Re: [TLS] tales from the TLS interim: TLS 1.3 MTI algorithms

Yoav Nir <ynir.ietf@gmail.com> Wed, 18 March 2015 22:56 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Date: Thu, 19 Mar 2015 00:55:58 +0200
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/r8QLJQNfFdgRIBWwXUwLHnVMzGs>
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] tales from the TLS interim: TLS 1.3 MTI algorithms

> On Mar 18, 2015, at 11:05 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> On Wed, Mar 18, 2015 at 2:11 AM, Rob Stradling <rob.stradling@comodo.com> wrote:
> On 18/03/15 07:38, Yoav Nir wrote:
> On Mar 18, 2015, at 12:11 AM, Sean Turner <TurnerS@ieca.com> wrote:
> <snip>
> Please note that CFRG is already done with ChaCha20-Poly1305. The document is approved and in the RFC Editor’s queue.
> 
> The ball is not in this working group’s court. It’s time to decide about draft-mavrogiannopoulos-chacha-tls.
> 
> I await the chair's action on this.
> 
> In the meantime, I see that we have developed a conflict between this draft and
> 
> https://github.com/tlswg/tls13-spec/pull/155
> 
> Because this PR prescribes a specific mechanism for generating the nonce
> (left-padding the record sequence number) which conflicts with the one for
> this draft. Assuming that people feel that the approach we arrived at in
> the interim is appropriate, we will probably want to adjust this draft prior
> to acceptance.

The draft is suitable for TLS 1.2 as well, so I’m not sure it needs to comply with the nonce generation procedure of TLS 1.3.  It’s better for it to be like other AEADs such as AES-GCM, and then get adapted to TLS 1.3 just like AES-GCM.

Yoav
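The two nonce constructions the quoted discussion contrasts, as an added illustration that is not code from this thread, from PR 155 or from either draft: an RFC 5288 style TLS 1.2 AES-GCM nonce (implicit salt plus an explicit per-record part carried on the wire) beside a nonce formed by left-padding the 64-bit record sequence number as the PR is described, together with the nonce-uniqueness check every AEAD record layer depends on. The lengths, the sample salt and the `NonceTracker` helper are assumptions labelled in the code.

```python
# Added illustration, not code from the thread or either draft.  Lengths follow
# RFC 5288 (AES-GCM for TLS 1.2) and the 96-bit AEAD nonce size; the tracker is
# a constructed defender-side check, not part of any TLS implementation.
from typing import Tuple

SEQ_LEN = 8            # TLS record sequence number is 64 bits, big-endian
GCM_SALT_LEN = 4       # RFC 5288: 4-byte implicit salt taken from the key block
GCM_EXPLICIT_LEN = 8   # RFC 5288: 8-byte explicit nonce sent with each record
NONCE_LEN = 12         # 96-bit AEAD nonce (AES-GCM and ChaCha20-Poly1305)
MAX_SEQ = 2 ** 64 - 1  # past this the key must be changed or the connection closed


def gcm_tls12_nonce(salt: bytes, seq: int) -> Tuple[bytes, bytes]:
    """RFC 5288 form: nonce = salt || explicit.  Returns (nonce, explicit); the
    explicit part is what travels on the wire, and using the record sequence
    number for it is the common (not mandated) choice."""
    if len(salt) != GCM_SALT_LEN:
        raise ValueError("salt must be 4 bytes")
    if not 0 <= seq <= MAX_SEQ:
        raise ValueError("sequence number out of range")
    explicit = seq.to_bytes(GCM_EXPLICIT_LEN, "big")
    return salt + explicit, explicit


def padded_seq_nonce(seq: int) -> bytes:
    """The form the PR is described with: serialise the 64-bit sequence number
    big-endian and left-pad it with zero bytes to the nonce length.  Nothing
    extra is sent; both peers derive it by counting records."""
    if not 0 <= seq <= MAX_SEQ:
        raise ValueError("sequence number out of range")
    return seq.to_bytes(SEQ_LEN, "big").rjust(NONCE_LEN, b"\x00")


class NonceTracker:
    """Constructed check: under one key a nonce must never repeat.  Records the
    nonces used and refuses a duplicate or a wrong-length value."""

    def __init__(self) -> None:
        self.seen = set()

    def check(self, nonce: bytes) -> bool:
        if len(nonce) != NONCE_LEN or nonce in self.seen:
            return False
        self.seen.add(nonce)
        return True


def next_seq(seq: int) -> int:
    """Advance the record counter; exhausting it must force a rekey or close."""
    if seq >= MAX_SEQ:
        raise OverflowError("sequence number exhausted: rekey or close")
    return seq + 1
```

The published TLS 1.3 record layer additionally XORs the padded sequence number with a per-direction write IV; the block shows only the bare left-padded form the quoted text refers to.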