Re: [TLS] Consensus call on Implicit IV for AEAD
Martin Thomson <martin.thomson@gmail.com> Mon, 06 April 2015 16:24 UTC
From: Martin Thomson <martin.thomson@gmail.com>
To: Brian Smith <brian@briansmith.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/yDFuKvmX3aKC5wygCZ8jJWYP_G0>
Cc: "tls@ietf.org" <tls@ietf.org>
On 3 April 2015 at 20:17, Brian Smith <brian@briansmith.org> wrote:
> a clear record of my objection to the
> zero-padding mechanism on the mailing list,

For the record then, the objection was this:

If you are concerned that someone might spend a large amount of computing resources (2^60+ iterations) to gain themselves a reasonable chance of decrypting a randomly selected session from a similar-sized set of sessions, pick a stronger cipher.

There's a history of attempting to paper over perceived weaknesses in the crypto we use. I get the belt and braces approach here, but I'd rather see us develop stronger constructions (ChaCha+Poly uses a longer key, for example). If the complaint is specific to AES-GCM, I see nothing stopping someone from proposing AES-GCMv2 that operates on extra keying material internally in order to make the IV unpredictable. I'd rather keep the nonce sane, though; it keeps it easy to reason about the construction.
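The nonce construction this thread argues over, as an added example that is not code from the thread or from any TLS implementation. It follows the shape TLS 1.3 eventually standardized (RFC 8446, section 5.3): a per-connection write_iv derived from the traffic secret, and a per-record nonce formed by zero-padding the 64-bit sequence number to the IV length and XORing it into write_iv. The HKDF label, the traffic secrets and the session set below are constructed for illustration; the two helper functions show why the per-connection mask matters for the multi-session concern raised above, since without it every session's record 0 shares one nonce.

```python
"""Implicit AEAD nonce construction: nonce = write_iv XOR zero_pad(seq).

Added example (stdlib only). HKDF label and secrets are assumptions made
for the demonstration, not values from the TLS working group thread.
"""
import hashlib
import hmac

IV_LEN = 12          # AES-GCM and ChaCha20-Poly1305 nonce length in bytes
SEQ_MAX = 2**64 - 1  # record sequence numbers are 64-bit


def hkdf_expand(prk, info, length):
    """RFC 5869 HKDF-Expand with SHA-256 (enough for deriving a short IV)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_write_iv(traffic_secret):
    """Per-connection IV from the traffic secret.

    The label is an assumption for this example; TLS 1.3 uses
    HKDF-Expand-Label with the label "iv".
    """
    return hkdf_expand(traffic_secret, b"example iv", IV_LEN)


def implicit_nonce(write_iv, seq):
    """Zero-padding mechanism: left-pad the 64-bit seq to IV_LEN, XOR into write_iv.

    Rejects an exhausted sequence space instead of wrapping, because a repeated
    nonce under the same key is fatal for both AES-GCM and ChaCha20-Poly1305.
    """
    if not 0 <= seq <= SEQ_MAX:
        raise ValueError("sequence number exhausted; rekey before sending")
    padded = seq.to_bytes(IV_LEN, "big")  # high 4 bytes are the zero padding
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def session_nonces(traffic_secret, count):
    """Nonces a single connection would use for its first `count` records."""
    iv = derive_write_iv(traffic_secret)
    return [implicit_nonce(iv, s) for s in range(count)]


def nonces_at_seq(traffic_secrets, seq, masked=True):
    """Nonce each session uses at one sequence number.

    masked=True applies the secret-derived write_iv; masked=False models a
    bare zero-padded counter, where every session shares the same nonce at a
    given seq and an attacker can precompute against that single nonce.
    """
    nonces = []
    for secret in traffic_secrets:
        iv = derive_write_iv(secret) if masked else bytes(IV_LEN)
        nonces.append(implicit_nonce(iv, seq))
    return nonces


if __name__ == "__main__":
    # Constructed session secrets for three independent connections.
    sessions = [b"session-secret-A", b"session-secret-B", b"session-secret-C"]
    print("distinct nonces at seq 0, unmasked:", len(set(nonces_at_seq(sessions, 0, masked=False))))
    print("distinct nonces at seq 0, masked:  ", len(set(nonces_at_seq(sessions, 0))))
    print("first nonce of session A:", session_nonces(sessions[0], 1)[0].hex())
```

Within one connection the nonces are unique because the sequence number is; across connections they differ only because of the masking IV, which is the property the thread is weighing against the cost of a less transparent construction.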