RE: [TLS] Re: SIV as WG item?
Dan Harkins wrote:
> It is also important to look at section 9.1 regarding design
> consideration. For instance the module responsible for construction
> of the nonce must be inside the FIPS140 cryptographic boundary.
> And in the case of power loss of an entity implementing GCM, "for
> [the TLS GCM ciphersuite] all of the deterministic elements that are
> necessary to construct the IV would have to be available when the
> power is restored. For example, these elements could be stored in
> non-volatile memory."
This storage requirement applies only to implementations that
also store (or are in some way able to recover or reuse) the key
itself.
(Section 9.1, "If the generation unit cannot recover from a loss of
power, then the authenticated encryption function shall enter a
failure state until a fresh key can be established.")
> There are also operational considerations in section 9.2 that lists
> questions that must be answered when deploying a GCM implementation.
> It states, "Compliance with the uniqueness requirement on IVs, and
> hence THE SECURITY OF GCM, ultimately DEPENDS ON THE IT PROFESSIONAL
WHO CONFIGURES, DEPLOYS, AND MAINTAINS THE GCM MODULES within a
> particular system." (emphasis mine and I apologize for screaming).
>
> So yes, defer to NIST. If you read SP 800-38D and are satisfied
> that all of the relevant requirements are adhered to then GCM is
> secure. If you don't feel it's possible to guarantee that all of
> those requirements can be met or if you don't feel comfortable
> placing the security of the system in the hands of "the IT
> professional" who configures it then maybe it's not for you.
As far as I can tell, all (or almost all) of these considerations
are about ensuring proper IV generation and other "cryptographic
hygiene" to ensure one given key doesn't end up being used in
different contexts (e.g. across power loss, with different GCM
mode options, etc.). With complications such as system backups,
this will ultimately depend on the IT administration procedures
as well.
Those concerns don't really seem to apply to protocols that
always establish fresh keys, and during that key establishment,
agree on how the key will be used.
Best regards,
Pasi
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
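Added example (not part of Dan's or Pasi's messages, and not code from any implementation discussed in the thread): the Go program below models the two SP 800-38D points at issue. It builds the 96-bit IV deterministically from a 32-bit fixed field and a 64-bit invocation counter (one of the layouts section 8.2.1 permits), refuses to encrypt once the counter state is lost while the key survives (the section 9.1 failure state), and restarts the counter only when a fresh key is installed, which is the case Pasi describes for protocols that negotiate a new key per session. NonceReuseLeaks shows what the uniqueness requirement actually guards: two GCM encryptions under the same key and IV share the CTR keystream, so XORing the two ciphertexts yields the XOR of the plaintexts. The GCMContext type, the error names and the keys are assumptions made for this example; the AES-GCM primitive is Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Sentinel errors (hypothetical names) for the states in which the IV
// generator can no longer promise uniqueness under the current key.
var (
	ErrIVGeneratorFailed = errors.New("gcm: IV state lost; refusing to encrypt until a fresh key is established")
	ErrCounterExhausted  = errors.New("gcm: invocation counter exhausted; establish a fresh key")
	ErrKeyNotFresh       = errors.New("gcm: rekeying with the same key would repeat IVs")
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GCMContext (hypothetical type) holds one key and the deterministic 96-bit
// IV state for it: a 32-bit fixed field (sender id) followed by a 64-bit
// invocation counter, one of the layouts SP 800-38D section 8.2.1 allows.
type GCMContext struct {
	aead    cipher.AEAD
	key     []byte
	fixed   [4]byte
	counter uint64
	failed  bool
}

// NewGCMContext starts with a fresh key and the counter at zero.
func NewGCMContext(key []byte, fixed [4]byte) (*GCMContext, error) {
	c := &GCMContext{fixed: fixed}
	return c, c.Rekey(key)
}

// Rekey installs a fresh key and restarts the IV state. Restarting the
// counter is safe only because the key is new; the equality check catches
// the trivial "rekey" with the previous key and nothing subtler.
func (c *GCMContext) Rekey(key []byte) error {
	if c.key != nil && bytes.Equal(c.key, key) {
		return ErrKeyNotFresh
	}
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	c.aead, c.key, c.counter, c.failed = aead, append([]byte(nil), key...), 0, false
	return nil
}

// Seal encrypts one record under the next IV, or refuses when uniqueness
// under the current key can no longer be guaranteed.
func (c *GCMContext) Seal(plaintext, aad []byte) (iv, ct []byte, err error) {
	if c.failed {
		return nil, nil, ErrIVGeneratorFailed
	}
	if c.counter == ^uint64(0) { // the next increment would wrap and repeat IVs
		c.failed = true
		return nil, nil, ErrCounterExhausted
	}
	iv = make([]byte, 12)
	copy(iv, c.fixed[:])
	binary.BigEndian.PutUint64(iv[4:], c.counter)
	c.counter++
	return iv, c.aead.Seal(nil, iv, plaintext, aad), nil
}

// Open is the receiver side for a record produced by Seal.
func (c *GCMContext) Open(iv, ct, aad []byte) ([]byte, error) {
	return c.aead.Open(nil, iv, ct, aad)
}

// PowerLoss models losing the volatile counter while the key survives.
// Section 9.1 leaves two options: restore the counter from non-volatile
// storage, or enter a failure state until a fresh key is established.
// This context keeps no such storage, so it takes the second.
func (c *GCMContext) PowerLoss() { c.failed = true }

// NonceReuseLeaks demonstrates the failure the uniqueness rule prevents: two
// encryptions under one key and IV share the CTR keystream, so the XOR of
// the ciphertext bodies equals the XOR of the plaintexts (the 16-byte tags
// Seal appends are ignored). It returns true when that relation holds.
func NonceReuseLeaks(key, iv, p1, p2 []byte) (bool, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return false, err
	}
	c1, c2 := aead.Seal(nil, iv, p1, nil), aead.Seal(nil, iv, p2, nil)
	for i := 0; i < len(p1) && i < len(p2); i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false, nil
		}
	}
	return true, nil
}
```

A production implementation that chooses the non-volatile route instead of the failure state has to commit the counter to storage before the record that uses it leaves the box, and has to cope with backups and restores of that storage; that is the administrative dependency the quoted section 9.2 text is pointing at, and it disappears when the key itself never survives a restart.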