Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites

Eric Rescorla <ekr@rtfm.com> Thu, 11 February 2021 23:12 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 11 Feb 2021 15:11:54 -0800
Message-ID: <CABcZeBN-mqj1Ejq8FJLp-4KmTgHC_Wc3gK0N-8RX3Fos+XZtVg@mail.gmail.com>
To: Jack Visoky <jmvisoky@ra.rockwell.com>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "TLS@ietf.org" <TLS@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qJwTxn2Uq_LizzGoWHFwxDjkv3Q>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On Thu, Feb 11, 2021 at 3:08 PM Jack Visoky <jmvisoky@ra.rockwell.com>
wrote:

> Hi Eric,
>
> I don’t have numbers offhand but I will say that many platforms I have
> experience with have some sort of HW support, and might include things like
> DMA. In these cases ChaCha20-Poly1305 is way behind in terms of performance
> (which is expected as I believe it was mainly targeted to software-only
> implementations).
>
> I’ll anticipate that someone might ask if GCM is not better than SHA-256
> with hardware support, and of course I will have to say it depends on the
> platform. For some cases it will be, and others it will not. Here is a link
> to some performance numbers which show SHA-256 is faster than GCM
> https://www.ti.com/lit/an/swra667/swra667.pdf?ts=1613069390182. In other
> cases GCM may not be supported on a platform but SHA256 is, of course
> that’s kind of a strawman but it could occur.
>

I doubt it covers the whole difference, but I'd note that SHA-256 is not
the right comparison point, because what you need here is HMAC, which
requires nested SHA invocations. This is especially relevant if you have to
go back and forth to the hardware each time.

-Ekr

> Note I am not endorsing this platform or affiliated with it in any way,
> just want to give an example. And it really is just an example, sorry to
> repeat again but I just want to drive home the point that YMMV on things
> like this.
>
> Thanks,
>
> --Jack
>
> *From:* Eric Rescorla <ekr@rtfm.com>
> *Sent:* Thursday, February 11, 2021 2:51 PM
> *To:* Jack Visoky <jmvisoky@ra.rockwell.com>
> *Cc:* John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>;
> TLS@ietf.org
> *Subject:* Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only
> Cipher Suites
>
> On Thu, Feb 11, 2021 at 11:13 AM Jack Visoky <jmvisoky@ra.rockwell.com>
> wrote:
>
> Hi John, Eric,
>
> Thanks for the input. We will certainly make some changes to the draft
> regarding the inspection case. However, I can’t support removing the
> performance/latency information completely, as I have heard from those who
> have this very concern. That said, we will edit the language to make it
> clear that this is not true in all cases.
>
> Well, the draft just claims that there are latency concerns, but doesn't
> present details. If you want to make this case, it would be helpful to
> present performance numbers that show that these ciphersuites are
> substantially faster than the alternative algorithms (in particular
> ChaCha20/Poly1305) which is quite fast on many low end platforms.
>
> -Ekr
>
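
Added example, not part of the original message: the reply's point that HMAC needs nested SHA invocations, made concrete by writing HMAC-SHA-256 (RFC 2104) as its two SHA-256 passes and counting compression-function calls against a single plain SHA-256 over the same data. The all-zero key and payloads are constructed samples, and the counts cover the message bytes only, not any per-record framing a TLS stack adds.

```python
import hashlib
import hmac

BLOCK = 64    # SHA-256 input block size in bytes
DIGEST = 32   # SHA-256 output size in bytes

def sha256_blocks(n):
    """Compression-function calls for an n-byte input: the message,
    one 0x80 pad byte and an 8-byte length, rounded up to whole blocks."""
    return (n + 1 + 8 + BLOCK - 1) // BLOCK

def hmac_sha256(key, msg):
    """HMAC (RFC 2104) written out as its nested SHA-256 passes.
    Returns (tag, hash_invocations, compression_calls)."""
    invocations, calls = 0, 0
    if len(key) > BLOCK:              # long keys cost one extra hash
        calls += sha256_blocks(len(key))
        invocations += 1
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()     # pass 1: over the data
    tag = hashlib.sha256(opad + inner).digest()     # pass 2: over pass 1's digest
    invocations += 2
    calls += sha256_blocks(BLOCK + len(msg)) + sha256_blocks(BLOCK + DIGEST)
    return tag, invocations, calls

def cost_table(sizes, key=bytes(32)):   # constructed all-zero 32-byte key
    """Rows of (size, plain SHA-256 calls, HMAC calls) per message size."""
    rows = []
    for n in sizes:
        msg = bytes(n)                  # constructed all-zero sample payload
        tag, invocations, calls = hmac_sha256(key, msg)
        # Cross-check the hand-built HMAC against the standard library.
        assert tag == hmac.new(key, msg, hashlib.sha256).digest()
        assert invocations == 2
        rows.append((n, sha256_blocks(n), calls))
    return rows

if __name__ == "__main__":
    for n, plain, mac in cost_table([32, 64, 1024, 16384]):
        print(f"{n:>6} B  SHA-256: {plain:>3} calls   HMAC-SHA-256: {mac:>3} calls")
```

The overhead is a constant three compression calls plus a second hash invocation per message, so it weighs most on short records and on platforms where each invocation is a separate trip to the hash engine.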