Re: [TLS] Confirming Consensus on supporting only AEAD ciphers

Eric Rescorla <ekr@rtfm.com> Tue, 29 April 2014 17:37 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 476B91A0920 for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 10:37:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z2ZPf4EoU-_0 for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 10:37:43 -0700 (PDT)
Received: from mail-we0-f181.google.com (mail-we0-f181.google.com [74.125.82.181]) by ietfa.amsl.com (Postfix) with ESMTP id DD0E31A08DB for <tls@ietf.org>; Tue, 29 Apr 2014 10:37:42 -0700 (PDT)
Received: by mail-we0-f181.google.com with SMTP id q58so560340wes.12 for <tls@ietf.org>; Tue, 29 Apr 2014 10:37:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=PFoR38qipQgZApBXpHagUEcdqbHRnItiwHBJGLAHNjQ=; b=ZloXQsjtxRyeqZkrVIRq/ofJfdxLy1GgW0z4ryIzhhVtEwCyTYhTPYoJSlH99WUlww TEEKrQy0ygNp4+3D9m3uZtfZvc4Lw7gCFntXJfMfr/uI0DB33t9UlJeSxhMLlmBmI8D9 2qQbxLELzQkhUiH7ArxE1hnsS5Dywy1gDoRukZZ7EPjtgQfkjhzVb//SQ0vP/0T+zuta gSvpTmmAT27OWOSsmVLzj3xmls9yKajlD1p3feocxYeb+N8IDb9I+G6e4bAlnykB/0nF fjvypWjYQjf7mNPYkm48SO2MBWTJCLODZ2CjgjpZWhVJxi3pAuVwZShshJsZqvyO89+F XiBw==
X-Gm-Message-State: ALoCoQkSNcnetqcYEl1XSC+Q7zlGEvRl8TUGVKTiS/Hc2fJXhaHc0OPk8bnMAwHGnxHmkUYzNZEx
X-Received: by 10.180.13.209 with SMTP id j17mr1614816wic.18.1398793061238; Tue, 29 Apr 2014 10:37:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.218.198 with HTTP; Tue, 29 Apr 2014 10:37:00 -0700 (PDT)
X-Originating-IP: [63.245.219.54]
In-Reply-To: <535FE210.40909@net.in.tum.de>
References: <86E69268-DC0A-43E7-8CF5-0DAE39FD4FD5@cisco.com> <84C4848E-7843-4372-93AA-C1F017C3E088@cisco.com> <535F6684.1040701@azet.sk> <535FE210.40909@net.in.tum.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 29 Apr 2014 10:37:00 -0700
Message-ID: <CABcZeBOKbtzQZtiWx8p-q41w4tVxVv9rWYvBUubhN_E3cafK3w@mail.gmail.com>
To: Ralph Holz <holz@net.in.tum.de>
Content-Type: multipart/alternative; boundary=001a11c2412e87a5d604f831e31a
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/tUDFI0mLY0mWeiPOEwqrLbIeNt0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Confirming Consensus on supporting only AEAD ciphers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 17:37:45 -0000

On Tue, Apr 29, 2014 at 10:32 AM, Ralph Holz <holz@net.in.tum.de> wrote:

> Hi,
>
> On 04/29/2014 10:44 AM, Fedor Brunner wrote:
>
> > The Mandatory Cipher Suite for TLS 1.2 was
> > TLS_RSA_WITH_AES_128_CBC_SHA. What is the mandatory cipher in TLS
> > 1.3 ?
> >
> > Maybe TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 using Curve25519
> > for ECDHE ?
>
> For current TLS 1.2, the UTA BCP [1] suggests
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. It also asks for
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, and
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 to be supported by implementations.
>
> It might be nice to keep the BCP in line with TLS 1.3 suggestions.
>
> As for the symmetric ciphers... I acknowledge there is resistance
> against GCM due to sidechannel issues, but really, with the current
> combination of encryption and MACs, I see no alternative there bar the
> new stream ciphers.
>

Another alternative would be AES-CTR + HMAC....



> Maybe it's time Peter's draft is finally moved forward - although I
> still object to the use of extensions to indicate encrypt-then-mac.
>

The WGLC for this ended Monday. I would expect Peter to produce a new
draft relatively soon and then we should be able to send it to the IESG.

-Ekr


> (Part of my reasoning is that using extensions complicates the
> protocol, which leads to more complexity in implementations)
>
> Ralph
>
> [1] http://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/?include_text=1
>
> [2] http://tools.ietf.org/html/draft-gutmann-tls-encrypt-then-mac-05
>
> >
> > Fedor
> >
> > On 26.04.2014 17:24, Joseph Salowey (jsalowey) wrote:
> >> The consensus from the IETF-89 meeting holds, TLS 1.3 will only
> >> use record layer protection of type
> > AEAD. The Editor is requested to make the appropriate changes to
> > the draft on github.
> >
> >> Joe [For the chairs] On Mar 26, 2014, at 11:43 AM, Joseph Salowey
> >> (jsalowey)
> > <jsalowey@cisco.com> wrote:
> >
> >>> TLS has supported a number of different cipher types for
> >>> protecting
> > the record layer.   In TLS 1.3 these include Stream Cipher, CBC
> > Block Cipher and AEAD Cipher.  The construction of the CBC mode
> > within TLS has been shown to be flawed and stream ciphers are not
> > generally applicable to DTLS. Using a single mechanism for
> > cryptographic transforms would make security analysis easier.
> > AEAD ciphers can be constructed from stream ciphers and block
> > ciphers and are defined as protocol independent transforms.  The
> > consensus in the room at IETF-89 was to only support AEAD ciphers
> > in TLS 1.3. If you have concerns about this decision please respond
> > on the TLS list by April 11, 2014.
> >>>
> >>> Thanks,
> >>>
> >>> Joe [Speaking for the TLS chairs]
> >>> _______________________________________________ TLS mailing
> >>> list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
> >
> >> _______________________________________________ TLS mailing list
> >> TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
> >
> >
> >
> > _______________________________________________ TLS mailing list
> > TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
> >
>
> --
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>