IETF Logo Mail Archive

Re: [Uta] On cipher suites with Camellia of TLS-BCP

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 11 September 2014 11:04 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 882F31A06C7 for <uta@ietfa.amsl.com>; Thu, 11 Sep 2014 04:04:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.952
X-Spam-Level:
X-Spam-Status: No, score=-2.952 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_38=0.6, RP_MATCHES_RCVD=-1.652] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rW6A7_gPyDar for <uta@ietfa.amsl.com>; Thu, 11 Sep 2014 04:04:41 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 503671A06D3 for <uta@ietf.org>; Thu, 11 Sep 2014 04:04:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id ECB98BED4; Thu, 11 Sep 2014 12:04:39 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rj09bWtubSKt; Thu, 11 Sep 2014 12:04:36 +0100 (IST)
Received: from [10.87.48.5] (unknown [86.46.27.107]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 77D72BEE2; Thu, 11 Sep 2014 12:04:20 +0100 (IST)
Message-ID: <541181B4.6040405@cs.tcd.ie>
Date: Thu, 11 Sep 2014 12:04:20 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Kohei Kasamatsu <kasamatsu.kohei@po.ntts.co.jp>, Leif Johansson <leifj@mnt.se>, uta@ietf.org
References: <53D18A7F.1080703@po.ntts.co.jp> <B07D6809-105A-47CF-BA2B-04874715B97B@vpnc.org> <53E0AFC0.6000107@po.ntts.co.jp> <55179996-EC4C-4F6A-B48B-46EA2D417C54@vpnc.org> <53E87E6C.9030409@po.ntts.co.jp> <53E88285.2020105@gmail.com> <53E88DF9.6020505@mnt.se> <53FEEA59.8080702@po.ntts.co.jp> <53FF0401.9060502@cs.tcd.ie> <54117CA7.3050707@po.ntts.co.jp>
In-Reply-To: <54117CA7.3050707@po.ntts.co.jp>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/uIZaveb3XgJjy58OFHe__al_ypE
Cc: holz@net.in.tum.de, yaronf.ietf@gmail.com, ietf@stpeter.im
Subject: Re: [Uta] On cipher suites with Camellia of TLS-BCP
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Sep 2014 11:04:46 -0000

Hiya,

Your desire to add 4 Camellia ciphersuites is not at all
unreasonable, but I still myself think it would be a bad
plan right now. Better I (still:-) think to get this BCP
out the door now with just AES ciphersuites and look at
it again later when the chacha20/rc4 situation settles
down.

I think this BCP ought where possible match what's in
widespread use and is best practice. Right now, AES and
RC4 ciphersuites are used in most places as far as I know
but we want to see RC4 go away.

In future it could be AES and Camellia or AES and chacha20
or something else, but I don't think it'd be correct now
to say that AES+Camellia ciphersuites are the BCP since
Camellia is not as far as I know in such widespread use.

Cheers,
S.

On 11/09/14 11:42, Kohei Kasamatsu wrote:
> Hi, Stephen and UTA folks
> 
> 
> Thanks Stephen for your comments.
> I agree with your comments and will not discuss alternative algorithms
> in UTA WG.
> I would like to discuss alternative algorithms in a suitable group.
> 
> However, by reason of followings, I wish cipher suites with Camellia are
> also expressed in TLS-BCP, meanwhile I do NOT care about description of
> enforcement statements; i.e., recommended, or optional.
> 
> First, I strongly believe that status of Camellia is different from any
> other symmetric ciphers (including Chacha20).
> For example, Camellia is only selected as recommended symmetric cipher
> together with AES in NESSIE project [1].
> And, it also standardized in ISO/IEC18033-3 [2], ITU-T, W3C, and so on.
> 
>>From the above, Camellia is widely approved by global organizations.
> Actually, it is recommended by "Algorithms, Key Sizes and Parameters
> Report"[3] of ENISA (page59) as follows:
> ---
> Looking at the record layer protocol (i.e. the algorithms to encrypt the
> actual data), we see that only the use of Camellia and AES are
> recommended within a mode such as GCM or CCM.
> 
>   (snip)
> 
> This means at the time of writing we would only recommend the following
> cipher suites, for future use within TLS
>   *_WITH_Camellia\index{Camellia}_128_GCM_SHA256,
>   *_WITH_AES_128_GCM_SHA256,
>   *_WITH_Camellia\index{Camellia}_256_GCM_SHA384,
>   *_WITH_AES_256_GCM_SHA384,
>   *_WITH_AES_128_CCM,
>   *_WITH_AES_128_CCM_8,
>   *_WITH_AES_256_CCM,
>   *_WITH_AES_256_CCM_8.
> where * is sux denoting the underlying key exchange primitive.
> ---
> 
> In addition, Camellia satisfies all current requirements of TLS-BCP draft,
> and is already implemented in major software, such as OpenSSL, GnuTLS,
> NSS, and Linux.
> Therefore, once again, I wish the following cipher suites with Camellia
> specified by RFC6367 [4] are also expressed in TLS-BCP.
> 
> ---
> TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
> TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
> ---
> 
> [1] NESSIE Project,
> http://www.cosic.esat.kuleuven.be/nessie/
> 
> [2] ISO/IEC18033-3,
> http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=37972
> 
> [3] Algorithms, Key Sizes and Parameters Report
> 2013 recommendations,
> http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report/at_download/fullReport
> 
> [4] RFC 6367 Addition of the Camellia Cipher Suites to Transport Layer
> Security (TLS), http://tools.ietf.org/html/rfc6367
> 
> Best,
> Kohei KASAMATSU
> 
> 
> (2014/08/28 19:27), Stephen Farrell wrote:
>>
>> Hiya,
>>
>> Having had this discussion a few times over the last
>> couple of years my take on it is:
>>
>> - there is some but not huge interest a backup cipher
>>    for AES and the interest-level varies by protocol
>>    as do the set of possible backups
>>
>> - we are very unlikely to get an easy consensus on which
>>    to pick, or how to pick (has been tried in both SAAG
>>    and CFRG without success), as a generic backup
>>
>> - picking a cipher is not a UTA thing, and not the same
>>    as picking a TLS ciphersuite, which can be a UTA thing
>>
>> - while Camellia ciphersuites exist, chacha20 ciphersuites
>>    seem like they are also getting traction as an
>>    alternative to AES when one doesn't have AES h/w, but
>>    its too soon to tell maybe - if that happened, then there
>>    is also a reason to support chacha20 in addition to it
>>    being a backup to AES. And 2 reasons are way better
>>    than one here.
>>
>> I conclude that UTA should not be in the business of
>> trying to decide which cipher might be a good backup
>> for AES.
>>
>> And since TLS ciphersuites are in flux, with RC4 on
>> the way out and (apparently) chacha20 on the rise,
>> this isn't the right time for UTA to pick another
>> ciphersuite as a backup in case of problems with AES.
>>
>> Cheers,
>> S.
>>
>>
>> On 28/08/14 09:37, Kohei Kasamatsu wrote:
>>> Hi Yaron and Leif,
>>>
>>>
>>> I also need a consensus about adding standby ciphers into TLS-BCP.
>>> And I understood that UTA WG focuses on getting a first version of the
>>> BCP out as soon as possible.
>>>
>>> In first, I want to point out it seems that very little interest in the
>>> idea of standby cipher that you pointed out is not fact.
>>> I heard from David that there are some interests in idea of standby ciphers.
>>>
>>> My concern is that when vulnerability related to the primitive is found
>>> it takes a lot of time to migrate from insecure primitive to secure one.
>>> In fact, it is seemed to me that it takes a lot of time to migrate to
>>> TLS1.2. (My proposal that TLS-BCP recommends standby ciphers is one of
>>> the solutions for a delay of migration.)
>>>
>>> What do you think about my concern?
>>>
>>> For example, shall we consider the procedure for review of algorithms in
>>> TLS-BCP and update of TLS-BCP in order to deal with the following events?
>>>
>>> 1. Operations of new algorithms in TLS implementations are so increasing
>>> that we cannot ignore it.
>>>
>>> 2. Vulnerability of TLS is found.
>>>
>>> Best,
>>> Kohei KASAMATSU
>>>
>>> (2014/08/11 18:33), Leif Johansson wrote:
>>>> On 2014-08-11 10:44, Yaron Sheffer wrote:
>>>>> Hi Kohei,
>>>>>
>>>>> Personally I support the idea of alternative (or "standby") ciphers, see
>>>>> http://tools.ietf.org/html/draft-mcgrew-standby-cipher-00. However there
>>>>> was very little interest in this idea when we brought it up at CFRG.
>>>>>
>>>>> IMHO for inclusion in the BCP there should be wide consensus about both
>>>>> the need for standby ciphers (and there is none, as far as I can tell)
>>>>> as well as the individual algorithms.
>>>>>
>>>>
>>>> I think that is a fair assessment. Our focus now should be on getting a
>>>> first version of the BCP out as soon as possible.
>>>>
>>>> 	Cheers Leif
>>>>
>>>> _______________________________________________
>>>> Uta mailing list
>>>> Uta@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/uta
>>>>
>>>
>>> _______________________________________________
>>> Uta mailing list
>>> Uta@ietf.org
>>> https://www.ietf.org/mailman/listinfo/uta
>>>
>>>
>>
> 
>

v2.23.0 | Report a Bug | By Email