[TLS] shibboleth and the nonce

Martin Thomson <martin.thomson@gmail.com> Thu, 24 July 2014 18:21 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F05511B27B5 for <tls@ietfa.amsl.com>; Thu, 24 Jul 2014 11:21:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WutKIqYIjOWk for <tls@ietfa.amsl.com>; Thu, 24 Jul 2014 11:21:02 -0700 (PDT)
Received: from mail-we0-x22c.google.com (mail-we0-x22c.google.com [IPv6:2a00:1450:400c:c03::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 557351B2797 for <tls@ietf.org>; Thu, 24 Jul 2014 11:21:02 -0700 (PDT)
Received: by mail-we0-f172.google.com with SMTP id x48so3183029wes.17 for <tls@ietf.org>; Thu, 24 Jul 2014 11:21:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=I8jjl8VIdY34+T9M1ewnSHsR5Zt7nDnAoAw6fl2NyW0=; b=ayZ1+6enROQrAbCChpzFkZVAxNP9yW51wOUFt1CajpANCoRgeQM4be+6vpgLrl0zOn ujazxgviR8zNSpDxvqw+FX9l1JkfvQspzFte0TnCnsLCQ6o3d84pNmsMfqxKdSrIIkV7 pX+7QnugXpQgNhySJq6phavm8VWHFgg6EdoICL7TFAp5ulWVfHDSGFm4Ep94rx/B+Pf1 C1QR1suOnhAlTQJF+eqEoPVwYjQT6EMIn+Km3e0d+P2cL7SF9KOEjeZZUWg+XYJ93ymb fv7Iwm6bTxpusaH+qTmrBdVti8+nGQQosZoPgmLMbDzihCIAfV5EMTU2BtvlVhqXXIbp 9ncg==
MIME-Version: 1.0
X-Received: by 10.194.185.238 with SMTP id ff14mr14911811wjc.9.1406226060920; Thu, 24 Jul 2014 11:21:00 -0700 (PDT)
Received: by 10.194.110.6 with HTTP; Thu, 24 Jul 2014 11:21:00 -0700 (PDT)
Date: Thu, 24 Jul 2014 11:21:00 -0700
Message-ID: <CABkgnnXJ4c6DqZPG+Y5m1BRX+hCjVSg4xi40po4AOuU1F4TFQA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/vfIPeAzLOBqIVWvXxLDVpm8bC5k
Subject: [TLS] shibboleth and the nonce
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jul 2014 18:21:04 -0000

(No, that's not a proposed prog-synth-death-polka band name.)

The arguments around the way that explicit/implicit nonces interact
with certification were, I thought, already exhausted.  So I'd like to
see if some points can be clarified:

As far as I am aware, there are no concrete concerns about implicit
nonces from a straight-up security perspective.  Is that right?

If the concerns are solely around the certification of crypto modules,
then we need more information to be able to make a rational decision
here.

If the static inputs are keys, and the per-record inputs are nonce +
ad + plaintext, I see no problem.

The previous response to suggestions that the nonce was a required
input was to have a counter produce the nonce input, with a matching
counter and validation in the module.

The new information yesterday was that David McGrew suggested that the
nonce needed to be arbitrary.  In that case, do we actually need the
input to be validated?  Does the certification process check that the
module produces different output for different nonces by starting
separate module instances with the same values for all other inputs
(keys, ad, and plaintext) then varying the input nonces?

I'm sure that there are other concerns, but it's hard for me to make
an assessment based on the information made available thus far.