Re: [TLS] Consensus call on Implicit IV for AEAD

Martin Thomson <martin.thomson@gmail.com> Mon, 06 April 2015 16:24 UTC

In-Reply-To: <CAFewVt6fL2sty8E=kOaykynhH8i0Mf52Aqypt-iFS8F_SWZMaQ@mail.gmail.com>
References: <CAOgPGoCW-znnh5VFobCFjZafxEOcwsaHZ_eByTwpCpmqfgX=6Q@mail.gmail.com> <CAFewVt6fL2sty8E=kOaykynhH8i0Mf52Aqypt-iFS8F_SWZMaQ@mail.gmail.com>
Date: Mon, 06 Apr 2015 09:24:09 -0700
Message-ID: <CABkgnnW_OosREEtny02D2-2Ycm2XEPh80X8rwG82crnom-qdfw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Brian Smith <brian@briansmith.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/yDFuKvmX3aKC5wygCZ8jJWYP_G0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Consensus call on Implicit IV for AEAD

On 3 April 2015 at 20:17, Brian Smith <brian@briansmith.org> wrote:
> a clear record of my objection to the
> zero-padding mechanism on the mailing list,

For the record then, the objection was this:

If you are concerned that someone might spend a large amount of
computing resources (2^60+ iterations) to gain themselves a reasonable
chance of decrypting a randomly selected session from a similar sized
set of sessions, pick a stronger cipher.

There's a history of attempting to paper over perceived weaknesses in
the crypto we use.  I get the belt and braces approach here, but I'd
rather see us develop stronger constructions (ChaCha+Poly uses a
longer key, for example).

If the complaint is specific to AES-GCM, I see nothing stopping
someone from proposing AES-GCMv2 that operates on extra keying
material internally in order to make the IV unpredictable.  I'd rather
keep the nonce sane, though; it keeps it easy to reason about the
construction.
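
The construction under discussion, as an added worked example that is not part of this message or the working group's own code: the per-record AEAD nonce is the 64-bit record sequence number, zero-padded on the left to the AEAD's nonce length and XORed with a per-direction write IV, which is what TLS 1.3 eventually specified in RFC 8446, Section 5.3. The example places it beside the naive alternative (the padded sequence number used directly) and checks the property the objection turns on: with a secret per-session IV, a set of sessions does not share the same nonce value for the same record number, while the naive form gives every session the same nonce for record n. The write IVs below are constructed values for illustration; real ones are derived from the traffic secrets with HKDF-Expand-Label.

```python
# Added example: TLS 1.3 style AEAD nonce construction (RFC 8446, 5.3)
# compared with a naive padded-counter nonce. Not code from the thread.

NONCE_LEN = 12  # iv_length for AES-GCM and ChaCha20-Poly1305 in TLS 1.3


def padded_seq(seq: int, nonce_len: int = NONCE_LEN) -> bytes:
    """Encode the 64-bit record sequence number big-endian and left-pad
    it with zero bytes to nonce_len (the 'zero-padding mechanism')."""
    if not 0 <= seq < 2 ** 64:
        raise ValueError("record sequence number must fit in 64 bits")
    if nonce_len < 8:
        raise ValueError("nonce length must be at least 8 bytes")
    return seq.to_bytes(8, "big").rjust(nonce_len, b"\x00")


def naive_nonce(write_iv: bytes, seq: int) -> bytes:
    """Nonce = padded sequence number only. The write IV is ignored, so the
    nonce for record n is identical in every session (predictable)."""
    return padded_seq(seq, len(write_iv))


def tls13_nonce(write_iv: bytes, seq: int) -> bytes:
    """Nonce = padded sequence number XOR per-direction write IV.
    XOR with a fixed secret is a bijection, so nonces stay unique within a
    session, and sessions with different IVs get different nonce values."""
    padded = padded_seq(seq, len(write_iv))
    return bytes(p ^ i for p, i in zip(padded, write_iv))


def distinct_nonces(write_ivs, seq: int, construction) -> int:
    """Number of different nonce values a set of sessions uses for record
    `seq` under the given construction. 1 means every session shares it."""
    return len({construction(iv, seq) for iv in write_ivs})


def nonces_unique_within_session(write_iv: bytes, count: int) -> bool:
    """Check that records 0..count-1 of one session all get distinct nonces."""
    return len({tls13_nonce(write_iv, s) for s in range(count)}) == count


# Constructed write IVs for two sessions (hypothetical values, not derived).
IV_A = bytes.fromhex("000102030405060708090a0b")
IV_B = bytes.fromhex("ffeeddccbbaa998877665544")

if __name__ == "__main__":
    sessions = [IV_A, IV_B]
    print("naive  nonce, record 0:", naive_nonce(IV_A, 0).hex())
    print("tls13  nonce, record 0:", tls13_nonce(IV_A, 0).hex())
    print("distinct nonces for record 0, naive:",
          distinct_nonces(sessions, 0, naive_nonce))
    print("distinct nonces for record 0, tls13:",
          distinct_nonces(sessions, 0, tls13_nonce))
    print("unique within session:", nonces_unique_within_session(IV_A, 1000))
```

Record 0 of every session under the naive construction is the all-zero nonce, so one block computation under a guessed key can be checked against every session's first record at once; under the XOR form each session's record 0 nonce is its own secret IV, which is the reason the mechanism was proposed and the point Martin's objection weighs against simply choosing a cipher with a longer key.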