Re: [TLS] consensus on adopting draft-mcgrew-tls-aes-ccm and draft-mcgrew-tls-aes-ccm-ecc
Robert Cragie <robert.cragie@gridmerge.com> Tue, 06 December 2011 18:29 UTC
Return-Path: <robert.cragie@gridmerge.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78C7D21F8C0E for <tls@ietfa.amsl.com>; Tue, 6 Dec 2011 10:29:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_21=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dcx-VwWAguR9 for <tls@ietfa.amsl.com>; Tue, 6 Dec 2011 10:29:36 -0800 (PST)
Received: from mail78.extendcp.co.uk (mail78.extendcp.co.uk [79.170.40.78]) by ietfa.amsl.com (Postfix) with ESMTP id 6D7C321F8801 for <tls@ietf.org>; Tue, 6 Dec 2011 10:29:36 -0800 (PST)
Received: from client-86-27-10-250.glfd.adsl.virginmedia.com ([86.27.10.250] helo=[192.168.0.2]) by mail78.extendcp.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) id 1RXzlm-0000zr-L6; Tue, 06 Dec 2011 18:29:35 +0000
Message-ID: <4EDE5F1E.2030605@gridmerge.com>
Date: Tue, 06 Dec 2011 18:29:50 +0000
From: Robert Cragie <robert.cragie@gridmerge.com>
Organization: Gridmerge Ltd.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: Rene Struik <rstruik.ext@gmail.com>, tls@ietf.org
References: <CAFD209E.DF10%d.sturek@att.net> <4ED7EA82.2080407@gmail.com>
In-Reply-To: <4ED7EA82.2080407@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms030100030506080007060107"
X-Authenticated-As: robert.cragie@gridmerge.com
Subject: Re: [TLS] consensus on adopting draft-mcgrew-tls-aes-ccm and draft-mcgrew-tls-aes-ccm-ecc
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert.cragie@gridmerge.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2011 18:29:37 -0000
Hi Rene, Comments inline, bracketed by <RCC></RCC> Robert On 01/12/2011 8:58 PM, Rene Struik wrote: > Dear colleagues: > > Just a short note (I will have to review the cross-referenced four or so > RFCs later): > > 1) to my knowledge, for relatively short frames (a few times the size of > the underlying block cipher), > the GCM mode of operation is *not* "significantly faster" than the CCM > mode of operation. > > 2) 802.15.4-2011 (or 802.15.4-2006 for that matter) does use the CCM* > mode of operation, where > the nonce format is incompatible with that specified in the RFC 5116 or > the mcgrew-tls-aes-ccm draft. > > Given #2 above, it seems that reference to 802.15.4's use of CCM is > somewhat inopportune. <RCC>Not necessarily - it depends on the implementation of AES-CCM or AES-CCM*.</RCC> > Moreover, from > Don Sturek's note below, it seems that the Joe Salovey's note that > "Zigbee smart energy group has > interest in these drafts" should be taken with some grain of salt > (lukewarm interest at most, so it seems [if one > really wished to have had another cipher (on technical grounds???), then > one missed a window of opportunity > 802.15.4 TG4i issued very recently and 802.15.4 TGe just went to RevCom]). <RCC>I am not sure what your point is. The fact is we are using these drafts in efficient ZigBee IP implementations based on current technology.</RCC> > > On a more detailed technical note, > > a) how does one assure that nonces used by different entities never > clash if they use a > shared key for securing network traffic? (a scenario prevalent in lots > of ZigBee, RoLL, etc. scenarios). <RCC>I would say this is somewhat out of scope for a TLS specification but the situation exists for GCM as well and is covered in RFC 5116 for both GCM and CCM</RCC> > > b) I am curious as to whether the design in mcgrew-tls-aes-ccm allows > for reuse of keying material accross > layers, so as to economize on key storage and key management overhead? > (given that devices should be > assumed to have intra-device open trust domain, this seems feasible. I > am concerned the current draft may > kill off this prospect). <RCC>I think the question is more whether it would preclude it and the answer is IMHO no.</RCC> > > Based on the above, I am somewhat critical as to why this should be > pushed, certainly as a standard-track > document. <RCC>The aim was to align with the two GCM documents, i.e. align draft-mcgrew-tls-aes-ccm with RFC 5288 (standards track) and draft-mcgrew-tls-aes-ccm-ecc with RFC 5289 (informational). This seems reasonable as they are equivalent</RCC> > > Most of these arguments I have made before, but did not see addressed. > > I will provide more technical feedback later on, but prior to the > suggested December 15th deadline. > > Best regards, Rene > > On 01/12/2011 3:20 PM, Don Sturek wrote: >> Hi Dan, >> >> While ZigBee does specify AES-CCM* in their *commercial* specification, I >> would say the general problem is that IEEE 802.15.4 (which ZigBee uses) >> specifies AES-CCM and nearly all silicon vendors have that (not CCM*) >> available. If we could somehow get those implementations to switch to >> GCM, I don't think we would be asking for adoption of AES-CCM. That said, >> for the IEEE 802.15.4 devices already manufactured and in those in the >> field, either we try to align the use of TLS with what is available >> hardware wise or else bypass the AES-CCM engine in those parts and >> implement GCM in software..... >> >> Don >> >> >> >> >> On 12/1/11 12:01 PM, "Dan Harkins"<dharkins@lounge.org> wrote: >> >>> On Wed, November 30, 2011 1:34 pm, Joe Salowey wrote: >>>> The chairs would like to see if there is consensus in the TLS working >>>> group to adopt draft-mcgrew-tls-aes-ccm and draft-mcgrew-tls-aes-ccm-ecc >>>> as working group items. These drafts define AES-CCM cipher suites for >>>> TLS. The Zigbee smart energy group has interest in these drafts. >>>> These >>>> drafts only deal with a AES-CCM and not with Zigbee's AES-CCM* which is >>>> a >>>> super set of AES-CCM. The authors are requesting standards track for >>>> these ciphers. Please note that there is an IPR declaration listed for >>>> draft-mcgrew-tls-aes-ccm-ecc available here: >>>> https://datatracker.ietf.org/ipr/1443/. This declaration has been >>>> updated >>>> from previous declarations. Please respond to the following by >>>> December >>>> 14, 2011 : >>>> >>>> - Do you object to taking these drafts on as working group items? >>>> (Please >>>> state the reason for you objection) >>> No. >>> >>>> - Would you contribute time to review and provide text for the documents >>>> when needed? >>> Yes. >>> >>>> - Do you object to standards track status for these documents?(Please >>>> state the reason for you objection) >>> I have a mild objection. There is no point in doing CCM. GCM is faster, >>> if you're gonna implement an AEAD scheme implement GCM. If you really want >>> a 2-pass AEAD scheme you can use RFC 5297 and you get misuse-resistance >>> for free (basically the security of the mode does not collapse if you >>> reuse a nonce/counter). The only group I know pushing CCM is actually >>> pushing CCM* and, as you note, this isn't CCM*. >>> >>> Dan. >>> >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >
- [TLS] consensus on adopting draft-mcgrew-tls-aes-… Joe Salowey
- Re: [TLS] consensus on adopting draft-mcgrew-tls-… Yoav Nir
- Re: [TLS] consensus on adopting draft-mcgrew-tls-… Don Sturek
- Re: [TLS] consensus on adopting draft-mcgrew-tls-… Peter Gutmann
- [TLS] 答复: consensus on adopting draft-mcgrew-tls-… zhou.sujing
- Re: [TLS] consensus on adopting draft-mcgrew-tls-… Nikos Mavrogiannopoulos
- Re: [TLS] consensus on adopting draft-mcgrew-tls-… Dan Harkins
- Re: [TLS] consensus on adopting draft-mcgrew-tls-… Don Sturek
- Re: [TLS] consensus on adopting draft-mcgrew-tls-… Rene Struik
- Re: [TLS] consensus on adopting draft-mcgrew-tls-… Robert Cragie
- Re: [TLS] consensus on adopting draft-mcgrew-tls-… Martin Rex
- Re: [TLS] consensus on adopting draft-mcgrew-tls-… Robert Cragie