Re: [TLS] Re: SIV as WG item?
At Wed, 16 Jan 2008 09:57:36 -0800 (PST),
Dan Harkins wrote:
>
>
> The GCM ciphersuites for TLS use the deterministic nonce construction.
> You can ignore the other one in SP 800-38D. Just pay attention to the
> sections I listed.
>
> Like I said, if you think that GCM cannot be implemented in TLS in
> such a way that it could fall under any of the topics SP 800-38D addresses
> then SIV is not for you.
>
> I, on the other hand, doubt that "IT professionals" on whom the security
> of GCM depends (according to SP 800-38D) will understand the nuance around
> IV management. In fact, experience shows that "IT professionals" will
> routinely cut corners with security to make things more scalable--
> group pre-shared keys anyone? If all you care about when deploying a
> security system is to merely get your boss off your back then the special
> circumstances surrounding the particular module in the system you deploy
> are not of paramount concern.
>
> But it's fine. If you think that it is impossible to misuse your GCM
> implementation then bully for you. Do you also think that it is impossible
> to misuse _ANY_ TLS implementation of GCM? Is there something in TLS that
> makes SP 800-38D not apply?
Dan,
As I said in the WG meeting, I think this only meets half the burden for
SIV being a good idea. TLS has a block cipher mode which is extremely
resistant to IV reuse: CBC. The reason that GCM is attractive is that
it has good performance and ciphertext size properties as compared to
CBC. Given that SIV doesn't have particularly good performance properties,
in what settings would it be a significant improvement over CBC?
-Ekr
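The point of contention in the thread above is IV management: GCM is only safe while a (key, nonce) pair is never reused, and the TLS GCM ciphersuites rely on the deterministic construction (a 4-byte implicit salt from the key block plus an 8-byte explicit part, in practice the record sequence number) to guarantee that. The following Go program is an added example written for this archive page, not code from the thread, from any TLS implementation, or from SP 800-38D. It builds that nonce construction with a counter that refuses to wrap, and then shows what a "cut corner" costs: two records sealed under the same key and nonce let an attacker who knows one plaintext read the other without the key. The key, salt and messages are constructed test values, and the counter starting at zero is an assumption of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Sender models the deterministic GCM nonce construction used by the TLS
// GCM ciphersuites: a 12-byte nonce made of a 4-byte implicit salt and an
// 8-byte explicit part, here a per-key counter standing in for the record
// sequence number. Nothing is random; nonce uniqueness rests entirely on
// the counter never repeating under one key. (Assumption: counter starts at 0.)
type Sender struct {
	aead cipher.AEAD
	salt [4]byte
	seq  uint64
}

func NewSender(key, salt []byte) (*Sender, error) {
	if len(salt) != 4 {
		return nil, errors.New("salt must be 4 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	s := &Sender{aead: aead}
	copy(s.salt[:], salt)
	return s, nil
}

// nonce builds salt || seq; seq is the explicit part sent on the wire.
func (s *Sender) nonce(seq uint64) []byte {
	n := make([]byte, 12)
	copy(n[:4], s.salt[:])
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal encrypts one record under the next sequence number. It refuses to
// wrap the counter: when it is exhausted the key must change, not the counter.
func (s *Sender) Seal(plaintext, aad []byte) (seq uint64, ct []byte, err error) {
	if s.seq == ^uint64(0) {
		return 0, nil, errors.New("sequence number exhausted: rekey before sending more")
	}
	seq = s.seq
	s.seq++
	return seq, s.aead.Seal(nil, s.nonce(seq), plaintext, aad), nil
}

// Open is the receiver side: rebuild the nonce from the explicit seq.
func (s *Sender) Open(seq uint64, ct, aad []byte) ([]byte, error) {
	return s.aead.Open(nil, s.nonce(seq), ct, aad)
}

// SealWithNonce is the misuse: the caller picks the nonce, which is exactly
// what the deterministic construction exists to prevent.
func SealWithNonce(key, nonce, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, plaintext, nil)
}

// RecoverWithKnownPlaintext shows the cost of a repeated (key, nonce) pair.
// GCM's CTR keystream depends only on key and nonce, so c1 XOR c2 equals
// p1 XOR p2 over the common length; knowing p1 yields p2 without the key.
// (The 16-byte tag at the end of each ciphertext is ignored here.)
func RecoverWithKnownPlaintext(c1, p1, c2 []byte) []byte {
	n := len(p1)
	if len(c2)-16 < n {
		n = len(c2) - 16
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ c2[i] ^ p1[i]
	}
	return out
}

func main() {
	key := make([]byte, 16) // all-zero test key, constructed for the example
	s, _ := NewSender(key, []byte{0xde, 0xad, 0xbe, 0xef})
	seq, ct, _ := s.Seal([]byte("record one"), nil)
	pt, _ := s.Open(seq, ct, nil)
	fmt.Printf("seq %d decrypts to %q\n", seq, pt)

	nonce := make([]byte, 12) // a nonce reused by a careless caller
	p1 := []byte("GET /index.html HTTP/1.1")
	p2 := []byte("GET /secret.txt HTTP/1.1")
	c1, c2 := SealWithNonce(key, nonce, p1), SealWithNonce(key, nonce, p2)
	fmt.Printf("recovered without the key: %q\n", RecoverWithKnownPlaintext(c1, p1, c2))
}
```

The explicit counter check in Seal is the part an implementer must not skip: resetting the sequence number on renegotiation or session resumption while keeping the same key is the same failure as SealWithNonce, and the plaintext recovery above (and tag forgery, which is not shown) follows from it. SIV avoids this class of error by deriving the IV from the message itself, which is the trade against performance being debated in the thread.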
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls