Re: [TLS] Pull Request: Removing the AEAD explicit IV
Adam Langley <agl@imperialviolet.org> Tue, 17 March 2015 18:21 UTC
On Tue, Mar 17, 2015 at 11:06 AM, Michael StJohns <msj@nthpermutation.com> wrote:
> That works for the currently defined pure AEAD modes (CCM/GCM at least,
> haven't looked at chacha). Will that work in all cases for constructed
> AEAD modes? (e.g. where we build an AEAD mode out of an encryption mode and
> an integrity mode and derive the E and I keys from a single key internal to
> the constructed mode - say AES-CBC with CMAC for example). Short answer is
> probably not.

I believe that it will, although I welcome counterexamples.

The AEAD interface requires only a nonce (i.e. unique, but not unpredictable) and, under this proposal, that's all that TLS will provide. CBC modes require an IV (i.e. unpredictable).

If you wished to make an AES-CBC-HMAC-SHA256 AEAD, for example, then you would do something like this:

Define the key length to be twice as large as the AES key and split it internally into a CBC key and an IV key. For each record, generate the IV by AES(key = IV_key, block = nonce), then encrypt the plaintext using CBC with that IV and the CBC key. (And you might need extra key bytes for the HMAC too, but that's beside the point here.)

Basically you can generate the IVs using AES-CTR as a PRNG.

Cheers

AGL
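The AES-CBC-HMAC-SHA256 construction sketched above, as an added example in Go that is not part of the original message or of any TLS implementation: the key is split into CBC, IV and HMAC parts, the per-record CBC IV is derived as AES(IV_key, nonce) so the caller only ever supplies a unique nonce, and encrypt-then-MAC provides the AEAD interface. The 64-byte key layout, the tag computed over aad || nonce || ciphertext and the nonce size are assumptions made here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Assumed key layout: 16-byte CBC key || 16-byte IV key || 32-byte HMAC-SHA256 key.
const KeyLen = 16 + 16 + 32

// deriveIV: IV = AES(IV_key, nonce). The nonce only has to be unique; encrypting it makes the
// IV unpredictable. With a counter nonce this is AES-CTR used as a PRNG (nonce zero-padded to a block).
func deriveIV(ivKey, nonce []byte) []byte {
	b, _ := aes.NewCipher(ivKey) // 16-byte key is guaranteed by the KeyLen check in Seal/Open
	in, iv := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	copy(in, nonce)
	b.Encrypt(iv, in)
	return iv
}

// tag is the encrypt-then-MAC tag over aad || nonce || ciphertext (assumed layout).
func tag(macKey, aad, nonce, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(aad); m.Write(nonce); m.Write(ct)
	return m.Sum(nil)
}

// Seal presents the AEAD interface (key, nonce, aad, plaintext) -> ciphertext || tag; no IV goes on the wire.
func Seal(key, nonce, aad, pt []byte) ([]byte, error) {
	if len(key) != KeyLen || len(nonce) > aes.BlockSize { return nil, errors.New("bad key or nonce length") }
	b, _ := aes.NewCipher(key[:16])
	p := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7 padding, always 1..16 bytes
	ct := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(p)}, p)...)
	cipher.NewCBCEncrypter(b, deriveIV(key[16:32], nonce)).CryptBlocks(ct, ct)
	return append(ct, tag(key[32:], aad, nonce, ct)...), nil
}

// Open verifies the tag (constant time) before decrypting, so padding is never inspected on unauthenticated data.
func Open(key, nonce, aad, sealed []byte) ([]byte, error) {
	n := len(sealed) - sha256.Size
	if len(key) != KeyLen || n < aes.BlockSize || n%aes.BlockSize != 0 { return nil, errors.New("bad key or record length") }
	ct, t := sealed[:n], sealed[n:]
	if !hmac.Equal(t, tag(key[32:], aad, nonce, ct)) { return nil, errors.New("authentication failed") }
	b, _ := aes.NewCipher(key[:16])
	pt := make([]byte, n)
	cipher.NewCBCDecrypter(b, deriveIV(key[16:32], nonce)).CryptBlocks(pt, ct)
	if p := int(pt[n-1]); p >= 1 && p <= aes.BlockSize { return pt[:n-p], nil }
	return nil, errors.New("bad padding")
}
```

Because the IV is a function of the nonce under a secret key, two records with different nonces get unrelated IVs while the receiver can recompute the IV without it being transmitted.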