOY67oHhj+Mo158Dh+e9E=; b=RZK09D+iS4bBaVa4TB5IxdTTVbQtEq31L8DmsQeGJMIh+i8D4sRf71uqT8LOWThECC oyZ7MQa2Sj92ytvCauWMeAl/c4VpWSEH7gLnYl8bVKilf7YTfmfL12fUfHbqOJU28Plk BkzMWRdO/4BkqfCJ6IcUO3ZtMh3ta4rpN9I+EFVZuCTmiDhgEM+FZPsm/DNnXnOe3pMX A5a0a4nHAEnz0josbSwdvjGVJhir+nnrqya+A5zZxJvGZXXsKA773NK61ngKBIbpVU/x iacxofXgzToaotcNZkbZeUY44dRKWBVVgm5Kf78MmJyUAIeePVYnIUJ6qiI/IpN7CW/e uC7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=h9qAUkMRKGATIcM9K9FVNLnOY67oHhj+Mo158Dh+e9E=; b=BwcX3eZUTM9u1FtqHBrF9j8N9afxPzk+tvDR8cYGiqADVwxGOBIxJwuwnBoRXUiPnF 1yxRlP0Uw9Zq8hLZQLxbgvh3naZ7qC2qix73dXgNIuOJUqiYqLSG/NzkO3DL6dcHQRMk Ff2tErr7SEP76CD1rDi7OkEVHEAjzNtyZ0ILaqi9QsXtNfFP78yRo4D3gZPuY3GARYyq yj6Pw/BVRfj5lwLnZljvCzCxAqiLyxnTw7ULsnp85YnRZbLb4lhTzKlmk7DEhVKkWPB2 5Arvwjw1VplcyJWU/WH3taOU1UEdM5uJcIadBFcEmBHuYe6fnqlK5cO2yQvwFgbMHKEr Zx+g==
X-Gm-Message-State: ALoCoQnNgFJIk4DFy/bM4JPwAQyUhdIIAilt68Qo2Pol/ECHE++S6e0VanP7unp0IuZ3r2hsmJtv
MIME-Version: 1.0
X-Received: by 10.180.73.2 with SMTP id h2mr10320329wiv.72.1438709055322; Tue, 04 Aug 2015 10:24:15 -0700 (PDT)
Received: by 10.28.63.198 with HTTP; Tue, 4 Aug 2015 10:24:15 -0700 (PDT)
In-Reply-To: <CABkgnnVLahWvJ1ONUW7RLTuUVj1nrGVwgxBGsh2A58r1Gjf3aw@mail.gmail.com>
References: <1438691824.10777.9.camel@redhat.com> <CABkgnnVLahWvJ1ONUW7RLTuUVj1nrGVwgxBGsh2A58r1Gjf3aw@mail.gmail.com>
Date: Tue, 4 Aug 2015 10:24:15 -0700
Message-ID: <CALTJjxFpKCSbzBB=kFF7FUMvDyR0ZiNGgyvBz4EG3UpVotUAvg@mail.gmail.com>
From: Wan-Teh Chang <wtc@google.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/p6TWvbx1kqhbzTBDXfRNxmWgpcs>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2015 17:24:17 -0000

On Tue, Aug 4, 2015 at 9:15 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> Personally, I would rather see the nonce construction follow the form
> defined in the respective TLS version.  That means including redundant
> bytes in TLS 1.2 and only getting the full advantage when we move to
> TLS 1.3.

Martin,

In TLS 1.2, the explicit part of the nonce
(GenericAEADCipher.nonce_explicit in
https://tools.ietf.org/html/rfc5246#section-6.2.3.3) is allowed to be
zero-length. So it seems reasonable for
draft-ietf-tls-chacha20-poly1305 to use the draft-TLS 1.3 nonce
mechanism for TLS 1.2. The consistency you want to see seems to be
consistency with the AES GCM cipher suites, rather than with TLS 1.2.

My only concern with adopting the draft-TLS 1.3 nonce mechanism for
TLS 1.2 is that it is not final. It will be bad if
draft-ietf-tls-chacha20-poly1305 becomes an RFC before TLS 1.3 does,
and the final TLS 1.3 nonce mechanism is different.

Wan-Teh