[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[TLS] Counter structure

To: tls@xxxxxxxx
Subject: [TLS] Counter structure
From: Eric Rescorla <ekr@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 19 Dec 2006 13:10:45 -0800
Cc: kent@xxxxxxx
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>

Currently, the (D)TLS Counter draft uses the sequence number to
generate the per-record IV. Recently, Steve Kent pointed out
a drawback of this mode which mau motivate a different counter
structure. I was hoping we could discuss this on the list
and try to reach consensus.

Here's the issue as I understand it (Steve, please correct
me if I screw something up):

   The CTR IV is security critical in a way that the CBC IV is
   not. Accordingly, for evaluated products the IV must be generated
   inside the evaluation boundary where it can be insured that it's not
   reused.  As the IV is currently designed, this would mean that the
   record sequence number was also maintained inside the security
   boundary.

   Ordinarily, this isn't an issue but in implementations where you are
   doing hardware record processing you might have multiple parallel
   hardware modules. Synchronizing the sequence number between those
   modules could be quite problematic.

   An alternate approach is to use an explicit per-record IV which can
   be maintained independently by each encryption module. This IV
   doesn't need to be the full block width, just long enough to prevent
   collisions. If the modules use a counter or LFSR (with a few bits
   reserved for module ID) to generate the IV, then you can get by with
   64 bits of IV. [0]

So, the question is: is enabling this kind of parallel hardware
implementation a good tradeoff for 8 more bytes of record size?

Please discuss.

Thanks,
-Ekr


[0] Note that this IV size more or less precludes random IVs because of
birthday statistics.

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Counter structure
  - From: Russ Housley

Prev by Date: Re: Ephemeral RSA (was Re: [TLS] Any advice regarding frequency
Next by Date: Re: [TLS] Comments on TLS identity protection
Previous by thread: [TLS] Please discuss: draft-housley-evidence-extns-00
Next by thread: Re: [TLS] Counter structure
Index(es):
- Date
- Thread