Re: [TLS] AEAD only for TLS1.3 revisit
Michael StJohns <msj@nthpermutation.com> Wed, 01 October 2014 18:15 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D5BB1A1B43 for <tls@ietfa.amsl.com>; Wed, 1 Oct 2014 11:15:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6n8hwa1bPtEE for <tls@ietfa.amsl.com>; Wed, 1 Oct 2014 11:15:33 -0700 (PDT)
Received: from mail-qc0-f171.google.com (mail-qc0-f171.google.com [209.85.216.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D2231A1B40 for <tls@ietf.org>; Wed, 1 Oct 2014 11:15:33 -0700 (PDT)
Received: by mail-qc0-f171.google.com with SMTP id i17so867152qcy.16 for <tls@ietf.org>; Wed, 01 Oct 2014 11:15:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=LUug7t1wGya/+5I3hDYmWihq2Q33sqYGVrCPxLTMPok=; b=WtnaZa4/60qPU0GhzSvc05HAxzqn65K1xh4pVyL9YspJN7u//XFPwHvJbj9AsgL0Pm jM+S7hfb3IDqejuH55vIFuzkLCOzJzuavjnU2yQPHK1cvBR5CAox5GCE3dCZQdG5lDM6 Dsvj2Pr4sSBF/gUbGPGprj4cPUs5Xuita+2zK4z5MVBjw8rrrOhPmmBcFusDUiu1GzWH KQ8Y/2heDMKzGyh0HQoHV/P4BQ3hQwL3IXoh7PwojCDPxr90bpXX5PViyCGyrTXq3IZq b/H7YBq0HOKW/e0KdTQCrjCHHg0Nd5qB8n1NPDR/AcHKbldStYdcN096qnb9/eZ7E3kF xeVQ==
X-Gm-Message-State: ALoCoQmWHNSFaRK24SjUg8ESY0hPCfTTUI8ykIlA85eROgSxsrVKSBid0m4S6bXD+Y+55j6aMBse
X-Received: by 10.229.219.65 with SMTP id ht1mr47207025qcb.2.1412187332397; Wed, 01 Oct 2014 11:15:32 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:226:5d8b:d39a:536a:43ec? ([2601:a:2a00:226:5d8b:d39a:536a:43ec]) by mx.google.com with ESMTPSA id n88sm1243934qge.12.2014.10.01.11.15.31 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 01 Oct 2014 11:15:31 -0700 (PDT)
Message-ID: <542C44CB.6020707@nthpermutation.com>
Date: Wed, 01 Oct 2014 14:15:39 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>
References: <542988C5.8050307@nthpermutation.com> <A46BA862-DEE1-46CF-9193-40D1EAAA14BE@cisco.com> <D05080B2.1ABB6%uri@ll.mit.edu> <44A2498B-D0CB-415C-A1D8-2E362FD8BDF0@cisco.com> <542B450C.5010304@cs.tcd.ie> <542C2D85.7000705@nthpermutation.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D2F8F7B6B@USMBX1.msg.corp.akamai.com> <542C362A.4010802@nthpermutation.com> <c3a437da7cbc50ef1448640f7afcdf82.squirrel@www.trepanning.net>
In-Reply-To: <c3a437da7cbc50ef1448640f7afcdf82.squirrel@www.trepanning.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/v5TEPn-ms5ldNme9rO-AmfajPJU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] AEAD only for TLS1.3 revisit
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2014 18:15:35 -0000
On 10/1/2014 1:36 PM, Dan Harkins wrote: > Hi Mike, Hi Dan - The issue I'm describing is not intractable, just inelegant. There's about 100 different ways of solving it, but most require new TLS1.3 cipher suites. SIV is a possibility, McGrew's draft is a better possibility simply because its further along. Any AEAD mode with key diversity is a candidate. Or we can stick with TLS1.2 or IPSEC or build our own. All are more work than just being able to grab an already existing key. Mike > On Wed, October 1, 2014 10:13 am, Michael StJohns wrote: >> On 10/1/2014 12:47 PM, Salz, Rich wrote: >>> I don’t understand why you can’t sell those customers TLS 1.2. >>> >>> Algebraically, I view >>> >>> TLS 1.3 = TLS 1.2 + various_predefined_extensions – >>> some_crypto_mechanisms + epsilon >>> >>> Is there something so important in that epsilon? Or is it just a case >>> of “we must have the latest”? >>> >>> -- >>> >>> Principal Security Engineer, Akamai Technologies >>> >>> IM: rsalz@jabber.me <mailto:rsalz@jabber.me> Twitter: RichSalz >>> >> Hi Rich - >> >> TLS1.0 and 1.1 are "obsolete" for some value of obsolete. Once TLS1.3 >> is published, TLS1.2 will also be obsolete. That's as much reality as >> marketing and that causes problems with customers doing check box >> requirements. They say "TLS" and they mean "TLS, the latest and >> greatest" and explaining why you're offering TLS1.2 becomes a painful >> and sometimes business losing proposition. >> >> In your equation above, with respect to this thread only, the actual >> problem is not the " + epsilon" but the "- some_crypto_mechanisms" which >> took away all the mechanisms where the integrity key can be isolated >> from the encryption key. Trying to define new AEAD mechanisms that >> provide this capability *AND* make it in to sufficient commercial stacks >> becomes an interesting problem (and frankly a great deal of work in >> TLS1.3 that's not necessary in TLS1.2). > Such an AEAD mechanism has already been defined. RFC 5297 > specifies AES in SIV mode. SIV takes a single key but it is of the "double > wide" variety where the first half is for the integrity check key and the > second half is the encryption key. So it's possible to isolate one half > from the other assuming that the PRF that generated the double wide > key prevents inferring anything about the first half from knowledge > of the second half (I believe that will be the case for TLS 1.3). > > SIV is a perfectly valid AEAD mechanism and is part of the RFC 5116 > registry. You'd just need to specify it as a TLS1.3 cipher suite. > > It would be very regrettable if SIV became known as the "escrowed > AEAD mode" especially as it has other highly desirable properties, like not > requiring a counter and being robust in the presence of counter misuse, > if one is provided. On the other hand, it's likely that the people requiring > this kind of snooping are some of the very same people that really dislike > SIV mode (and oppose its adoption in standards) so maybe this would be > justice of the poetic kind. > > Be that as it may, I think SIV solves your problem. > > regards, > > Dan. > >> We may end up with TLS1.2, or with another IETF security protocol >> (IPSEC?) or even with something proprietary. >> >> The discussion really is about how we're making a number of structural >> changes to TLS in the TLS1.3 draft. Some of them have interesting and >> possibly unintended consequences (cf the discussion on encrypting the >> handshake with respect to encrypting the SNI extension; or the >> discussion about doing the hash of the handshake mixin with key >> derivation interacting badly with the desire for 1rtt); this particular >> change had an unintended consequence that didn't come to light (at least >> for me) until I got a specific request and tried to figure out how to >> satisfy it. >> >> Later, Mike >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > >
- [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Martin Thomson
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Stephen Farrell
- Re: [TLS] AEAD only for TLS1.3 revisit Nikos Mavrogiannopoulos
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Dan Harkins
- Re: [TLS] AEAD only for TLS1.3 revisit Ilari Liusvaara
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann
- Re: [TLS] AEAD only for TLS1.3 revisit Hubert Kario
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann