IETF Logo Mail Archive

Re: [TLS] Clarifications and questions: TLS1.3 - Static RSA and AEAD

Michael StJohns <msj@nthpermutation.com> Tue, 27 May 2014 03:14 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CE121A0337 for <tls@ietfa.amsl.com>; Mon, 26 May 2014 20:14:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OvVMqoaLW2nV for <tls@ietfa.amsl.com>; Mon, 26 May 2014 20:14:29 -0700 (PDT)
Received: from mail-pb0-f48.google.com (mail-pb0-f48.google.com [209.85.160.48]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3DF41A032D for <tls@ietf.org>; Mon, 26 May 2014 20:14:29 -0700 (PDT)
Received: by mail-pb0-f48.google.com with SMTP id rr13so8498659pbb.35 for <tls@ietf.org>; Mon, 26 May 2014 20:14:26 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=RyfrYO4OJ/xA3QCsnTlJPuaxwsmHcZYzpOl+os8sUlk=; b=VPvz0i4CGES0xZcJnO7r9FyEdVkIt8gRMLiiu0ciXuHNGe04fg0K+YavyZUFuYiv8H Op1H/UupBXgywSJZHy0Aj9Sv4aSCRMOzAyBbU+dvskEA4w1IALYlmI82adbo0AcxK5jT OWbySygaJj+Aqev8qAx6yHVVGgPq8xWNd0pEzNYeBnclstUqPiBeHvjp6qbAy5bsAW98 tj3y7KVj9e+nxuqyM1B0ceBUHRJGgGmK4EWu1P5qNpMZCla5OHSXmWff3CvqmRfR0Wuv NcCf6b6snOO2wgB3rwC/7wvDPdlBPFV8d5F3pBzz+MrhlaSy/Kpu9vG7qUIemB25bY5u 06/w==
X-Gm-Message-State: ALoCoQmjf7d6EBiGsDFJuPjhxkiMT8SFMdWDomJTSPg8U/K40iY3jiqZLg0c67+vrXt76t9GmyGi
X-Received: by 10.66.137.109 with SMTP id qh13mr32661276pab.39.1401160466845; Mon, 26 May 2014 20:14:26 -0700 (PDT)
Received: from [192.168.1.102] (c-68-34-113-195.hsd1.md.comcast.net. [68.34.113.195]) by mx.google.com with ESMTPSA id ec2sm20575890pbc.63.2014.05.26.20.14.25 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 26 May 2014 20:14:26 -0700 (PDT)
Message-ID: <53840318.10902@nthpermutation.com>
Date: Mon, 26 May 2014 23:14:32 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>
References: <5383F02F.4050706@nthpermutation.com> <CABcZeBPU8gQtpVOyD5KO28bv3Ggjf-7p1wj8uU8NztnFMfPJ6Q@mail.gmail.com>
In-Reply-To: <CABcZeBPU8gQtpVOyD5KO28bv3Ggjf-7p1wj8uU8NztnFMfPJ6Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040203020802000507070900"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/zoY1O1VMsT-ZfK6DvCJh6x1cnOc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Clarifications and questions: TLS1.3 - Static RSA and AEAD
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2014 03:14:31 -0000

On 5/26/2014 10:32 PM, Eric Rescorla wrote:
>
>     Does it also result in changing the output of the "key expansion"
>     phase as only "client_write_key" and "server_write_key"s will be
>     needed for AEAD?
>
>
> I don't believe so, since AEAD still at least potentially requires an IV.

Right - but we really need to get IV material in a way where it isn't 
derived from the master secret.    What I meant was that 
"client_write_mac_key" and "server_write_mac_key" are no longer 
generated since they aren't necessary for AEAD - correct?

>
>
>     Is there any desire to specify a AEAD general block cipher
>     mode/mac construct with an integral key expansion function?  E.g.
>     could something like
>     http://www.ietf.org/id/draft-mcgrew-aead-aes-cbc-hmac-sha2-04.txt
>     be adapted to be a general model for TLS or is this out of scope
>     for the TLS1.3 main document?
>
>
> Certainly this is something one could in principle do. However I know that
> there are some who would prefer to not specify any CBC cipher suite so
> I expect they may want to weigh in now. Another alternative would be to
> specific an AES-CTR/HMAC combined mode.

There's things that the TLS base document should be specifying (e.g. 
we'll only do AEAD style modes and here's the interface), and then 
there's getting into the nitty-gritty of specific cipher suites.

  I'm wondering if it would make sense to completely remove all of the 
cryptography (e.g. RSA, DH, AES, DSA, ECDSA, ECDH) specific language to 
a separate document and have the base document only talk about the 
cryptographic constructs, message formats, negotiation schemes etc?  
That makes support of the base specification a bit more independent from 
the crypto suite specifications.

With respect to the use of compound AEAD functions - I think you have to 
allow for things like McGrew's draft, as well as the equivalent on 
non-AES, non-NIST regional mechanisms to be specified as a compound 
AEAD.  CBC has gotten bad press, but it's out there, it's built in to a 
lot of hardware and, used with a good integrity mechanism (in 
encrypt-then-mac order), seems to be "secure enough" for the given uses.

v2.23.0 | Report a Bug | By Email