Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
Eric Rescorla <ekr@rtfm.com> Tue, 29 April 2014 17:37 UTC
In-Reply-To: <535FE210.40909@net.in.tum.de>
References: <86E69268-DC0A-43E7-8CF5-0DAE39FD4FD5@cisco.com> <84C4848E-7843-4372-93AA-C1F017C3E088@cisco.com> <535F6684.1040701@azet.sk> <535FE210.40909@net.in.tum.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 29 Apr 2014 10:37:00 -0700
Message-ID: <CABcZeBOKbtzQZtiWx8p-q41w4tVxVv9rWYvBUubhN_E3cafK3w@mail.gmail.com>
To: Ralph Holz <holz@net.in.tum.de>
Cc: "tls@ietf.org" <tls@ietf.org>
On Tue, Apr 29, 2014 at 10:32 AM, Ralph Holz <holz@net.in.tum.de> wrote:

> Hi,
>
> On 04/29/2014 10:44 AM, Fedor Brunner wrote:
>
> > The Mandatory Cipher Suite for TLS 1.2 was
> > TLS_RSA_WITH_AES_128_CBC_SHA. What is the mandatory cipher in TLS
> > 1.3 ?
> >
> > Maybe TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 using Curve25519
> > for ECDHE ?
>
> For current TLS 1.2, the UTA BCP [1] suggests
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. It also asks for
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, and
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 to be supported by implementations.
>
> It might be nice to keep the BCP in line with TLS 1.3 suggestions.
>
> As for the symmetric ciphers... I acknowledge there is resistance
> against GCM due to sidechannel issues, but really, with the current
> combination of encryption and MACs, I see no alternative there bar the
> new stream ciphers.
> Another alternative would be AES-CTR + HMAC....
> Maybe it's time Peter's draft is finally moved forward - although I
> still object to the use of extensions to indicate encrypt-then-mac.

The WGLC for this ended Monday. I would expect Peter to produce a new
draft relatively soon and then we should be able to send it to the IESG.

-Ekr

> (Part of my reasoning is that using extensions complicates the
> protocol, which leads to more complexity in implementations)
>
> Ralph
>
> [1] http://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/?include_text=1
>
> [2] http://tools.ietf.org/html/draft-gutmann-tls-encrypt-then-mac-05
>
> > Fedor
> >
> > On 26.04.2014 17:24, Joseph Salowey (jsalowey) wrote:
> >> The consensus from the IETF-89 meeting holds, TLS 1.3 will only
> >> use record layer protection of type AEAD. The Editor is requested
> >> to make the appropriate changes to the draft on github.
> >>
> >> Joe [For the chairs]
> >>
> >> On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey)
> >> <jsalowey@cisco.com> wrote:
> >>
> >>> TLS has supported a number of different cipher types for
> >>> protecting the record layer. In TLS 1.3 these include Stream
> >>> Cipher, CBC Block Cipher and AEAD Cipher. The construction of the
> >>> CBC mode within TLS has been shown to be flawed and stream ciphers
> >>> are not generally applicable to DTLS. Using a single mechanism for
> >>> cryptographic transforms would make security analysis easier.
> >>> AEAD ciphers can be constructed from stream ciphers and block
> >>> ciphers and are defined as protocol independent transforms. The
> >>> consensus in the room at IETF-89 was to only support AEAD ciphers
> >>> in TLS 1.3. If you have concerns about this decision please respond
> >>> on the TLS list by April 11, 2014.
> >>>
> >>> Thanks,
> >>>
> >>> Joe [Speaking for the TLS chairs]
>
> --
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
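Joe's note states that AEAD ciphers can be constructed from stream ciphers and block ciphers, and Ralph raises AES-CTR + HMAC as an alternative to GCM; the following added example (not code from this thread, the TLS drafts, or any TLS implementation) composes such an AEAD in Go in encrypt-then-MAC order, so that a modified record or mismatched associated data is rejected before any decryption happens. The `EtM` type, its MAC input layout (length-prefixed aad, nonce, ciphertext) and the use of a 16-byte AES counter block as the nonce are my assumptions, and the keys in the test are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// EtM composes an AEAD from AES-128-CTR and HMAC-SHA256 in encrypt-then-MAC order:
// record = ciphertext || HMAC(macKey, len(aad) || aad || nonce || ciphertext).
type EtM struct {
	block  cipher.Block
	macKey []byte
}
func NewEtM(encKey, macKey []byte) (*EtM, error) {
	block, err := aes.NewCipher(encKey) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return &EtM{block: block, macKey: macKey}, nil
}
// tag binds ciphertext, nonce and aad; the length prefix keeps the aad/ciphertext boundary unambiguous.
func (a *EtM) tag(nonce, aad, ct []byte) []byte {
	m := hmac.New(sha256.New, a.macKey)
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], uint64(len(aad)))
	for _, p := range [][]byte{l[:], aad, nonce, ct} {
		m.Write(p)
	}
	return m.Sum(nil)
}
// Seal encrypts first, then authenticates the ciphertext; the nonce is the 16-byte initial AES counter block and must not repeat under a key.
func (a *EtM) Seal(nonce, plaintext, aad []byte) []byte {
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(a.block, nonce).XORKeyStream(ct, plaintext)
	return append(ct, a.tag(nonce, aad, ct)...)
}
// Open checks the tag in constant time before decrypting, so a modified record or mismatched aad yields no plaintext.
func (a *EtM) Open(nonce, sealed, aad []byte) ([]byte, error) {
	n := len(sealed) - sha256.Size
	if n < 0 || !hmac.Equal(sealed[n:], a.tag(nonce, aad, sealed[:n])) {
		return nil, errors.New("authentication failed")
	}
	pt := make([]byte, n)
	cipher.NewCTR(a.block, nonce).XORKeyStream(pt, sealed[:n])
	return pt, nil
}
```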