IETF Logo Mail Archive

Re: [TLS] Comments on

nisse@lysator.liu.se (Niels Möller ) Fri, 14 February 2014 08:42 UTC

Return-Path: <nisse@lysator.liu.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D2F11A0136 for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 00:42:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.019
X-Spam-Level:
X-Spam-Status: No, score=-1.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hgB5zA5w2Ryx for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 00:42:44 -0800 (PST)
Received: from bacon.lysator.liu.se (bacon.lysator.liu.se [IPv6:2001:6b0:17:f0a0::ce]) by ietfa.amsl.com (Postfix) with ESMTP id 08CA41A014C for <tls@ietf.org>; Fri, 14 Feb 2014 00:42:43 -0800 (PST)
Received: from bacon.lysator.liu.se (localhost [127.0.0.1]) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5) with ESMTP id s1E8gS0f004574; Fri, 14 Feb 2014 09:42:28 +0100 (MET)
Received: (from nisse@localhost) by bacon.lysator.liu.se (8.14.5+Sun/8.14.5/Submit) id s1E8gOnG004573; Fri, 14 Feb 2014 09:42:24 +0100 (MET)
X-Authentication-Warning: bacon.lysator.liu.se: nisse set sender to nisse@lysator.liu.se using -f
From: nisse@lysator.liu.se
To: Adam Langley <agl@google.com>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se> <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com>
Date: Fri, 14 Feb 2014 09:42:23 +0100
In-Reply-To: <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com> (Adam Langley's message of "Thu, 13 Feb 2014 10:52:42 -0500")
Message-ID: <nna9dum6fk.fsf@bacon.lysator.liu.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (usg-unix-v)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/v0DYiBXyMsjhiOoc6y1269SbMN8
X-Mailman-Approved-At: Fri, 14 Feb 2014 06:48:52 -0800
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 08:42:47 -0000

Adam Langley <agl@google.com> writes:

> On Thu, Feb 13, 2014 at 5:11 AM, Niels Möller <nisse@lysator.liu.se> wrote:
>> 1. It would be nice with a couple of additional test cases for
>>    AEAD_CHACHA20_POLY1305. In particular for the corner cases of empty
>>    associated data and/or empty plaintext.
>
> Ack. Yoav pulled out the AEAD bit into
> https://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-01 so
> that it's not TLS specific and that's probably the place for this now.

Thanks for the pointer. This specifies a 96-bit nonce, both for chacha
and chacha20-poly1305. I'm a bit confused by the different definition
of chacha, with a 32-bit counter and 96-bit nonce, rather than 64 bits
each like in the chacha spec.

This discrepancy gives me the feeling that I definitely should consider
my implementation as experimental, and not promise any compatibility
until the dust settles.

> (The lengths were originally prefixes of the data. wtc suggested
> moving them to the end so that the AEAD could be computed without
> knowing the length of the data apriori. Although this does lead to the
> possibility of "streaming" APIs which I would discourage as they
> release unauthenticated plaintext and force others to also.)

I agree that most applications shouldn't use streaming operation, at
least for decryption. But I also think there are valid usecases for
streaming operation, e.g., processing a large file where you really want
a single indication of autenticity for the complete file. In GNU Nettle,
which is a general purpose but pretty low level crypto library, I'd like
to support aead streaming operation whenever possible.

>>    At least in my implementantation, the length(ad) field causes some
>>    additional complexity, so
>
> Could you elaborate on why knowing the length of the AD is problematic?

Knowing it is not a problem, but inserting it at that place in the
poly1305 input is an annoyingly large proportion of the implementation,
even if the total code size and complexity is pretty small.

I have a low-level streaming interface (I'm considering adding a less
general but more easy to use interface on top), with basically these
functions for encryption (decryption is similar), to be called in order:

set_key
  set_nonce         (one or more times per key)
    update          (process ad, zero or more times per nonce)
    encrypt         (process plaintext, zero or more times per nonce
  digest            (produce the authentication tag, once per nonce)

Note that to keep this interface simple, there's no explicit function to
mark the end of the ad; calling either of encrypt or digest implies the
end of the associated data.

Doing a final length field is very straighforward, it is added
unconditionally by the digest function. However, inserting the ad
length, between the ad and the crypto text, gets a bit more scattered.
If encrypt is ever called, inserting the ad length has to be done for
the first call to encrypt (or more precisely, I do it on the first call
to encrypt providing a non-empty segment of plaintext, since for the
bookkeeping I need to ensure that the ad length has been inserted if and
only if the amount of processed plaintext is non-zero). But in case
plaintext is empty, the ad length instead has to be inserted by the
digest function.

For some numbers, my current implementation is 101 non-comment lines of
C (on top of chacha and poly1305 building blocks). Of those, 20% of the
lines and 80% of the if statements are for the insertion of the ad
length.

See
https://git.lysator.liu.se/nettle/nettle/blobs/master/chacha-poly1305.c

(And I'm currently *not* confident that this code is correct, since I
lack tests for the corner cases).

> I suspect that some folks will want reduced round variants since it's
> faster and the reduced round versions are holding up to analysis.

I see. Vaguely related question: Do you see any need for 128-bit chacha
keys? They're not really in the very short chacha paper, but they are in
the reference implementation.

Wan-Teh Chang <wtc@google.com> writes:

> draft-agl-tls-chacha20poly1305 has been merged into
> http://tools.ietf.org/html/draft-mavrogiannopoulos-chacha-tls-01. But
> the specification of the ChaCha20-Poly1305 AEAD cipher suites did not
> change.

Thanks for the pointer. And here, chacha and chacha-poly1305 are both
specified with a 64-bit nonce.

> I'm also curious to know why. What about
>
>     ad | cryptotext | length(ad)

Adequately explained above, I hope. And the variant you propose should
be as nice and simple to implement as ad | cryptotext | length(cryptotext). Or
for that matter, 

  ad | cryptotext | length(ad) | length(cryptotext)

with both lenghts at the end, if for some reason including both length
fields really is desirable.

Regards, 
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

v2.23.0 | Report a Bug | By Email