Re: [TLS] chacha to replace RC4

Manuel Pégourié-Gonnard <mpg@elzevir.fr> Fri, 06 December 2013 16:44 UTC


On 06/12/2013 16:57, Nikos Mavrogiannopoulos wrote:
> A different nonce for each record is mandatory if chacha or salsa20 are
> to be used with DTLS. This has been the case from the first draft we had
> in salsa20. So I think the previous comment is not applicable to the
> draft I posted.
> 
I agree, but perhaps the draft could state that more clearly.

RFC 5246 6.2.3.1 states that

    For stream ciphers that do not use a synchronization vector (such as
    RC4), the stream cipher state from the end of one record is simply
    used on the subsequent packet.

The draft may recall this to emphasize and contrast that Chacha does
use a "synchronisation vector" (the per-record nonce) so that the stream
cipher state from the end of one record is *not* used on the subsequent
packet.

Also, maybe it's just me, but maybe the draft should state explicitly
that the per-record nonce is not meant to be transmitted as part of the
GenericStreamCipher PDU, but computed as mentioned in section 2.1.

Manuel.
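Added example (not from the draft or from this thread) showing the per-record nonce point above in code: each record's keystream starts from a fresh nonce, so a record can be decrypted on its own and the keystream is not a continuation of the previous record's, unlike RC4-style state carry-over. It uses the RFC 7539 ChaCha20 block layout (96-bit nonce, 32-bit counter), and the nonce derivation from the record sequence number is an illustrative assumption, not the draft's section 2.1 construction.

```python
import struct

MASK = 0xffffffff

def _rotl32(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 7539 layout: 256-bit key, 32-bit counter, 96-bit nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
             + [counter] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column rounds, then diagonal rounds)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])

def keystream(key, nonce, length):
    """Keystream for one record: the block counter restarts at 0 because the nonce is fresh per record."""
    blocks = b"".join(chacha20_block(key, i, nonce) for i in range((length + 63) // 64))
    return blocks[:length]

def record_nonce(seq):
    # Illustrative assumption (not the draft's rule): 96-bit nonce = 4 zero bytes || 64-bit
    # big-endian record sequence number. Both peers compute it; it is never sent in the record.
    return b"\x00" * 4 + struct.pack(">Q", seq)

def seal_record(key, seq, plaintext):
    """Encrypt one record under its own nonce; no cipher state survives from earlier records."""
    ks = keystream(key, record_nonce(seq), len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

open_record = seal_record  # XOR with the keystream is its own inverse

def state_is_not_carried_over(key):
    """The point of the mail: record 1's keystream is not the continuation of record 0's."""
    carried = keystream(key, record_nonce(0), 128)[64:]  # what RC4-style continuation would use
    fresh = keystream(key, record_nonce(1), 64)          # what a per-record nonce actually gives
    return carried != fresh
```

Because `open_record` needs only the key and the sequence number, a DTLS receiver can decrypt a record that arrives before its predecessors, which is impossible when the cipher state is carried across records.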