[TLS] MTI suite (was Re: Inclusion of OCB mode in TLS 1.3)
Watson Ladd <watsonbladd@gmail.com> Thu, 15 January 2015 05:14 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CDAB1B2ADA for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 21:14:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ud94rsEThXfC for <tls@ietfa.amsl.com>; Wed, 14 Jan 2015 21:14:49 -0800 (PST)
Received: from mail-yh0-x229.google.com (mail-yh0-x229.google.com [IPv6:2607:f8b0:4002:c01::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8833F1ACEF6 for <tls@ietf.org>; Wed, 14 Jan 2015 21:14:49 -0800 (PST)
Received: by mail-yh0-f41.google.com with SMTP id a41so6418640yho.0 for <tls@ietf.org>; Wed, 14 Jan 2015 21:14:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=yu+N3JXE0suJh0GoHm33DWiltF9/Wv/UwMeJWTXC0yk=; b=amM47bppPZ6kqUaZMlYf7xuF2iopu9INeJTQfkpBCJ4AS7uK99PWWECBgvwJBpNniI 0D7Zck3QrOvqb0zi1mfSuBmXZ3oyuSxpGwYj0M0DuppNhCwffvQ6Q4TYy4/z7ziUcODt OqF+bqScb7bkdH5d6iFMOnrhCaP2gcojOKR0Eg9f8FvzzzKAbKxVaEV49XsFFB5JGfZq ZHyUJlyFdiT4Nlzn3xs7qQ6wRlL+K8VDiRatsoj/3Ju2osb+am5kF+/P1ZmFUwROQQpi WEfRnZisNN3aDb8HPNvqU99+FPVwvO8cS6LOKqo/XcHgc+qQR1FR0t+vS8In85Xj55P4 P+qg==
MIME-Version: 1.0
X-Received: by 10.236.63.6 with SMTP id z6mr4688578yhc.65.1421298888693; Wed, 14 Jan 2015 21:14:48 -0800 (PST)
Received: by 10.170.207.6 with HTTP; Wed, 14 Jan 2015 21:14:48 -0800 (PST)
Date: Wed, 14 Jan 2015 21:14:48 -0800
Message-ID: <CACsn0ckaNWPQvGM-SpRAQtBwiTPnjSTyRWi6GMyGEwHS5O9bsg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/uiXxuHIQPVgVd5y1Bo2fSAfTyvQ>
Cc: TLS Mailing List <tls@ietf.org>
Subject: [TLS] MTI suite (was Re: Inclusion of OCB mode in TLS 1.3)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jan 2015 05:14:51 -0000
On Wed, Jan 14, 2015 at 9:02 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Wed, Jan 14, 2015 at 6:46 AM, Aaron Zauner <azet@azet.org> wrote: >> >> Hi Stephen, >> >> Stephen Farrell wrote: >> > <no-hats> >> > >> > On 13/01/15 18:25, Paul Lambert wrote: >> >> This should not stop inclusion of OCB as an optional mode in TLS, >> > >> > I don't get why additional options are at all attractive. In >> > fact, I think they're ugly. >> > >> > TLS has about 327 ciphersuites. That's just stupid. (I'm not >> > saying any person is stupid there btw, but we have gotten >> > ourselves into a stupid place.) >> >> Yup. Having different naming schemes for different >> libraries/implementations beyond that makes it almost impossible to give >> good recommendations to end-users (admins, management) as we've noticed >> in the bettercrypto.org project. >> >> > >> > If we have a really better thing, they why not make it MTI? If >> > we do not have something sufficiently better then I'd argue to >> > exclude as much as possible, and certainly against adding >> > anything that is just nice to have. >> > >> > I'd even like to make almost all current ciphersuites a MUST NOT >> > (or start a new registry) for TLS1.3 and to not add any new >> > ciphersuites at all, and just stick with two MTI ciphersuites >> > that are as genetically different as possible and cover as many >> > implementations (h/w AES or not) as possible. >> > >> > So my suggestion is to reduce the ciphersuite field to be >> > 2 bits wide in TLS 1.3, with 00 being default, 01 backup, 02 >> > being "proprietary" and 03 reserved. If either 00 or 01 needs >> > to be changed then I'd say rev the TLS version. (I don't care >> > if we did s/default/has-AES-hw/ and s/backup/just-sw-crypto/ >> > that'd also be fine.) >> > >> > And yes, I realise that's not likely to get traction, but >> > turning 327 into 427 is even dumber when reality shows that >> > only a few of 'em are used or needed. >> >> Just as a suggestion, how about a document that does only include >> forward-secret cipher-suites that are valid for TLS 1.3? That would >> drastically remove the number of OCB ciphersuites that I would have to >> add in case of TLS 1.2. >> >> One issue though: as far as I can tell (from the recent RWC presentation >> by EKR) there are still going to be three block ciphers in TLS 1.3: AES, >> CAMELLIA, ARIA. > > > To be clear, this is just a statement of fact. I.e., TLS 1.3 can only be > used > with AEAD and these are the AEAD ciphers that are presently defined. > The WG could adopt more AEAD ciphers or conversely, remove ones that > currently exist. > > Speaking only for myself, it seems like AES-GCM is the leading candidate > for the MTI for TLS 1.3, based on the fact that it's the most common > AEAD algorithm with 1.2. In my view that may be mistake. AES-CCM is supportable everywhere with AES, while AES-GCM requires hardware multiplier support, which in the embedded world can be less common. AES-GCM as MTI creates an effective lower bound on devices that is quite high. The range of hardware that can support it securely and efficiently is very narrow. ChaCha20-Poly1305 is rare, but easy to support everywhere. We have a similar balancing act with respect to ECC, although there P256 is a much more obvious seeming choice. Sincerely, Watson Ladd > > -Ekr > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin