Re: [TLS] AEAD only for TLS1.3 revisit

Michael StJohns <msj@nthpermutation.com> Tue, 30 September 2014 20:23 UTC

Message-ID: <542B1158.4050203@nthpermutation.com>
Date: Tue, 30 Sep 2014 16:23:52 -0400
From: Michael StJohns <msj@nthpermutation.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
References: <542988C5.8050307@nthpermutation.com> <A46BA862-DEE1-46CF-9193-40D1EAAA14BE@cisco.com>
In-Reply-To: <A46BA862-DEE1-46CF-9193-40D1EAAA14BE@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/so_St7T_YRJWKa6wgfAEZkBZuaM
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] AEAD only for TLS1.3 revisit

On 9/30/2014 3:44 PM, Joseph Salowey (jsalowey) wrote:
> Allowing for man-in-the-middle and passive monitoring is in opposition to our current mandate. As an aside, if this becomes a requirement in the future I don't think that AEAD actually limits either of these possibilities, although your choice of cipher may.

It depends on the cipher mode. Unfortunately, the restriction/limitation applies to both CCM and GCM, the only "native" AEAD ciphers in the TLS toolchest. For CCM, the key used for encryption is the same one used for integrity. For GCM, the key used for integrity is CIPH_K(128 bits of zero) where K is the encryption key - if you have the encryption key, you can generate the integrity key.

The only other AEAD cipher suite we have in progress is https://datatracker.ietf.org/doc/draft-mcgrew-aead-aes-cbc-hmac-sha2/, which is a constructed AEAD cipher. That basically splits the input K linearly into two pieces - the HMAC and AES keys - so it would be possible to reveal the AES subkey without revealing the HMAC key.

So the choice of AEAD effectively limits these possibilities. For all the non-AEAD suites, the integrity and encryption keys are individually derived.

Mike
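
As an added worked example (not part of Mike's mail, nor code from any of the IETF drafts it mentions), the Go program below makes the GCM half of his point concrete. It reimplements GHASH from NIST SP 800-38D, derives the hash subkey H = AES_K(0^128) and the tag mask AES_K(J0) from the encryption key only, and checks that the tag it computes equals the one emitted by the Go standard library's AES-GCM; it then re-tags a modified ciphertext with nothing but K and shows the library accepts the forgery. The key, nonce, AAD and plaintext are constructed, the function names are mine, and the code handles the 96-bit-nonce case only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// gf128Mul multiplies two blocks in GF(2^128) with the bit order and reduction
// constant of NIST SP 800-38D, Algorithm 1 (R = 11100001 || 0^120).
func gf128Mul(x, y [16]byte) [16]byte {
	vHi, vLo := binary.BigEndian.Uint64(y[:8]), binary.BigEndian.Uint64(y[8:])
	var zHi, zLo uint64
	for i := 0; i < 128; i++ {
		if x[i/8]>>(7-uint(i%8))&1 == 1 { // bit i of x, leftmost bit first
			zHi ^= vHi
			zLo ^= vLo
		}
		carry := vLo&1 == 1 // rightmost bit falls off on the shift
		vLo, vHi = vLo>>1|vHi<<63, vHi>>1
		if carry {
			vHi ^= 0xE100000000000000
		}
	}
	var z [16]byte
	binary.BigEndian.PutUint64(z[:8], zHi)
	binary.BigEndian.PutUint64(z[8:], zLo)
	return z
}

// ghash is GHASH_H over data, whose length must be a multiple of 16 bytes.
func ghash(h [16]byte, data []byte) [16]byte {
	var y [16]byte
	for i := 0; i < len(data); i += 16 {
		for j := 0; j < 16; j++ {
			y[j] ^= data[i+j]
		}
		y = gf128Mul(y, h)
	}
	return y
}

// aesGCM returns the raw AES block cipher and the library's GCM mode for key.
func aesGCM(key []byte) (cipher.Block, cipher.AEAD) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // example code: a bad key length is a programming error here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a 128-bit block cipher
	return block, gcm
}

// TagFromEncryptionKey rebuilds the GCM tag for (nonce, aad, ciphertext) from the
// AES key alone: H = AES_K(0^128) is the GHASH key and AES_K(J0) is the tag mask.
func TagFromEncryptionKey(key, nonce, aad, ciphertext []byte) []byte {
	if len(nonce) != 12 {
		panic("example supports 96-bit nonces only") // then J0 = nonce || 0^31 || 1
	}
	block, _ := aesGCM(key)
	var h, j0, mask [16]byte
	block.Encrypt(h[:], make([]byte, 16)) // H = E_K(0^128): the "integrity key"
	copy(j0[:], nonce)
	j0[15] = 1
	block.Encrypt(mask[:], j0[:]) // E_K(J0)
	aLen, cLen := (len(aad)+15)/16*16, (len(ciphertext)+15)/16*16
	in := make([]byte, aLen+cLen+16) // pad16(A) || pad16(C) || [len(A)]64 || [len(C)]64
	copy(in, aad)
	copy(in[aLen:], ciphertext)
	binary.BigEndian.PutUint64(in[aLen+cLen:], uint64(len(aad))*8)
	binary.BigEndian.PutUint64(in[aLen+cLen+8:], uint64(len(ciphertext))*8)
	tag := make([]byte, 16)
	for i, b := range ghash(h, in) {
		tag[i] = mask[i] ^ b // T = E_K(J0) XOR GHASH_H(A, C)
	}
	return tag
}

// ForgeWithKeyOnly flips one ciphertext byte, re-tags it using K alone, and
// reports whether the library accepts the forgery as authentic.
func ForgeWithKeyOnly(key, nonce, aad, sealed []byte) bool {
	ct := append([]byte{}, sealed[:len(sealed)-16]...)
	ct[0] ^= 0x01
	_, gcm := aesGCM(key)
	_, err := gcm.Open(nil, nonce, append(ct, TagFromEncryptionKey(key, nonce, aad, ct)...), aad)
	return err == nil
}

func main() {
	// Constructed inputs for illustration only: 128-bit key, 96-bit nonce.
	key, nonce, aad := []byte("0123456789abcdef"), []byte("unique nonce"), []byte("TLS record header")
	_, gcm := aesGCM(key)
	sealed := gcm.Seal(nil, nonce, []byte("plaintext record payload"), aad)
	mine := TagFromEncryptionKey(key, nonce, aad, sealed[:len(sealed)-16])
	fmt.Printf("tag from K alone matches library: %v; forgery with K alone accepted: %v\n",
		bytes.Equal(mine, sealed[len(sealed)-16:]), ForgeWithKeyOnly(key, nonce, aad, sealed))
}
```

Both printed values come out true. The practical reading is the one in the mail: a party handed K "only to decrypt" GCM traffic also holds H and E_K(J0), so a decrypt-only disclosure of a GCM key is not achievable; CCM is the same case directly, since its CBC-MAC and counter-mode components share the one key, while the constructed CBC-HMAC suite in the McGrew draft keeps its HMAC half separate from its AES half.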