Re: [TLS] Pull Request: Removing the AEAD explicit IV
Michael StJohns <msj@nthpermutation.com> Tue, 17 March 2015 18:06 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC0751A87EC for <tls@ietfa.amsl.com>; Tue, 17 Mar 2015 11:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yW3R4AxzzbuF for <tls@ietfa.amsl.com>; Tue, 17 Mar 2015 11:06:52 -0700 (PDT)
Received: from mail-qc0-f172.google.com (mail-qc0-f172.google.com [209.85.216.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31CE51A87DB for <tls@ietf.org>; Tue, 17 Mar 2015 11:06:52 -0700 (PDT)
Received: by qcbkw5 with SMTP id kw5so16347100qcb.2 for <tls@ietf.org>; Tue, 17 Mar 2015 11:06:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type; bh=78fzrsexSCmvDeFkVpND+HBqmbgdDamh4wtlVOSeXvQ=; b=Mtz+BagCEiMzsFmG5WUzCaWL78bHga6eEEJwCc6kF80M1qbvt/AoAQBU45BRvhhpNd LQ42N3EjRRVmzUMeRZwMTzorIwxzpgHgIKwyLyc0SGqpkYZAcx3IdFImh/YIX2NYEawY EE6h3np59rSCMetrTWHVrNHxs+4vLJoMQcCK++2dFUAkrJRRqeI1Y2dozu31lAExiKRL 0H1xFoMG4aNXZNkcRomjrR2ugzHO4PTn6JAYFrdqA1BND94p/hyKTgRUZsauB9RhrkWS DQwVTXZ8OwwCgFqThFAiQMbdPe21IMoCnln01aNGVrDfrlJrQZtZNdEOlX3WFDLOhhTM VgtA==
X-Gm-Message-State: ALoCoQmyZfPEe6Kk7iiirTcBIMaFg6PDcFf3Cil2Y9JcH2vB2JmbGxCZvMlcTKHck7q5zvJCQvVc
X-Received: by 10.140.101.22 with SMTP id t22mr83633987qge.9.1426615611364; Tue, 17 Mar 2015 11:06:51 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:381:1ca7:409d:c366:febf? ([2601:a:2a00:381:1ca7:409d:c366:febf]) by mx.google.com with ESMTPSA id b74sm10127167qga.40.2015.03.17.11.06.50 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Mar 2015 11:06:50 -0700 (PDT)
Message-ID: <55086D3C.5090605@nthpermutation.com>
Date: Tue, 17 Mar 2015 14:06:52 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CABcZeBPfasM5HmJaATLUHQKRgiSGCreJt1T=UoDBGCbcuzyW8Q@mail.gmail.com>
In-Reply-To: <CABcZeBPfasM5HmJaATLUHQKRgiSGCreJt1T=UoDBGCbcuzyW8Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000207030406010306070407"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/sNgbbQZpEARh_d7mccmBYcSgwv8>
Subject: Re: [TLS] Pull Request: Removing the AEAD explicit IV
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 18:06:55 -0000
Sorry for being pedantic but... The Nonce is the fixed (per connection) part of the quantity of bits that are encrypted to produce one block of cipher text that's XOR'd with the plain text to produce the encrypted message block. The Nonce plus the message sequence number is the per-message initialization vector. The Nonce plus the message sequence number plus the block number is the per block value to be encrypted. At least for CCM and GCM. The Nonce is common across all messages within a session. (*sigh* the more general meaning of nonce is that of a unique per-invocation value but given that all per-message/per-block "nonce" usages contain the per-connection nonce it would be useful to not overload this too much - among other reasons: an IV is not always a nonce but can be, a nonce is not usually an IV but can be, most messages require an IV, most blocks don't). So maybe we call this the "Session Nonce" for clarity? In original TLS, the IV produced during session setup was actually not "the" IV, but "an" IV used for the first message. Then McGrew's AEAD modes repurposed the IV data produced as a nonce for the AEAD modes. So what you're proposing is to eliminate the determination of the Nonce as part of the session negotiation and make it a fixed value. E.g., we have an explicit nonce which is always zero which produces a per-message IV based on the sequence number of '0's | <sequence counter> | <block counter>. As a side effect that also eliminates the per-message IV field (which aren't actually used by the currently defined AEAD modes AFAICT). That works for the currently defined pure AEAD modes (CCM/GCM at least, haven't looked at chacha). Will that work in all cases for constructed AEAD modes? (e.g. where we build an AEAD mode out of an encryption mode and an integrity mode and derive the E and I keys from a single key internal to the constructed mode - say AES-CBC with CMAC for example). Short answer is probably not. Basically, this complete eliminates the ability to use CBC (or any cipher mode that requires an explicit per message IV) from TLS. Not arguing for or against this at this point, but not clear that everyone understands the side effects of this decision. Mike On 3/16/2015 7:54 PM, Eric Rescorla wrote: > PR: https://github.com/tlswg/tls13-spec/pull/155 > Target merge date: 3/21 > > Currently: > > - AES-GCM uses a partially explicit nonce > - The ChaCha20 draft uses the sequence number as the nonce. > > As Stephen Kent has observed, the idea behind the explicit IV is to > allow the > cryptographic module implementing the AEAD algorithm to ensure non-reuse > of the nonce. However, for ChaCha I believe we came to the conclusion > that it > was acceptable to use the sequence number as the nonce, as the module can > check for sequential usage. This saves 8 octets on the wire. > > In the interim in Seattle, we came to the conclusion that we should make > all AEAD algorithms behave this way, which also simplifies the spec some. > I've formatted this into a PR to verify the consensus on the list. > Please comment > here if you object and on the PR if you have editorial comments. > > https://github.com/tlswg/tls13-spec/pull/155 > > -Ekr > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Pull Request: Removing the AEAD explicit IV Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Adam Langley
- Re: [TLS] Pull Request: Removing the AEAD explici… Michael StJohns
- Re: [TLS] Pull Request: Removing the AEAD explici… Yoav Nir
- Re: [TLS] Pull Request: Removing the AEAD explici… Michael StJohns
- Re: [TLS] Pull Request: Removing the AEAD explici… Michael StJohns
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Watson Ladd
- Re: [TLS] Pull Request: Removing the AEAD explici… Watson Ladd
- Re: [TLS] Pull Request: Removing the AEAD explici… Colm MacCárthaigh
- Re: [TLS] Pull Request: Removing the AEAD explici… Martin Thomson
- Re: [TLS] Pull Request: Removing the AEAD explici… Colm MacCárthaigh
- Re: [TLS] Pull Request: Removing the AEAD explici… Michael StJohns
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Brian Smith
- Re: [TLS] Pull Request: Removing the AEAD explici… Watson Ladd
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Watson Ladd
- Re: [TLS] Pull Request: Removing the AEAD explici… Ilari Liusvaara
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Watson Ladd
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Ilari Liusvaara
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Brian Smith
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Brian Smith
- Re: [TLS] Pull Request: Removing the AEAD explici… Ilari Liusvaara
- Re: [TLS] Pull Request: Removing the AEAD explici… Adam Langley
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Ilari Liusvaara
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Adam Langley
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Brian Smith
- Re: [TLS] Pull Request: Removing the AEAD explici… Eric Rescorla
- Re: [TLS] Pull Request: Removing the AEAD explici… Martin Thomson