Re: [TLS] Confirming Consensus on supporting only AEAD ciphers

[Eric Rescorla <ekr@rtfm.com>]

On Tue, Apr 29, 2014 at 10:32 AM, Ralph Holz <holz@net.in.tum.de> wrote:

> Hi,
>
> On 04/29/2014 10:44 AM, Fedor Brunner wrote:
>
> > The Mandatory Cipher Suite for TLS 1.2 was
> > TLS_RSA_WITH_AES_128_CBC_SHA. What is the mandatory cipher in TLS
> > 1.3 ?
> >
> > Maybe TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 using Curve25519
> > for ECDHE ?
>
> For current TLS 1.2, the UTA BCP [1] suggests
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. It also asks for
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, and
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 to be supported by implementations.
>
> It might be nice to keep the BCP in line with TLS 1.3 suggestions.
>
> As for the symmetric ciphers... I acknowledge there is resistance
> against GCM due to sidechannel issues, but really, with the current
> combination of encryption and MACs, I see no alternative there bar the
> new stream ciphers.
>

Another alternative would be AES-CTR + HMAC....



> Maybe it's time Peter's draft is finally moved forward - although I
> still object to the use of extensions to indicate encrypt-then-mac.
>

The WGLC for this ended Monday. I would expect Peter to produce a new
draft relatively soon and then we should be able to send it to the IESG.

-Ekr


> (Part of my reasoning is that using extensions complicates the
> protocol, which leads to more complexity in implementations)
>
> Ralph
>
> [1] http://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/?include_text=1
>
> [2] http://tools.ietf.org/html/draft-gutmann-tls-encrypt-then-mac-05
>
> >
> > Fedor
> >
> > On 26.04.2014 17:24, Joseph Salowey (jsalowey) wrote:
> >> The consensus from the IETF-89 meeting holds, TLS 1.3 will only
> >> use record layer protection of type
> > AEAD. The Editor is requested to make the appropriate changes to
> > the draft on github.
> >
> >> Joe [For the chairs] On Mar 26, 2014, at 11:43 AM, Joseph Salowey
> >> (jsalowey)
> > <jsalowey@cisco.com> wrote:
> >
> >>> TLS has supported a number of different cipher types for
> >>> protecting
> > the record layer.   In TLS 1.3 these include Stream Cipher, CBC
> > Block Cipher and AEAD Cipher.  The construction of the CBC mode
> > within TLS has been shown to be flawed and stream ciphers are not
> > generally applicable to DTLS. Using a single mechanism for
> > cryptographic transforms would make security analysis easier.
> > AEAD ciphers can be constructed from stream ciphers and block
> > ciphers and are defined as protocol independent transforms.  The
> > consensus in the room at IETF-89 was to only support AEAD ciphers
> > in TLS 1.3. If you have concerns about this decision please respond
> > on the TLS list by April 11, 2014.
> >>>
> >>> Thanks,
> >>>
> >>> Joe [Speaking for the TLS chairs]
> >>> _______________________________________________ TLS mailing
> >>> list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
> >
> >> _______________________________________________ TLS mailing list
> >> TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
> >
> >
> >
> > _______________________________________________ TLS mailing list
> > TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
> >
>
> --
> Ralph Holz
> I8 - Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
> Phone +49.89.289.18043
> PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>