Re: [TLS] Consensus for AEAD IV
Michael StJohns <msj@nthpermutation.com> Sun, 26 April 2015 20:26 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF42A1A8F42 for <tls@ietfa.amsl.com>; Sun, 26 Apr 2015 13:26:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nw3PnWU1_GhY for <tls@ietfa.amsl.com>; Sun, 26 Apr 2015 13:26:34 -0700 (PDT)
Received: from mail-vn0-f47.google.com (mail-vn0-f47.google.com [209.85.216.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A86671A8F3C for <tls@ietf.org>; Sun, 26 Apr 2015 13:26:34 -0700 (PDT)
Received: by vnbf190 with SMTP id f190so9637656vnb.1 for <tls@ietf.org>; Sun, 26 Apr 2015 13:26:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=UFYQeINcuni+1zqCEsv5KPyMlG0BSNc5yHwYW71hnfg=; b=YmjXKogmt/3Sn1u2eN6H+ceBkZdf5QGECh10h9ISsLWyxKccEGIujT5/HYvXD39PT0 gZpMLDLJ5dunx1MQQW8zlafIgzc8wc5YNd/9Y8+BdU4xAACrT3WYPEk+OAMprskCRg6P sytVdqO1NRFcHKEhPKBc3AVKwTH9gd/Boz4sKUaOFTMcrw1XSgaXWiyIzKCnv+YGC69B RjlU3/+nMBKHapu8ZWoJmyz8iuVUBAQLY9qoYVjXlqeglCjm61cEMljjAZb3Ja/87F/z 17h55IVq9lO2clr/fUika7HaPlv/A3VI2FgoLw75y7+IKt9ki/0MtsMoNffPf00gFgP7 fQjg==
X-Gm-Message-State: ALoCoQnHnKNulDCajfbMggmoHRubwPB78ZAXKt/BEWP7L8xayajrlb6sTgYRwunslcBRBnJN01nG
X-Received: by 10.52.135.231 with SMTP id pv7mr20236792vdb.21.1430079993675; Sun, 26 Apr 2015 13:26:33 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:84:cae:d6cf:19b5:13bc? ([2601:a:2a00:84:cae:d6cf:19b5:13bc]) by mx.google.com with ESMTPSA id h14sm20228343vdj.0.2015.04.26.13.26.33 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 26 Apr 2015 13:26:33 -0700 (PDT)
Message-ID: <553D49F8.10209@nthpermutation.com>
Date: Sun, 26 Apr 2015 16:26:32 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
References: <CAOgPGoC14uhjrZAQvDHFQrJoyoVNELpNNd4+Hh==zwf9ipyY5g@mail.gmail.com> <CABkgnnU50pvH+LFsN3BL9LfvYhZOxmJV1JYzODeC=-JpZSh8Lw@mail.gmail.com> <CAOgPGoDNuhmnNpZ7ELCfBHS4rKuj+3j1+YiuxLkST+z1J+tOKQ@mail.gmail.com> <553C59B2.6050000@nthpermutation.com> <7E7D3069-2021-4691-AEA6-70DD1AB4476C@gmail.com> <553D27D0.7040209@nthpermutation.com> <20150426182025.GA3549@LK-Perkele-VII>
In-Reply-To: <20150426182025.GA3549@LK-Perkele-VII>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/rhgB4Nup3paLk9c7-J-s-RIC3RI>
Cc: tls@ietf.org
Subject: Re: [TLS] Consensus for AEAD IV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2015 20:26:36 -0000
On 4/26/2015 2:20 PM, Ilari Liusvaara wrote: >> There is no reason to treat the 96 bit quantity as secret and no one else >> >does. > Oh, except SSH. The session nonce is 96 bits and secret. (I'll get back to the rest of your message later, but let me dispose of the above first). Not exactly. It turns out that the IV of each SSH message is the Cipher text of the last block of the previous message. Which - since it's cipher text - is transmitted and known to everyone who can intercept the message stream. SSH uses CBC exclusively as far as I can tell. The fact that the mixin of the first block of the first message (AKA the initial IV) is generated via keyed material from the negotiated shared secret is actually a problem (similar to the problems in TLS 1.2 and before) and doesn't actually provide any security. Let me be blunt: IVs are NOT secrets and you should not impute additional security by encrypting them or otherwise deriving them in a non-public manner. Mike
- [TLS] Consensus for AEAD IV Joseph Salowey
- Re: [TLS] Consensus for AEAD IV Martin Thomson
- Re: [TLS] Consensus for AEAD IV Joseph Salowey
- Re: [TLS] Consensus for AEAD IV Martin Thomson
- Re: [TLS] Consensus for AEAD IV Russ Housley
- Re: [TLS] Consensus for AEAD IV Michael StJohns
- Re: [TLS] Consensus for AEAD IV Yoav Nir
- Re: [TLS] Consensus for AEAD IV Michael StJohns
- Re: [TLS] Consensus for AEAD IV Ilari Liusvaara
- Re: [TLS] Consensus for AEAD IV Brian Smith
- Re: [TLS] Consensus for AEAD IV Michael StJohns
- Re: [TLS] Consensus for AEAD IV Ilari Liusvaara
- Re: [TLS] Consensus for AEAD IV Michael StJohns
- Re: [TLS] Consensus for AEAD IV Michael StJohns
- Re: [TLS] Consensus for AEAD IV Yoav Nir
- Re: [TLS] Consensus for AEAD IV Michael StJohns
- Re: [TLS] Consensus for AEAD IV Yoav Nir
- Re: [TLS] Consensus for AEAD IV Michael StJohns
- Re: [TLS] Consensus for AEAD IV Yoav Nir
- Re: [TLS] Consensus for AEAD IV Eric Rescorla
- Re: [TLS] Consensus for AEAD IV Nikos Mavrogiannopoulos