On Wed, Dec 06, 2023 at 03:46:32PM +0000, John Mattsson wrote:
> That sounds great.
> 
> Who is doing the work of adding “for TLS 1.3 and later”?
> 
> My understanding is that the currently registered TLS 1.3 cipher suites are:
> 
> Value Description
> 0x13,0x01 TLS_AES_128_GCM_SHA256
> 0x13,0x02 TLS_AES_256_GCM_SHA384
> 0x13,0x03 TLS_CHACHA20_POLY1305_SHA256
> 0x13,0x04 TLS_AES_128_CCM_SHA256
> 0x13,0x05 TLS_AES_128_CCM_8_SHA256
> 0x13,0x06 TLS_AEGIS_256_SHA512
> 0x13,0x07 TLS_AEGIS_128L_SHA256
> 0xC0,0xB0 TLS_ECCPWD_WITH_AES_128_GCM_SHA256
> 0xC0,0xB1 TLS_ECCPWD_WITH_AES_256_GCM_SHA384
> 0xC0,0xB2 TLS_ECCPWD_WITH_AES_128_CCM_SHA256
> 0xC0,0xB3 TLS_ECCPWD_WITH_AES_256_CCM_SHA384
> 0xC0,0xB4 TLS_SHA256_SHA256
> 0xC0,0xB5 TLS_SHA384_SHA384
> 0xC1,0x03 TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L
> 0xC1,0x04 TLS_GOSTR341112_256_WITH_MAGMA_MGM_L
> 0xC1,0x05 TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S
> 0xC1,0x06 TLS_GOSTR341112_256_WITH_MAGMA_MGM_S


Also,

0x00,0xC6 TLS_SM4_GCM_SM3
0x00,0xC7 TLS_SM4_CCM_SM3

Both are explicitly flagged as not OK for DTLS. However, they use GCM/CCM
in the usual way, so it is not difficult to define how those would work in
DTLS or QUIC (just copy what AES-128 does there).


> Note that “for TLS 1.3 and later” and “DTLS-OK” is not enough as some
> cipher suites (the _ECCPWD_ ones) seem to be valid for TLS 1.2,
> TLS 1.3, DTLS 1.2 but not DTLS 1.3….

If the _ECCPWD_ ones work for TLS 1.3, why wouldn't those work for DTLS
1.3 or QUIC? Those ciphersuites use AES in the standard way, and DTLS/QUIC
do serialize the flights.


> Do we need some guidance/requirements on naming and use of TLS 1.3
> cipher suites? The _ECCPWD_ ones seem to include authentication in
> the TLS 1.3. The _GOSTR341112_ seems to include authentication and
> key exchange…. I did not think this was how TLS 1.3 cipher suites
> were supposed to be used.

Well, _ECCPWD_ is just a special snowflake as it modifies the key
exchange (I haven't checked if what it does actually works). The GOST
ciphers do not seem to do anything special with key exchange (unlike
other things, like seemingly rekeying for every record), so those
presumably should just be TLS_KUZNYECHIK_* and TLS_MAGMA_*.

The rekey-every-record the GOST ciphers do could pose a problem for
defining a mapping to DTLS or QUIC... Unless it is done the way AES-GCM
was added to SECSH (a.k.a. SSH).

-Ilari
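As an added illustration of what "copy what AES-128 does there" means for a GCM/CCM suite (this is example code written for this page, not something from the thread or from any IETF document), here is the per-record nonce construction that TLS 1.3 (RFC 8446, section 5.3) and QUIC (RFC 9001, section 5.3) share: encode the record or packet number big-endian, left-pad it to the IV length, XOR with the static write IV. A suite that only plugs a different AEAD into this construction needs nothing new for DTLS or QUIC; a suite that derives a fresh key per record (the GOST concern above) cannot reuse it unchanged. The IV bytes below are constructed sample values, not test vectors from any specification, and the DTLS 1.3 record-number composition is deliberately not modelled: the function simply takes the 64-bit number the caller supplies.

```python
# Added example: per-record AEAD nonce derivation as used by TLS 1.3 and
# QUIC for AES-GCM / AES-CCM (same rule for any AEAD with a static IV).

from typing import Iterable, List


def per_record_nonce(static_iv: bytes, record_number: int) -> bytes:
    """Return the AEAD nonce for one record (TLS 1.3) or packet (QUIC).

    TLS 1.3: record_number is the 64-bit record sequence number.
    QUIC:    record_number is the reconstructed (up to 62-bit) packet number.
    The number is encoded big-endian, left-padded with zero bytes to
    len(static_iv), and XORed with the static client/server write IV.
    """
    if len(static_iv) < 8:
        # GCM and CCM in TLS 1.3 use a 12-byte IV; anything shorter than
        # 8 bytes cannot even hold the sequence number.
        raise ValueError("AEAD IV must be at least 8 bytes (12 for GCM/CCM)")
    if not 0 <= record_number < 2 ** 64:
        raise ValueError("record number must fit in 64 bits")
    padded = record_number.to_bytes(len(static_iv), "big")
    return bytes(a ^ b for a, b in zip(static_iv, padded))


def find_nonce_reuse(static_iv: bytes, record_numbers: Iterable[int]) -> List[int]:
    """Return the record numbers whose nonce repeats an earlier one.

    The mapping from record number to nonce is injective, so a repeated
    nonce under one key can only come from a repeated record number.
    For GCM that is the failure mode a DTLS/QUIC mapping must rule out:
    a retransmitted or reordered record must never reuse its old number.
    """
    seen = set()
    reused = []
    for n in record_numbers:
        nonce = per_record_nonce(static_iv, n)
        if nonce in seen:
            reused.append(n)
        seen.add(nonce)
    return reused


if __name__ == "__main__":
    # Constructed sample IV (not a real key schedule output).
    sample_iv = bytes.fromhex("0102030405060708090a0b0c")
    for seq in (0, 1, 0x0C, 2 ** 48 - 1):
        print(f"record {seq:>16}: nonce {per_record_nonce(sample_iv, seq).hex()}")
    # A constructed stream where two record numbers are (wrongly) reused.
    print("reused:", find_nonce_reuse(sample_iv, [0, 1, 2, 1, 3, 0]))
```

The point of `find_nonce_reuse` is the defensive check, not the derivation itself: when mapping an AEAD suite onto a datagram transport, the record/packet numbering is what guarantees nonce uniqueness, so that numbering (not the cipher) is what a DTLS or QUIC profile has to specify.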

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls