Re: [TLS] I-D Action: draft-ietf-tls-chacha20-poly1305-01.txt

2015-11-06 Thread Adam Langley
On Tue, Nov 3, 2015 at 11:29 AM, Brian Smith wrote: > Brian Smith wrote: >> >> This way, one Poly1305 invocation per record could be saved, potentially, >> for application_data records, which is the common case. > > > This is still true, but... > >> >> An implementation that avoids sending encry

[TLS] I-D Action: draft-ietf-tls-chacha20-poly1305-02.txt

2015-11-06 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Transport Layer Security Working Group of the IETF. Title : ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) Authors : Adam Langl

Re: [TLS] I-D Action: draft-ietf-tls-chacha20-poly1305-01.txt

2015-11-06 Thread Adam Langley
On Tue, Nov 3, 2015 at 2:34 AM, Nikos Mavrogiannopoulos wrote: > I agree that protecting the length of the communicated data is > important, but there is nothing specific to this cipher. All modern TLS > ciphers today are stream ciphers (i.e., AES-GCM and AES-CCM (*)), so > they offer the same pro

Re: [TLS] I-D Action: draft-ietf-tls-chacha20-poly1305-01.txt

2015-11-06 Thread Adam Langley
On Tue, Nov 3, 2015 at 8:25 AM, Benjamin Kaduk wrote: > % 1. The 64-bit record sequence number is serialized as an 8-byte, > % big-endian value and padded on the left with 4 zeroes. > > I assume you mean zero octets/bytes, and not ASCII '0' (or EBCDIC, or ...) > > "padded on the left" als

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Watson Ladd
On Wed, Nov 4, 2015 at 3:43 PM, Dang, Quynh wrote: > I did not talk under indistinguishability framework. My discussion was about > confidentiality protection and authentication. What is the definition of "confidentiality protection" being used here? > > Quynh. > ___

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Tony Arcieri
On Friday, November 6, 2015, Watson Ladd wrote: > On Wed, Nov 4, 2015 at 3:43 PM, Dang, Quynh > wrote: > > I did not talk under indistinguishability framework. My discussion was > about confidentiality protection and authentication. > > What is the definition of "confidentiality protection" bei

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Eric Rescorla
Update: we discussed this extensively in Yokohama and based on Watson's feedback and offline comments from David McGrew, the consensus was that we needed to add some sort of rekeying mechanism to support long-lived flows. Expect a PR on this next week. Note: We'll still need guidance to implementa

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Dave Garrett
On Friday, November 06, 2015 08:13:44 pm Eric Rescorla wrote: > Update: we discussed this extensively in Yokohama and based on Watson's > feedback and offline comments from David McGrew, the consensus was that we > needed to add some sort of rekeying mechanism to support long-lived flows. > Expect

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Yoav Nir
> On 7 Nov 2015, at 11:39 AM, Dave Garrett wrote: > > On Friday, November 06, 2015 08:13:44 pm Eric Rescorla wrote: >> Update: we discussed this extensively in Yokohama and based on Watson's >> feedback and offline comments from David McGrew, the consensus was that we >> needed to add some sort

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Eric Rescorla
On Fri, Nov 6, 2015 at 7:46 PM, Yoav Nir wrote: > > > On 7 Nov 2015, at 11:39 AM, Dave Garrett wrote: > > > > On Friday, November 06, 2015 08:13:44 pm Eric Rescorla wrote: > >> Update: we discussed this extensively in Yokohama and based on Watson's > >> feedback and offline comments from David M

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Eric Rescorla
On Fri, Nov 6, 2015 at 6:39 PM, Dave Garrett wrote: > On Friday, November 06, 2015 08:13:44 pm Eric Rescorla wrote: > > Update: we discussed this extensively in Yokohama and based on Watson's > > feedback and offline comments from David McGrew, the consensus was that > we > > needed to add some s

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Eric Rescorla
On Fri, Nov 6, 2015 at 7:50 PM, Eric Rescorla wrote: > > > On Fri, Nov 6, 2015 at 7:46 PM, Yoav Nir wrote: > >> >> > On 7 Nov 2015, at 11:39 AM, Dave Garrett >> wrote: >> > >> > On Friday, November 06, 2015 08:13:44 pm Eric Rescorla wrote: >> >> Update: we discussed this extensively in Yokohama

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Dave Garrett
On Friday, November 06, 2015 10:54:02 pm Eric Rescorla wrote: > I don't believe time-based guidance is useful here, given that it's highly > situation specific rather than derived from reasoning about the properties > of the cipher. One reason to have a regular interval between rekeys is to ensure

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Dang, Quynh
Tony, You are correct. An Indistinguishability bound promises you no attacks will be below the bound assuming the claimed property(ies) of the underlying function in the construction (mode) hold(s). A distinguishing attack below the bound tells you that the construction or the underlying func

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Quynh Dang
Hi Eric and Watson, On Sat, Nov 7, 2015 at 12:50 PM, Eric Rescorla wrote: > > > On Fri, Nov 6, 2015 at 7:46 PM, Yoav Nir wrote: > >> >> > On 7 Nov 2015, at 11:39 AM, Dave Garrett >> wrote: >> > >> > On Friday, November 06, 2015 08:13:44 pm Eric Rescorla wrote: >> >> Update: we discussed this e