Re: [TLS] Comments on
Adam Langley <agl@google.com> Fri, 14 February 2014 19:51 UTC
Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB7E91A02B9 for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 11:51:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.627
X-Spam-Level:
X-Spam-Status: No, score=-1.627 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id crMZkTvyVu6L for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 11:51:24 -0800 (PST)
Received: from mail-vc0-x22d.google.com (mail-vc0-x22d.google.com [IPv6:2607:f8b0:400c:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 7DD491A0394 for <tls@ietf.org>; Fri, 14 Feb 2014 11:50:00 -0800 (PST)
Received: by mail-vc0-f173.google.com with SMTP id ld13so9462362vcb.4 for <tls@ietf.org>; Fri, 14 Feb 2014 11:49:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=ErLvlr370rWOGqp0bJfVThnI3GChRQg2nD8LggM27lg=; b=GWeIHw42tvhKgnxkoup61v6EtvWvWkBKl2wZiAj+wLgXiaR0e8jgYqU/6GVKAPHsEu +4KNYyZS+icqqmD7CASk4OpE6wUeq5doSUJquCWdW9PvxIPbaBYO1XWF/5tE6VAgjQDa YTgemCCyCisf6DGhBy0Uv4JpWi6MAKcQP2noEDaqpj5s9iE44J0je6eHpiUcksXpdEwZ mnUGSDR+RNfaQqGL7ajC6ZQfYQ+EWVqFtPOQo15qdY7m4WZAO0XQadQgeCdeDliJW39S cw1ptvpwfLm40yFJ8jw4tj6eigqZ5aJydDppEBe/nfOJ3oOpvbTiqq3aFAmfi/bQWTkO kASA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=ErLvlr370rWOGqp0bJfVThnI3GChRQg2nD8LggM27lg=; b=I3Vt+UnE/fDdsLNrz1L1hu3VZ5HelPWTC14dUyKtaSbIg5Q8mnnS57TXu8OFvqGb5P Gi9FvHTRylmIBwBcZSZU9mKNT/LgotCVQty6vb4cggxYpkRdIqFUhpYN3+VwqdQ/fq+/ RAHt1fI3rMpj/F5i4bhW3yh9BE7KxbOrZwcAxj5yYh5rzK0vsiRakPj+m8ipIn6CCXvD U9xb35fpx0Lfq8jNCt0Dl4E3z8dVj67ahvi8dHbr/jI5U0esmzduyppU+NpsGR+PJs6H HFtA4yuSt5F4LPPOIDYM6yAtQ5yYop74jiidIl3vjhJONkWbW1ciJ/PwL/+heV+OCsJ2 Gffg==
X-Gm-Message-State: ALoCoQnqjZvvebOq44lQAbINJdPUDU6bhDsme2Lx8VVQFs3YULib0vaCGkCt0u0sSZfqb4zXMysgCQhCeaHXcV+ehR4TmfZBk3RQc16P/N/uaAntEKo3GVnpKBHVQLCActrEVsGGS/bP8T0Bw8+yTyWRNTvLbqIndjPwKrJsGZWfYNn5PsmoX+O8J+hj2MYOtfN6O4er+Mhq
X-Received: by 10.52.186.230 with SMTP id fn6mr5613927vdc.14.1392407398642; Fri, 14 Feb 2014 11:49:58 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.104.37 with HTTP; Fri, 14 Feb 2014 11:49:38 -0800 (PST)
In-Reply-To: <nnsirlldyf.fsf@bacon.lysator.liu.se>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se> <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com> <nna9dum6fk.fsf@bacon.lysator.liu.se> <CAL9PXLyC98rc73x7o4gDeu-UBz1k0VP_qTdbCqgSSObuKf9+LA@mail.gmail.com> <nnsirlldyf.fsf@bacon.lysator.liu.se>
From: Adam Langley <agl@google.com>
Date: Fri, 14 Feb 2014 14:49:38 -0500
Message-ID: <CAL9PXLzgHqguYfKwhiVyjDeSCUkqwbsoujAcz8UPN0FQyfaodg@mail.gmail.com>
To: Niels Möller <nisse@lysator.liu.se>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ULJbYdCDaycBGBUI_hye3SSo2ok
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 19:51:27 -0000
On Fri, Feb 14, 2014 at 1:57 PM, Niels Möller <nisse@lysator.liu.se> wrote: > Right, with some care both views these input words could perhaps > coexist. And a 32-bit counter (256 GB message size, if I manage to get > the powers right) ought to be sufficient for almost all applications. > But I'm afraid it might to slow adoption of chacha if there are multiple > slightly incompatible specifications. I intend for the 64/64 bit version to be dead at this point. I think everyone can agree on the 96/32 split. I wouldn't want there to be two versions if it can be avoided. > By streaming, I don't advocate you do the decryption in a pipe line; > that's clearly a dangerous habit. Usecase is more like on one machine > running > > src-machine$ tar -cf - foo-dir | aead-encrypt | send This use of streaming is fine by my criteria, assuming that "aead-encrypt" is chunking the input into different blocks and applying the AEAD to each block. This is perfectly fine with a one-shot(*), AEAD API at the core. > If I want to encrypt a large file (say, with key derived from a > passphrase, or with an random and RSA-encrypted session key), I see no > clearly better or easier way to do that than as a single large AEAD > message processed using a streaming/incremental API. Sure, I could > divide the data into reasonably sized shorter blocks and process each > block as a separate message with AEAD, but then I would have to think > about how to do sequence numbers and a properly authenticated EOF > indication, to prevent reorder and truncation. And to me, that's also > very much against the spirit of AEAD as a safe and easy-to-use > mechanism. I disagree here and this seems to contradict your statement above that decryption in a pipeline is a "dangerous habit". Wouldn't your streaming/incremental API return unauthenticated plaintext to the caller and thus encourage just this habit? Certainly I have much sympathy with the problem of giving the user a simple API for dealing with large files. However, I think such an API should, under the covers, chunk the data and apply an AEAD to each chunk. That design can avoid holding large amounts of plaintext or ciphertext in memory and also avoid returning unauthenticated plaintext. There is still the need to handle unexpected truncation, but I think that's fundamental when one cannot hold the whole file in memory at once. So I think that what you want is an "AEAD chunking format" which is a higher level concept than an AEAD and that our disagreement arises from merging what I see as two different layers. (*) by one-shot I mean that it does the whole operation in one call. I.e.: ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t max_out_len, const unsigned char *nonce, size_t nonce_len, const unsigned char *in, size_t in_len, const unsigned char *ad, size_t ad_len); Cheers AGL
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Wan-Teh Chang
- [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Dr Stephen Henson
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Nikos Mavrogiannopoulos
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on Alfredo Pironti
- Re: [TLS] Comments on Niels Möller
- [TLS] dealing with AEAD partial delivery [was: Re… Daniel Kahn Gillmor
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Adam Langley
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Adam Langley
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller