RE: [TLS] SIV Ciphersuites for TLS
Some general comments, mostly repeating things said at the
Vancouver meeting:
- While being resistant to nonce misuse is indeed a good idea in some
environments (where spec writers and/or implementors may not fully
understand the situation), it doesn't seem very important in TLS.
TLS always derives fresh keys, so the opportunities for getting things
wrong are rather limited.
- Certainly an application writer doesn't have to understand the
nuances of nonce management -- that's the job of the TLS library (and
an application programmer who doesn't understand crypto shouldn't
implement his/her own TLS library anyway -- there are many other
things he/she will get wrong.)
- If we're concerned with implementation errors in the TLS library
itself (and think that SIV is harder to get wrong than GCM), we
already have cipher suites which are pretty good in this regard (i.e.,
possibly harder to get wrong than GCM): the CBC mode cipher suites,
which have the advantage that everyone implements them already (i.e.,
no new code needed, thus less opportunities for new bugs).
- While the SIV mode has slightly smaller per-packet overhead than
CBC mode, it's also slower to compute than GCM. So if CBC is good
enough for almost everyone, and those requiring high performance
use GCM, what's the environment where SIV would be good?
(The obvious answer "those who want small per-packet overhead,
don't care about computational costs, and don't trust implementors
to get GCM right" IMHO seems rather marginal.)
Best regards,
Pasi
> -----Original Message-----
> From: ext Dan Harkins [mailto:dharkins at lounge.org]
> Sent: 21 December, 2007 20:48
> To: tls at ietf.org
> Subject: [TLS] SIV Ciphersuites for TLS
>
>
> Greetings,
>
> I presented the document RSA AES-SIV Ciphersuites for TLS at the
> last meeting in Vancouver. It is my hope that this document would be
> accepted as a WG document and solicit more review and comments from
> everyone here. The document can be found at:
>
> http://www.ietf.org/internet-drafts/draft-harkins-tls-rsa-aes-siv-00.txt
>
> Since this email is arriving in the midst of a discussion to drop
> support for another cipher-suite I would like to explain why this
> one should be added: SIV is an AEAD mode that is resistant to nonce
> misuse (unlike other counter-mode constructs like GCM) and is
> therefore well-suited for cases where an application writer, who may
> not understand the cryptographic nuances of nonce management for
> other cipher-suites, obtains TLS services for his application by
> linking to an external library.
>
> Please take a look and send comments.
>
> regards,
>
> Dan.
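As an added illustration of the nonce-misuse point both messages argue over (this is not code from either author or from the draft): a small Python model that uses HMAC-SHA256 as a stand-in PRF for the AES-CMAC and AES-CTR primitives, contrasting a nonce-keyed CTR design (the GCM-style case) with an SIV-style construction whose IV is computed from the message itself. Key, nonce, header and messages are constructed values.

```python
import hmac
import hashlib

def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF over length-prefixed parts; stands in for S2V/CMAC."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream seeded by iv; stands in for AES-CTR."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += prf(key, b"ctr", iv, ctr.to_bytes(8, "big"))
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def nonce_mode_encrypt(key, nonce, ad, pt):
    """GCM-style: the keystream is fixed by (key, nonce) alone."""
    ct = xor(pt, keystream(key, nonce, len(pt)))
    return ct, prf(key, b"tag", nonce, ad, ct)[:16]

def siv_encrypt(key, nonce, ad, pt):
    """SIV-style: the IV is a PRF of (ad, nonce, plaintext), so the
    keystream changes whenever any of them changes."""
    iv = prf(key, b"iv", ad, nonce, pt)[:16]
    return iv, xor(pt, keystream(key, iv, len(pt)))

def siv_decrypt(key, nonce, ad, iv, ct):
    """Decrypt, then verify by recomputing the synthetic IV; None on failure."""
    pt = xor(ct, keystream(key, iv, len(ct)))
    expected = prf(key, b"iv", ad, nonce, pt)[:16]
    return pt if hmac.compare_digest(expected, iv) else None

def keystream_reused(key, nonce, ad, pt1, pt2):
    """Encrypt two equal-length messages under the SAME nonce and report,
    per construction, whether ct1^ct2 == pt1^pt2 (keystream reuse leak)."""
    c1, _ = nonce_mode_encrypt(key, nonce, ad, pt1)
    c2, _ = nonce_mode_encrypt(key, nonce, ad, pt2)
    _, s1 = siv_encrypt(key, nonce, ad, pt1)
    _, s2 = siv_encrypt(key, nonce, ad, pt2)
    target = xor(pt1, pt2)
    return xor(c1, c2) == target, xor(s1, s2) == target
```

The residual property SIV accepts in exchange is determinism: encrypting the same (ad, nonce, plaintext) twice yields the same output, which only reveals that two messages were identical.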
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls