Re: [TLS] Consensus for AEAD IV

Michael StJohns <msj@nthpermutation.com> Sun, 26 April 2015 20:26 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF42A1A8F42 for <tls@ietfa.amsl.com>; Sun, 26 Apr 2015 13:26:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nw3PnWU1_GhY for <tls@ietfa.amsl.com>; Sun, 26 Apr 2015 13:26:34 -0700 (PDT)
Received: from mail-vn0-f47.google.com (mail-vn0-f47.google.com [209.85.216.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A86671A8F3C for <tls@ietf.org>; Sun, 26 Apr 2015 13:26:34 -0700 (PDT)
Received: by vnbf190 with SMTP id f190so9637656vnb.1 for <tls@ietf.org>; Sun, 26 Apr 2015 13:26:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=UFYQeINcuni+1zqCEsv5KPyMlG0BSNc5yHwYW71hnfg=; b=YmjXKogmt/3Sn1u2eN6H+ceBkZdf5QGECh10h9ISsLWyxKccEGIujT5/HYvXD39PT0 gZpMLDLJ5dunx1MQQW8zlafIgzc8wc5YNd/9Y8+BdU4xAACrT3WYPEk+OAMprskCRg6P sytVdqO1NRFcHKEhPKBc3AVKwTH9gd/Boz4sKUaOFTMcrw1XSgaXWiyIzKCnv+YGC69B RjlU3/+nMBKHapu8ZWoJmyz8iuVUBAQLY9qoYVjXlqeglCjm61cEMljjAZb3Ja/87F/z 17h55IVq9lO2clr/fUika7HaPlv/A3VI2FgoLw75y7+IKt9ki/0MtsMoNffPf00gFgP7 fQjg==
X-Gm-Message-State: ALoCoQnHnKNulDCajfbMggmoHRubwPB78ZAXKt/BEWP7L8xayajrlb6sTgYRwunslcBRBnJN01nG
X-Received: by 10.52.135.231 with SMTP id pv7mr20236792vdb.21.1430079993675; Sun, 26 Apr 2015 13:26:33 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:84:cae:d6cf:19b5:13bc? ([2601:a:2a00:84:cae:d6cf:19b5:13bc]) by mx.google.com with ESMTPSA id h14sm20228343vdj.0.2015.04.26.13.26.33 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 26 Apr 2015 13:26:33 -0700 (PDT)
Message-ID: <553D49F8.10209@nthpermutation.com>
Date: Sun, 26 Apr 2015 16:26:32 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
References: <CAOgPGoC14uhjrZAQvDHFQrJoyoVNELpNNd4+Hh==zwf9ipyY5g@mail.gmail.com> <CABkgnnU50pvH+LFsN3BL9LfvYhZOxmJV1JYzODeC=-JpZSh8Lw@mail.gmail.com> <CAOgPGoDNuhmnNpZ7ELCfBHS4rKuj+3j1+YiuxLkST+z1J+tOKQ@mail.gmail.com> <553C59B2.6050000@nthpermutation.com> <7E7D3069-2021-4691-AEA6-70DD1AB4476C@gmail.com> <553D27D0.7040209@nthpermutation.com> <20150426182025.GA3549@LK-Perkele-VII>
In-Reply-To: <20150426182025.GA3549@LK-Perkele-VII>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/rhgB4Nup3paLk9c7-J-s-RIC3RI>
Cc: tls@ietf.org
Subject: Re: [TLS] Consensus for AEAD IV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2015 20:26:36 -0000

On 4/26/2015 2:20 PM, Ilari Liusvaara wrote:
>> There is no reason to treat the 96 bit quantity as secret and no one else
>> >does.
> Oh, except SSH. The session nonce is 96 bits and secret.


(I'll get back to the rest of your message later,  but let me dispose of 
the above first).


Not exactly.  It turns out that the IV of each SSH message is the Cipher 
text of the last block of the previous message.  Which - since it's 
cipher text - is transmitted and known to everyone who can intercept the 
message stream.

SSH uses CBC exclusively as far as I can tell.   The fact that the 
mixin  of the first block of the first message (AKA the initial IV) is 
generated via keyed material from the negotiated shared secret is 
actually a problem (similar to the problems in TLS 1.2 and before) and 
doesn't actually provide any security.

Let me be blunt:  IVs are NOT secrets and you should not impute 
additional security by encrypting them or otherwise deriving them in a 
non-public manner.

Mike