[TLS] Comments about rsa-aes-gcm and ecc-new-mac
<not wearing any hats>
1) The definition of how AES_128_GCM and AES_256_GCM work in TLS
really should be in one document only, with the other one having
just a reference. (Since ecc-new-mac is Informational, the text
would need to go in rsa-aes-gcm.)
If in the future we define other combinations, like TLS_PSK_WITH_
AES_128_GCM_SHA256, it wouldn't make much sense to repeat the nonce
generation details and related security considerations in that
document -- we'd just say "AES_128_GCM and its security considerations
are in [X]". For the same reason, it doesn't make much sense to
repeat it here either (and the two documents currently don't
have same text anyway -- e.g. rsa-aes-gcm has more text about
counter reuse in security considerations).
2) Both documents mention DTLS -- but none of these ciphersuites can
be actually used with RFC 4347 (since they can't be used with TLS 1.1).
3) Section 1 of rsa-aes-gcm draft would benefit from some rephrasing
(e.g. include similar text as the abstract contains; split the "why
GCM is good" marketing text to separate paragraph; expand CAPWAP,
etc.)
4) The nonce generation text in Section 3 of rsa-aes-gcm could
benefit from some rephrasing and rearrangement. Here's my proposal
(trying to be a purely editorial rearrangement of current text):
The "nonce" SHALL be 12 bytes long, and it consists of two parts
as follows: (this is an example of "partially implicit" nonce;
see Section 3.2.1 of [RFC5116])
struct {
    opaque salt[4];
    opaque nonce_explicit[8];
} GCMNonce;
The salt is the "implicit" part of the nonce and is not sent in
packets. Instead, the salt is generated as part of the handshake
process: it is either the client_write_IV (when the client is
sending) or the server_write_IV (when the server is sending).
The salt length (SecurityParameters.fixed_iv_length) is 4 octets.
The "nonce_explicit" part is chosen by the sender and is carried in
each TLS record, in the GenericAEADCipher.nonce_explicit field.
The explicit part length (SecurityParameters.record_iv_length) is 8
octets.
Each value of the nonce_explicit MUST be ...
5) rsa-aes-gcm reference [GCM] has old title and date.
Best regards,
Pasi
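As an added illustration of the nonce construction described in item 4 (example code, not part of this message or of either draft), here is a Go sketch built on the standard library's AES-GCM: the 4-octet salt is the write_IV from the handshake, an 8-octet counter serves as nonce_explicit and travels in the clear at the front of the record, and the receiver rebuilds the same 12-byte nonce before verifying the tag. Key, write_IV, additional data and record contents are constructed sample values; the real record-layer additional data is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// newGCM returns AES-GCM for a 16- or 32-byte key (AES_128_GCM / AES_256_GCM).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
}

// gcmNonce assembles GCMNonce: 4-octet salt (write_IV) || 8-octet nonce_explicit.
func gcmNonce(salt [4]byte, explicit [8]byte) []byte {
	return append(append([]byte{}, salt[:]...), explicit[:]...)
}

// sender is one direction's write state: the salt from the handshake and the
// counter used as nonce_explicit. A counter value must never repeat under one key.
type sender struct {
	aead cipher.AEAD
	salt [4]byte
	seq  uint64
}

// seal returns nonce_explicit || ciphertext || tag (the GenericAEADCipher layout).
func (s *sender) seal(aad, plaintext []byte) []byte {
	var explicit [8]byte
	binary.BigEndian.PutUint64(explicit[:], s.seq)
	s.seq++ // fresh nonce_explicit for every record
	ct := s.aead.Seal(nil, gcmNonce(s.salt, explicit), plaintext, aad)
	return append(explicit[:], ct...)
}

// open (receiver) rebuilds the nonce from its copy of the peer's write_IV and the carried nonce_explicit.
func open(aead cipher.AEAD, salt [4]byte, aad, record []byte) ([]byte, error) {
	if len(record) < 8+aead.Overhead() {
		return nil, errors.New("record too short")
	}
	var explicit [8]byte
	copy(explicit[:], record[:8])
	return aead.Open(nil, gcmNonce(salt, explicit), record[8:], aad)
}
```

A receiver that shares the sender's salt but is handed a record with a mismatched or tampered nonce_explicit fails tag verification rather than decrypting garbage, which is the property the MUST on nonce uniqueness is protecting.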