IETF Logo Mail Archive

Re: [TLS] Comments on

Adam Langley <agl@google.com> Fri, 14 February 2014 19:51 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB7E91A02B9 for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 11:51:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.627
X-Spam-Level:
X-Spam-Status: No, score=-1.627 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id crMZkTvyVu6L for <tls@ietfa.amsl.com>; Fri, 14 Feb 2014 11:51:24 -0800 (PST)
Received: from mail-vc0-x22d.google.com (mail-vc0-x22d.google.com [IPv6:2607:f8b0:400c:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 7DD491A0394 for <tls@ietf.org>; Fri, 14 Feb 2014 11:50:00 -0800 (PST)
Received: by mail-vc0-f173.google.com with SMTP id ld13so9462362vcb.4 for <tls@ietf.org>; Fri, 14 Feb 2014 11:49:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=ErLvlr370rWOGqp0bJfVThnI3GChRQg2nD8LggM27lg=; b=GWeIHw42tvhKgnxkoup61v6EtvWvWkBKl2wZiAj+wLgXiaR0e8jgYqU/6GVKAPHsEu +4KNYyZS+icqqmD7CASk4OpE6wUeq5doSUJquCWdW9PvxIPbaBYO1XWF/5tE6VAgjQDa YTgemCCyCisf6DGhBy0Uv4JpWi6MAKcQP2noEDaqpj5s9iE44J0je6eHpiUcksXpdEwZ mnUGSDR+RNfaQqGL7ajC6ZQfYQ+EWVqFtPOQo15qdY7m4WZAO0XQadQgeCdeDliJW39S cw1ptvpwfLm40yFJ8jw4tj6eigqZ5aJydDppEBe/nfOJ3oOpvbTiqq3aFAmfi/bQWTkO kASA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=ErLvlr370rWOGqp0bJfVThnI3GChRQg2nD8LggM27lg=; b=I3Vt+UnE/fDdsLNrz1L1hu3VZ5HelPWTC14dUyKtaSbIg5Q8mnnS57TXu8OFvqGb5P Gi9FvHTRylmIBwBcZSZU9mKNT/LgotCVQty6vb4cggxYpkRdIqFUhpYN3+VwqdQ/fq+/ RAHt1fI3rMpj/F5i4bhW3yh9BE7KxbOrZwcAxj5yYh5rzK0vsiRakPj+m8ipIn6CCXvD U9xb35fpx0Lfq8jNCt0Dl4E3z8dVj67ahvi8dHbr/jI5U0esmzduyppU+NpsGR+PJs6H HFtA4yuSt5F4LPPOIDYM6yAtQ5yYop74jiidIl3vjhJONkWbW1ciJ/PwL/+heV+OCsJ2 Gffg==
X-Gm-Message-State: ALoCoQnqjZvvebOq44lQAbINJdPUDU6bhDsme2Lx8VVQFs3YULib0vaCGkCt0u0sSZfqb4zXMysgCQhCeaHXcV+ehR4TmfZBk3RQc16P/N/uaAntEKo3GVnpKBHVQLCActrEVsGGS/bP8T0Bw8+yTyWRNTvLbqIndjPwKrJsGZWfYNn5PsmoX+O8J+hj2MYOtfN6O4er+Mhq
X-Received: by 10.52.186.230 with SMTP id fn6mr5613927vdc.14.1392407398642; Fri, 14 Feb 2014 11:49:58 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.104.37 with HTTP; Fri, 14 Feb 2014 11:49:38 -0800 (PST)
In-Reply-To: <nnsirlldyf.fsf@bacon.lysator.liu.se>
References: <nnha83nwy9.fsf@bacon.lysator.liu.se> <CAL9PXLyWhqSdG5YRyrOprW5wgCYCwHn7_a=R2sb+mN-irkMYbA@mail.gmail.com> <nna9dum6fk.fsf@bacon.lysator.liu.se> <CAL9PXLyC98rc73x7o4gDeu-UBz1k0VP_qTdbCqgSSObuKf9+LA@mail.gmail.com> <nnsirlldyf.fsf@bacon.lysator.liu.se>
From: Adam Langley <agl@google.com>
Date: Fri, 14 Feb 2014 14:49:38 -0500
Message-ID: <CAL9PXLzgHqguYfKwhiVyjDeSCUkqwbsoujAcz8UPN0FQyfaodg@mail.gmail.com>
To: Niels Möller <nisse@lysator.liu.se>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ULJbYdCDaycBGBUI_hye3SSo2ok
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 19:51:27 -0000

On Fri, Feb 14, 2014 at 1:57 PM, Niels Möller <nisse@lysator.liu.se> wrote:
> Right, with some care both views these input words could perhaps
> coexist. And a 32-bit counter (256 GB message size, if I manage to get
> the powers right) ought to be sufficient for almost all applications.
> But I'm afraid it might to slow adoption of chacha if there are multiple
> slightly incompatible specifications.

I intend for the 64/64 bit version to be dead at this point. I think
everyone can agree on the 96/32 split. I wouldn't want there to be two
versions if it can be avoided.

> By streaming, I don't advocate you do the decryption in a pipe line;
> that's clearly a dangerous habit. Usecase is more like on one machine
> running
>
>   src-machine$ tar -cf - foo-dir | aead-encrypt | send

This use of streaming is fine by my criteria, assuming that
"aead-encrypt" is chunking the input into different blocks and
applying the AEAD to each block. This is perfectly fine with a
one-shot(*), AEAD API at the core.

> If I want to encrypt a large file (say, with key derived from a
> passphrase, or with an random and RSA-encrypted session key), I see no
> clearly better or easier way to do that than as a single large AEAD
> message processed using a streaming/incremental API. Sure, I could
> divide the data into reasonably sized shorter blocks and process each
> block as a separate message with AEAD, but then I would have to think
> about how to do sequence numbers and a properly authenticated EOF
> indication, to prevent reorder and truncation. And to me, that's also
> very much against the spirit of AEAD as a safe and easy-to-use
> mechanism.

I disagree here and this seems to contradict your statement above that
decryption in a pipeline is a "dangerous habit". Wouldn't your
streaming/incremental API return unauthenticated plaintext to the
caller and thus encourage just this habit?

Certainly I have much sympathy with the problem of giving the user a
simple API for dealing with large files. However, I think such an API
should, under the covers, chunk the data and apply an AEAD to each
chunk. That design can avoid holding large amounts of plaintext or
ciphertext in memory and also avoid returning unauthenticated
plaintext.

There is still the need to handle unexpected truncation, but I think
that's fundamental when one cannot hold the whole file in memory at
once.

So I think that what you want is an "AEAD chunking format" which is a
higher level concept than an AEAD and that our disagreement arises
from merging what I see as two different layers.


(*) by one-shot I mean that it does the whole operation in one call. I.e.:

ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx,
                         unsigned char *out, size_t max_out_len,
                         const unsigned char *nonce, size_t nonce_len,
                         const unsigned char *in, size_t in_len,
                         const unsigned char *ad, size_t ad_len);


Cheers

AGL

v2.23.0 | Report a Bug | By Email