IETF Logo Mail Archive

Re: [TLS] AEAD only for TLS1.3 revisit

Michael StJohns <msj@nthpermutation.com> Wed, 01 October 2014 18:15 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D5BB1A1B43 for <tls@ietfa.amsl.com>; Wed, 1 Oct 2014 11:15:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6n8hwa1bPtEE for <tls@ietfa.amsl.com>; Wed, 1 Oct 2014 11:15:33 -0700 (PDT)
Received: from mail-qc0-f171.google.com (mail-qc0-f171.google.com [209.85.216.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D2231A1B40 for <tls@ietf.org>; Wed, 1 Oct 2014 11:15:33 -0700 (PDT)
Received: by mail-qc0-f171.google.com with SMTP id i17so867152qcy.16 for <tls@ietf.org>; Wed, 01 Oct 2014 11:15:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=LUug7t1wGya/+5I3hDYmWihq2Q33sqYGVrCPxLTMPok=; b=WtnaZa4/60qPU0GhzSvc05HAxzqn65K1xh4pVyL9YspJN7u//XFPwHvJbj9AsgL0Pm jM+S7hfb3IDqejuH55vIFuzkLCOzJzuavjnU2yQPHK1cvBR5CAox5GCE3dCZQdG5lDM6 Dsvj2Pr4sSBF/gUbGPGprj4cPUs5Xuita+2zK4z5MVBjw8rrrOhPmmBcFusDUiu1GzWH KQ8Y/2heDMKzGyh0HQoHV/P4BQ3hQwL3IXoh7PwojCDPxr90bpXX5PViyCGyrTXq3IZq b/H7YBq0HOKW/e0KdTQCrjCHHg0Nd5qB8n1NPDR/AcHKbldStYdcN096qnb9/eZ7E3kF xeVQ==
X-Gm-Message-State: ALoCoQmWHNSFaRK24SjUg8ESY0hPCfTTUI8ykIlA85eROgSxsrVKSBid0m4S6bXD+Y+55j6aMBse
X-Received: by 10.229.219.65 with SMTP id ht1mr47207025qcb.2.1412187332397; Wed, 01 Oct 2014 11:15:32 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:226:5d8b:d39a:536a:43ec? ([2601:a:2a00:226:5d8b:d39a:536a:43ec]) by mx.google.com with ESMTPSA id n88sm1243934qge.12.2014.10.01.11.15.31 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 01 Oct 2014 11:15:31 -0700 (PDT)
Message-ID: <542C44CB.6020707@nthpermutation.com>
Date: Wed, 01 Oct 2014 14:15:39 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>
References: <542988C5.8050307@nthpermutation.com> <A46BA862-DEE1-46CF-9193-40D1EAAA14BE@cisco.com> <D05080B2.1ABB6%uri@ll.mit.edu> <44A2498B-D0CB-415C-A1D8-2E362FD8BDF0@cisco.com> <542B450C.5010304@cs.tcd.ie> <542C2D85.7000705@nthpermutation.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D2F8F7B6B@USMBX1.msg.corp.akamai.com> <542C362A.4010802@nthpermutation.com> <c3a437da7cbc50ef1448640f7afcdf82.squirrel@www.trepanning.net>
In-Reply-To: <c3a437da7cbc50ef1448640f7afcdf82.squirrel@www.trepanning.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/v5TEPn-ms5ldNme9rO-AmfajPJU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] AEAD only for TLS1.3 revisit
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2014 18:15:35 -0000

On 10/1/2014 1:36 PM, Dan Harkins wrote:
>    Hi Mike,
Hi Dan -

The issue I'm describing is not intractable, just inelegant. There's 
about 100 different ways of solving it, but most require new TLS1.3 
cipher suites.  SIV is a possibility, McGrew's draft is a better 
possibility simply because its further along.  Any AEAD mode with key 
diversity is a candidate. Or we can stick with TLS1.2 or IPSEC  or build 
our own.   All are more work than just being able to grab an already 
existing key.

Mike


> On Wed, October 1, 2014 10:13 am, Michael StJohns wrote:
>> On 10/1/2014 12:47 PM, Salz, Rich wrote:
>>> I don’t understand why you can’t sell those customers TLS 1.2.
>>>
>>> Algebraically, I view
>>>
>>> TLS 1.3 = TLS 1.2 + various_predefined_extensions –
>>> some_crypto_mechanisms + epsilon
>>>
>>> Is there something so important in that epsilon? Or is it just a case
>>> of “we must have the latest”?
>>>
>>> --
>>>
>>> Principal Security Engineer, Akamai Technologies
>>>
>>> IM: rsalz@jabber.me <mailto:rsalz@jabber.me> Twitter: RichSalz
>>>
>> Hi Rich -
>>
>> TLS1.0 and 1.1 are "obsolete" for some value of obsolete.  Once TLS1.3
>> is published, TLS1.2 will also be obsolete.  That's as much reality as
>> marketing and that causes problems with customers doing check box
>> requirements.  They say "TLS" and they mean "TLS, the latest and
>> greatest" and explaining why you're offering TLS1.2 becomes a painful
>> and sometimes business losing proposition.
>>
>> In your equation above, with respect to this thread only, the actual
>> problem is not the " + epsilon" but the "- some_crypto_mechanisms" which
>> took away all the mechanisms where the integrity key can be isolated
>> from the encryption key.  Trying to define new AEAD mechanisms that
>> provide this capability *AND* make it in to sufficient commercial stacks
>> becomes an interesting problem (and frankly a great deal of work in
>> TLS1.3 that's not necessary in TLS1.2).
>    Such an AEAD mechanism has already been defined. RFC 5297
> specifies AES in SIV mode. SIV takes a single key but it is of the "double
> wide" variety where the first half is for the integrity check key and the
> second half is the encryption key. So it's possible to isolate one half
> from the other assuming that the PRF that generated the double wide
> key prevents inferring anything about the first half from knowledge
> of the second half (I believe that will be the case for TLS 1.3).
>
>    SIV is a perfectly valid AEAD mechanism and is part of the RFC 5116
> registry. You'd just need to specify it as a TLS1.3 cipher suite.
>
>    It would be very regrettable if SIV became known as the "escrowed
> AEAD mode" especially as it has other highly desirable properties, like not
> requiring a counter and being robust in the presence of counter misuse,
> if one is provided. On the other hand, it's likely that the people requiring
> this kind of snooping are some of the very same people that really dislike
> SIV mode (and oppose its adoption in standards) so maybe this would be
> justice of the poetic kind.
>
>    Be that as it may, I think SIV solves your problem.
>
>    regards,
>
>    Dan.
>
>> We may end up with TLS1.2, or with another IETF security protocol
>> (IPSEC?) or even with something proprietary.
>>
>> The discussion really is about how we're making a number of structural
>> changes to TLS in the TLS1.3 draft.  Some of them have interesting and
>> possibly unintended consequences (cf the discussion on encrypting the
>> handshake with respect to encrypting the SNI extension; or the
>> discussion about doing the hash of the handshake mixin with key
>> derivation interacting badly with the desire for 1rtt); this particular
>> change had an unintended consequence that didn't come to light (at least
>> for me) until I got a specific request and tried to figure out how to
>> satisfy it.
>>
>> Later, Mike
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>

v2.23.0 | Report a Bug | By Email