Re: [TLS] Re: SIV as WG item?
Hi Yoav,
Actually, NIST has commented on this: it's SP 800-38D. GCM is not
flawed provided you abide by the recommendations in that document,
specifically section 8.2.1 for the deterministic construction of
the IV (which is used by the GCM ciphersuites for TLS). Since the
nonce construction in draft-ietf-tls-rsa-aes-gcm-01.txt is partially
implicit, the recommendations in section 8.3 should be interpreted
appropriately.
It is also important to look at section 9.1 regarding design
considerations. For instance, the module responsible for construction
of the nonce must be inside the FIPS 140 cryptographic boundary.
And in the case of power loss of an entity implementing GCM, "for
[the TLS GCM ciphersuite] all of the deterministic elements that are
necessary to construct the IV would have to be available when the
power is restored. For example, these elements could be stored in
non-volatile memory."
There are also operational considerations in section 9.2, which lists
questions that must be answered when deploying a GCM implementation.
It states, "Compliance with the uniqueness requirement on IVs, and
hence THE SECURITY OF GCM, ultimately DEPENDS ON THE IT PROFESSIONAL
WHO CONFIGURES, DEPLOYS, AND MAINTAINS THE GCM MODULES within a
particular system." (emphasis mine, and I apologize for screaming).
So yes, defer to NIST. If you read SP 800-38D and are satisfied that
all of the relevant requirements are adhered to, then GCM is secure. If
you don't feel it's possible to guarantee that all of those requirements
can be met, or if you don't feel comfortable placing the security of the
system in the hands of "the IT professional" who configures it, then
maybe it's not for you.
Now, back to my screaming above for a second. It is this notice in
SP 800-38D that really makes the SIV ciphersuites attractive. All of
the text in SP 800-38D (approx. 8 pages of it) does not apply to SIV
because it is secure even in the presence of IV misuse. That is, if
the IT professional intentionally or unintentionally misconfigures,
misdeploys or improperly maintains a GCM module, security is voided, but
if that module had been a SIV module security would not be voided
(assuming, of course, that the misuse by the IT professional results in
IV misuse, which is a valid assumption since that's the topic of
the quote above).
The need for SIV-based ciphersuites depends on whether you have any
discomfort with any of the numerous requirements placed on proper use
of GCM. If you think that the design considerations of SP 800-38D are
met due to the nature of the TLS protocol, and that the deployment
considerations either don't apply ("it's your problem if you misconfigure
it, so tough luck") or are similarly met due to the nature of the TLS
protocol, then SIV-based ciphersuites are probably not important enough
to bring to the WG. If, on the other hand, these design and deployment
considerations make you uncomfortable and you feel that a TLS module
implementing GCM might be too fragile, then a misuse-resistant
alternative like SIV becomes important and attractive.
regards,
Dan.
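As an added illustration of the section 8.2.1 and 9.1 points made above (this is example code, not part of the message, the draft, or any TLS stack): a deterministic IV generator built from a fixed field and an invocation counter, whose serialised state is exactly what has to survive a power loss. The 4-byte fixed || 8-byte counter split mirroring the TLS GCM nonce layout (implicit salt || explicit part) is this example's assumption.

```python
class DeterministicIV:
    """96-bit IV built the way SP 800-38D section 8.2.1 describes: a fixed
    field that identifies this encryption context, followed by an
    invocation counter that never repeats for a given key.  The widths
    (4-byte fixed || 8-byte counter) are chosen to mirror the TLS GCM nonce
    layout (4-byte implicit salt || 8-byte explicit part); that mapping is
    an illustrative assumption of this example, not a normative rule."""

    FIXED_LEN = 4
    COUNTER_LEN = 8
    LIMIT = 2 ** (8 * COUNTER_LEN) - 1   # counter == LIMIT means exhausted

    def __init__(self, fixed: bytes, counter: int = 0):
        if len(fixed) != self.FIXED_LEN:
            raise ValueError("fixed field must be %d bytes" % self.FIXED_LEN)
        if not 0 <= counter <= self.LIMIT:
            raise ValueError("counter out of range")
        self.fixed, self.counter = bytes(fixed), counter

    def next_iv(self) -> bytes:
        """Return the next IV and advance the counter.  Never wraps: once
        the invocation field is used up the key has to be retired, because
        the next value would repeat an IV already used under this key."""
        if self.counter >= self.LIMIT:
            raise RuntimeError("invocation field exhausted; rekey required")
        iv = self.fixed + self.counter.to_bytes(self.COUNTER_LEN, "big")
        self.counter += 1
        return iv

    def save_state(self) -> bytes:
        """Everything needed to resume after power loss (section 9.1).
        Order matters: call next_iv(), persist this blob to non-volatile
        storage, and only then use the IV.  A crash in between skips one
        IV value, which is harmless; the reverse order can reuse one."""
        return self.fixed + self.counter.to_bytes(self.COUNTER_LEN, "big")

    @classmethod
    def load_state(cls, blob: bytes) -> "DeterministicIV":
        fixed, ctr = blob[:cls.FIXED_LEN], blob[cls.FIXED_LEN:]
        return cls(fixed, int.from_bytes(ctr, "big"))


def resume_after_power_loss(fixed: bytes, before: int = 3, after: int = 3) -> dict:
    """Issue IVs, 'lose power', then resume two ways: from persisted
    state (correct) and from a fresh counter (the failure the text
    warns about)."""
    gen = DeterministicIV(fixed)
    issued = [gen.next_iv() for _ in range(before)]
    nv_memory = gen.save_state()               # what survived the outage
    resumed = DeterministicIV.load_state(nv_memory)
    issued += [resumed.next_iv() for _ in range(after)]
    naive = DeterministicIV(fixed).next_iv()   # restarted from zero
    return {
        "all_unique": len(set(issued)) == len(issued),
        "naive_restart_collides": naive in issued,
        "resumed_first": issued[before],
    }


def refuses_to_wrap(fixed: bytes) -> bool:
    """True if the generator hands out its last legal IV and then refuses
    the next call instead of wrapping back to counter 0."""
    gen = DeterministicIV(fixed, counter=DeterministicIV.LIMIT - 1)
    gen.next_iv()
    try:
        gen.next_iv()
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(resume_after_power_loss(b"\x00\x00\x00\x07"))   # constructed fixed field
    print(refuses_to_wrap(b"\x00\x00\x00\x07"))
```

The naive-restart case is the one section 9.1 is about: a module that comes back up with a zeroed counter but the same key re-issues the IVs it already used, which is exactly the condition the rest of this thread is worried about.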
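Added example, not part of this message or of any TLS implementation: a side-by-side of a GCM-shaped construction (caller-supplied nonce drives the keystream) and a SIV-shaped one (IV synthesised from the plaintext, the RFC 5297 structure) under the IV reuse the quoted SP 800-38D text worries about. HMAC-SHA256 stands in for AES so the script runs with the Python standard library alone; the nonce-handling structure, not the cipher, is what is being compared. One caveat the stand-in does not capture: real GCM nonce reuse also exposes the GHASH authentication key and therefore enables forgeries, so the damage shown here understates the real case.

```python
import hmac
import hashlib

# Added example.  The block cipher is replaced by HMAC-SHA256 so that this
# runs with the standard library alone; what is being compared is how the
# two constructions behave when the caller repeats a nonce, not the cipher.


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _ctr_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter mode over the PRF: keystream block i = PRF(key, iv || i).
    Same (key, iv) means the same keystream, exactly as in AES-CTR/GCM."""
    stream, i = bytearray(), 0
    while len(stream) < len(data):
        stream += _prf(key, iv + i.to_bytes(4, "big"))
        i += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def nonce_based_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """GCM-shaped: the caller's nonce drives the keystream directly, and a
    16-byte tag over nonce||ciphertext is appended.  (Real GCM additionally
    leaks its authentication key on nonce reuse; this stand-in does not
    model that, so it understates the damage.)"""
    ct = _ctr_xor(key + b"|enc", nonce, pt)
    tag = _prf(key + b"|mac", nonce + ct)[:16]
    return ct + tag


def siv_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """SIV-shaped (RFC 5297 structure): the IV is synthesised from the
    plaintext and nonce, then serves as both the tag and the CTR start.
    Two different plaintexts under a repeated nonce get unrelated
    keystreams; identical plaintexts give identical output."""
    iv = _prf(key + b"|s2v", nonce + pt)[:16]
    return iv + _ctr_xor(key + b"|ctr", iv, pt)


def siv_decrypt(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Decrypt first, then recompute the synthetic IV and compare; reject
    on mismatch (the plaintext must not be released before the check)."""
    iv, ct = blob[:16], blob[16:]
    pt = _ctr_xor(key + b"|ctr", iv, ct)
    if not hmac.compare_digest(iv, _prf(key + b"|s2v", nonce + pt)[:16]):
        raise ValueError("authentication failed")
    return pt


def recover_with_known_plaintext(c_target: bytes, c_known: bytes,
                                 p_known: bytes) -> bytes:
    """Nonce-reuse attack on the GCM-shaped scheme: with one known
    plaintext, C_target xor C_known xor P_known yields the other
    plaintext for the overlapping prefix.  No key material needed."""
    n = min(len(c_target) - 16, len(p_known))
    return xor_bytes(xor_bytes(c_target[:n], c_known[:n]), p_known[:n])


def compare_under_nonce_reuse(key: bytes, nonce: bytes,
                              p1: bytes, p2: bytes) -> dict:
    """Encrypt p1 and p2 under the SAME key and nonce with both schemes
    and report what the ciphertext pair gives away."""
    n = min(len(p1), len(p2))
    g1 = nonce_based_encrypt(key, nonce, p1)
    g2 = nonce_based_encrypt(key, nonce, p2)
    s1 = siv_encrypt(key, nonce, p1)
    s2 = siv_encrypt(key, nonce, p2)
    return {
        # GCM-shaped: C1 xor C2 == P1 xor P2, always.
        "gcm_leaks_xor": xor_bytes(g1[:n], g2[:n]) == xor_bytes(p1[:n], p2[:n]),
        # SIV-shaped: equal outputs if and only if p1 == p2 ...
        "siv_ciphertexts_equal": s1 == s2,
        # ... and otherwise the two keystreams are unrelated.
        "siv_leaks_xor": (xor_bytes(s1[16:16 + n], s2[16:16 + n])
                          == xor_bytes(p1[:n], p2[:n])),
    }


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"\x00" * 12          # constructed sample inputs
    p1 = b"GET /account/balance HTTP/1.1\r\n"
    p2 = b"POST /transfer?amount=5000 HTTP/1.1"
    print(compare_under_nonce_reuse(key, nonce, p1, p2))
    print(recover_with_known_plaintext(nonce_based_encrypt(key, nonce, p2),
                                       nonce_based_encrypt(key, nonce, p1), p1))
```

The asymmetry is the whole argument of the message: under a repeated nonce the GCM-shaped scheme hands an attacker P1 xor P2 (and, with one plaintext known, the other outright), whereas the SIV-shaped scheme reveals only whether two messages were identical.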
On Mon, January 14, 2008 2:37 am, Yoav Nir wrote:
> Supporting only GCM has the advantage that it works well with the "In
> NIST we trust" model of cryptographic reasoning.
>
> I'm also missing some performance measurements of AES-GCM vs AES-SIV
> vs AES-CBC+HMAC-SHA1. We have the original papers from the authors,
> who made the measurements on a 1 GHz PPC processor. I'm not sure how
> much of an advantage we'd get with more common processors and with
> optimized code. Right now, I don't know what, if anything, any of the
> AEAD ciphersuites would give me.
>
> I don't think GCM is seriously flawed at least in its use in TLS or
> IPsec. But like you, I'm not comfortable claiming it. In this it may
> be wise to defer to NIST, unless some cryptographer has a different
> view and would like to weigh in.
>
> On Jan 14, 2008, at 12:23 PM, Simon Josefsson wrote:
>
>> Yoav Nir <ynir@xxxxxxxxxxxxxx> writes:
>>
>>> That gives the writers of OpenSSL/GnuTLS/Windows CAPI no guidance.
>>
>> I think part of my point is that at this time there is not enough
>> guidance to give: or do we actually know which properties of the
>> various AEAD proposals are critical for Internet-wide use?
>>
>> I don't feel comfortable claiming that the nonce-reuse problem in
>> GCM is never going to lead to serious security problems. Nor would I
>> feel comfortable claiming that GCM is inherently flawed because of it.
>>
>> If there are specifications for several AEAD ciphersuites to choose
>> from, they would each contain discussions of their applicability. If we
>> only specify AES-GCM and kill other proposals, I suspect that will make
>> it more difficult to re-consider the situation later on.
>>
>> I guess I have argued my point of view now, so I'll try to shut up and
>> let others talk.
>>
>> /Simon
>>
>>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@xxxxxxxxxxxxxx
> https://www1.ietf.org/mailman/listinfo/tls
>