Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway (fwd)

2021-03-05 Thread Yoav Nir 


> On 3 Mar 2021, at 21:36, Dan Harkins  wrote:
> 
>  
>   Faster and more secure seem to be compelling reasons. Those reasons are
> probably more compelling for ESP than they are for IKE.

Yes. If we were back in 2008 and figuring out which AEAD we should be using and 
they were both as unencumbered as they are now, maybe we would prefer OCB over 
GCM. 13 years later, every IPsec implementation has AES-GCM, so to add OCB to a 
product, it needs to be significantly better.  I haven’t seen recent numbers, 
but if I remember correctly, the performance difference was in the single-digit 
percentage points. It’s harder to quantify the security differences, but I 
don’t think they were compelling.  However, these arguments apply to a product, 
not necessarily to the protocol.  Adding this as an option for IPsec (and IKE) 
is just fine, whether vendors adopt it or not.

> 
>   The license for OCB always had some caveats like the code could not be used
> for military purposes which is something of a nightmare for a manufacturer of
> general purpose hardware/software. Considering how difficult it would be to
> ensure that your product is never used by a military anywhere in the world,
> that's probably enough of a reason for TLS to not support it. Remember how
> long ECC was delayed for (imagined) IP reasons? 
> 
>   IP is bad news. People don't want anything to do with partially encumbered
> technology. Now this technology is not encumbered at all so, yea, let's do it.
> 
>   If an individual draft was to appear would the WG adopt it as a work item?

Up to the WG, but I would support it.

Yoav

> 
>   regards,
> 
>   Dan.
> 
> On 2/28/21 1:47 PM, Yoav Nir wrote:
>> IIRC the license has allowed OCB to be used for TLS for several years. They 
>> haven’t taken it up. There are no AES-OCB ciphersuites 
>> inhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4
>>  
>> https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4>
>> 
>> So I’m wondering right with you: It has a theoretical advantage in security 
>> and a measurable advantage in speed in software.  Neither were compelling 
>> enough for anyone to bother adding it in TLS ciphersuites.  Why should our 
>> conclusion be any different?
>> 
>> Yoav
>> 
>> 
>>> On 28 Feb 2021, at 22:35, Paul Wouters >> > wrote:
>>> 
>>> 
>>> So now that OCB is finally free, do we want to implement it? :)
>>> 
>>> I'm honestly not sure if the improvements of AES-GCM are worth it.
>>> I haven't heard of vulnerabilities in IKE/ESP wrt. IVs or counters.
>>> 
>>> Paul
>>> 
>>> -- Forwarded message --
>>> Date: Sat, 27 Feb 2021 14:37:30
>>> From: "Salz, Rich via cryptography" >> >
>>> To: "cryptogra...@metzdowd.com " 
>>> mailto:cryptogra...@metzdowd.com>>
>>> Subject: [Cryptography] Direct public confirmation from Dr. Rogaway
>>> 
>>> 
>>> https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/ 
>>>  :
>>> 
>>>  
>>> 
>>> I can confirm that I have abandoned all OCB patents
>>> 
>>> and placed into the public domain all OCB-related IP of mine.
>>> 
>>> While I have been telling people this for quite some time, I don't
>>> 
>>> think I ever made a proper announcement to the CFRG or on the
>>> 
>>> OCB webpage. Consider that done.
>>> 
>>>  
>>> 
>>> I hope people will use the scheme to do positive things.
>>> 
>>>  
>>> 
>>> phil
>>> 
>>> ___
>>> The cryptography mailing list
>>> cryptogra...@metzdowd.com 
>>> https://www.metzdowd.com/mailman/listinfo/cryptography 
>>> 
>>> ___
>>> IPsec mailing list
>>> IPsec@ietf.org 
>>> https://www.ietf.org/mailman/listinfo/ipsec 
>>> 
>> 
>> 
>> 
>> ___
>> IPsec mailing list
>> IPsec@ietf.org 
>> https://www.ietf.org/mailman/listinfo/ipsec 
>> 
> 
> -- 
> "The object of life is not to be on the side of the majority, but to
> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
> ___
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway (fwd)

2021-03-04 Thread Dan Harkins 


On 3/4/21 4:46 PM, Dan Brown wrote:

Sorry for foolishly forgetting about the OCB RFC, which specifies OCB3.

But that OCB3 RFC is from 2014, five-ish years before the OCB2 break.

  It says:

"The version of OCB defined in this document is a refinement of two
   prior schemes.  The original OCB version was published in 2001 [OCB1]
   and was listed as an optional component in IEEE 802.11i.  A second
   version was published in 2004 [OCB2] and is specified in ISO 19772.
   The scheme described here is called OCB3 in the 2011 paper describing
   the mode [OCB3]; it shall be referred to simply as OCB throughout
   this document.  The only difference between the algorithm of this RFC
   and that of the [OCB3] paper is that the tag length is now encoded
   into the internally formatted nonce.  See [OCB3] for complete
   references, timing information, and a discussion of the differences
   between the algorithms."

So this RFC describes OCB3.

Again, the OCB2 attack severely erodes my trust in OCB3, though maybe 
I'm an outlier. Maybe I'm also forgetting recent CFRG or other effort 
to regain trust in OCB3 relative to OCB2?


And it also says:

  "OCB has received years of in-depth analysis previous to its
   submission to the CFRG and has been under review by the members of
   the CFRG for over a year.  It is the consensus of the CFRG that the
   security mechanisms provided by the OCB AEAD algorithm described in
   this document are suitable for use in providing confidentiality and
   authentication."

  So CFRG has produced a document defining OCB3 and that document
represents the consensus of the CFRG. I'm not sure what else you think
CFRG should be doing but maybe mention it on the CFRG list instead of
IPsec. Also, Phil Rogaway is on the CFRG list but I don't think he's
on this one. If you have trust issues with OCB then maybe bring them
up with him there.

  Dan.




*From: *Dan Harkins 
*Sent: *Mar 4, 2021 5:29 PM
*To: *Dan Brown ; ipsec@ietf.org
*Subject: *Re: [IPsec] [Cryptography] Direct public confirmation from 
Dr. Rogaway (fwd)



  Hi Dan,

On 3/4/21 11:04 AM, Dan Brown wrote:


Deciding whether to use OCB sounds like a job for CFRG!

As I understand it, OCB2 is severely broken:
https://eprint.iacr.org/2019/311

<https://urldefense.proofpoint.com/v2/url?u=https-3A__eprint.iacr.org_2019_311&d=DwMDaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=mf6j6fOClApRsArWE9wqI1rEGUVkfxZ0aXWmn35nK_c&m=8aGCbnoSU7ozJ-QSzxHGokOgKsea7IZq6669KyaMNNA&s=bSN3q8CM03xYZRbPi2KanYD7GKxGF2HjAZ9AjTc5Nvk&e=>

That said, OCB1 and OCB3 may be just fine, but a broken OCB2 is
not a good sign.  All the more reason to defer to CFRG, unless
you want to play Monty Hall problem.




  CFRG already produced RFC 7253. That's really all they can
be expected to do. It's up to individual IETF WGs to define
how to use that cipher mode in their particular protocols.
That's where we come in.

  regards,

  Dan.


Dan

*From:* IPsec  *On Behalf Of *Dan Harkins
*Sent:* Wednesday, March 3, 2021 2:37 PM
    *To:* ipsec@ietf.org
    *Subject:* Re: [IPsec] [Cryptography] Direct public confirmation
from Dr. Rogaway (fwd)


  Faster and more secure seem to be compelling reasons. Those
reasons are
probably more compelling for ESP than they are for IKE.

  The license for OCB always had some caveats like the code could
not be used
for military purposes which is something of a nightmare for a
manufacturer of
general purpose hardware/software. Considering how difficult it
would be to
ensure that your product is never used by a military anywhere in
the world,
that's probably enough of a reason for TLS to not support it.
Remember how
long ECC was delayed for (imagined) IP reasons?

  IP is bad news. People don't want anything to do with partially
encumbered
technology. Now this technology is not encumbered at all so, yea,
let's do it.

  If an individual draft was to appear would the WG adopt it as a
work item?

  regards,

  Dan.

On 2/28/21 1:47 PM, Yoav Nir wrote:

IIRC the license has allowed OCB to be used for TLS for
several years. They haven’t taken it up. There are no AES-OCB
ciphersuites

inhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4
< >

So I’m wondering right with you: It has a theoretical
advantage in security and a measurable advantage in speed in
software.  Neither were compelling enough for anyone to
bother adding it in TLS ciphersuites.  Why should our
conclusion be any different?

Yoav



On 28 Feb 2021, at 22:35, Paul Wouters mailt

Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway (fwd)

2021-03-04 Thread Dan Brown 
Sorry for foolishly forgetting about the OCB RFC, which specifies OCB3.

But that OCB3 RFC is from 2014, five-ish years before the OCB2 break.

Again, the OCB2 attack severely erodes my trust in OCB3, though maybe I'm an 
outlier. Maybe I'm also forgetting recent CFRG or other effort to regain trust 
in OCB3 relative to OCB2?


From: Dan Harkins 
Sent: Mar 4, 2021 5:29 PM
To: Dan Brown ; ipsec@ietf.org
Subject: Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway 
(fwd)


  Hi Dan,

On 3/4/21 11:04 AM, Dan Brown wrote:
Deciding whether to use OCB sounds like a job for CFRG!

As I understand it, OCB2 is severely broken: 
https://eprint.iacr.org/2019/311<https://urldefense.proofpoint.com/v2/url?u=https-3A__eprint.iacr.org_2019_311&d=DwMDaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=mf6j6fOClApRsArWE9wqI1rEGUVkfxZ0aXWmn35nK_c&m=8aGCbnoSU7ozJ-QSzxHGokOgKsea7IZq6669KyaMNNA&s=bSN3q8CM03xYZRbPi2KanYD7GKxGF2HjAZ9AjTc5Nvk&e=>

That said, OCB1 and OCB3 may be just fine, but a broken OCB2 is not a good 
sign.  All the more reason to defer to CFRG, unless you want to play Monty Hall 
problem.


  CFRG already produced RFC 7253. That's really all they can
be expected to do. It's up to individual IETF WGs to define
how to use that cipher mode in their particular protocols.
That's where we come in.

  regards,

  Dan.

Dan

From: IPsec <mailto:ipsec-boun...@ietf.org> On Behalf 
Of Dan Harkins
Sent: Wednesday, March 3, 2021 2:37 PM
To: ipsec@ietf.org<mailto:ipsec@ietf.org>
Subject: Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway 
(fwd)


  Faster and more secure seem to be compelling reasons. Those reasons are
probably more compelling for ESP than they are for IKE.

  The license for OCB always had some caveats like the code could not be used
for military purposes which is something of a nightmare for a manufacturer of
general purpose hardware/software. Considering how difficult it would be to
ensure that your product is never used by a military anywhere in the world,
that's probably enough of a reason for TLS to not support it. Remember how
long ECC was delayed for (imagined) IP reasons?

  IP is bad news. People don't want anything to do with partially encumbered
technology. Now this technology is not encumbered at all so, yea, let's do it.

  If an individual draft was to appear would the WG adopt it as a work item?

  regards,

  Dan.
On 2/28/21 1:47 PM, Yoav Nir wrote:
IIRC the license has allowed OCB to be used for TLS for several years. They 
haven’t taken it up. There are no AES-OCB ciphersuites 
inhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4

So I’m wondering right with you: It has a theoretical advantage in security and 
a measurable advantage in speed in software.  Neither were compelling enough 
for anyone to bother adding it in TLS ciphersuites.  Why should our conclusion 
be any different?

Yoav



On 28 Feb 2021, at 22:35, Paul Wouters mailto:p...@nohats.ca>> 
wrote:


So now that OCB is finally free, do we want to implement it? :)

I'm honestly not sure if the improvements of AES-GCM are worth it.
I haven't heard of vulnerabilities in IKE/ESP wrt. IVs or counters.

Paul

-- Forwarded message --
Date: Sat, 27 Feb 2021 14:37:30
From: "Salz, Rich via cryptography" 
mailto:cryptogra...@metzdowd.com>>
To: "cryptogra...@metzdowd.com<mailto:cryptogra...@metzdowd.com>" 
mailto:cryptogra...@metzdowd.com>>
Subject: [Cryptography] Direct public confirmation from Dr. Rogaway


https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/<https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_msg_cfrg_qLTveWOdTJcLn4HP3ev-2Dvrj05Vg_&d=DwMDaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=qkpbVDRj7zlSRVql-UonsW647lYqnsrbXizKI6MgkEw&m=2DcLjYKtazJ6kYTZx5uowgB-qJRp6_C8W0rBOr7ZOUI&s=LZV-8STdDDeui1TmXz2JORn2wTtSrkJa_-l3hZK-AO8&e=>
 :



I can confirm that I have abandoned all OCB patents

and placed into the public domain all OCB-related IP of mine.

While I have been telling people this for quite some time, I don't

think I ever made a proper announcement to the CFRG or on the

OCB webpage. Consider that done.



I hope people will use the scheme to do positive things.



phil

___
The cryptography mailing list
cryptogra...@metzdowd.com<mailto:cryptogra...@metzdowd.com>
https://www.metzdowd.com/mailman/listinfo/cryptography<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.metzdowd.com_mailman_listinfo_cryptography&d=DwMDaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=qkpbVDRj7zlSRVql-UonsW647lYqnsrbXizKI6MgkEw&m=2DcLjYKtazJ6kYTZx5uowgB-qJRp6_C8W0rBOr7ZOUI&s=_9IPM1exZqE6F4PLBAvpqDF-bHkBi5JPiUyq3eeyfwo&a

Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway (fwd)

2021-03-04 Thread Dan Harkins 


  Hi Dan,

On 3/4/21 11:04 AM, Dan Brown wrote:


Deciding whether to use OCB sounds like a job for CFRG!

As I understand it, OCB2 is severely broken: 
https://eprint.iacr.org/2019/311


That said, OCB1 and OCB3 may be just fine, but a broken OCB2 is not a 
good sign.  All the more reason to defer to CFRG, unless you want to 
play Monty Hall problem.





  CFRG already produced RFC 7253. That's really all they can
be expected to do. It's up to individual IETF WGs to define
how to use that cipher mode in their particular protocols.
That's where we come in.

  regards,

  Dan.


Dan

*From:* IPsec  *On Behalf Of *Dan Harkins
*Sent:* Wednesday, March 3, 2021 2:37 PM
*To:* ipsec@ietf.org
*Subject:* Re: [IPsec] [Cryptography] Direct public confirmation from 
Dr. Rogaway (fwd)



  Faster and more secure seem to be compelling reasons. Those reasons are
probably more compelling for ESP than they are for IKE.

  The license for OCB always had some caveats like the code could not 
be used
for military purposes which is something of a nightmare for a 
manufacturer of
general purpose hardware/software. Considering how difficult it would 
be to
ensure that your product is never used by a military anywhere in the 
world,

that's probably enough of a reason for TLS to not support it. Remember how
long ECC was delayed for (imagined) IP reasons?

  IP is bad news. People don't want anything to do with partially 
encumbered
technology. Now this technology is not encumbered at all so, yea, 
let's do it.


  If an individual draft was to appear would the WG adopt it as a work 
item?


  regards,

  Dan.

On 2/28/21 1:47 PM, Yoav Nir wrote:

IIRC the license has allowed OCB to be used for TLS for several
years. They haven’t taken it up. There are no AES-OCB ciphersuites

inhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4


So I’m wondering right with you: It has a theoretical advantage in
security and a measurable advantage in speed in software.  Neither
were compelling enough for anyone to bother adding it in TLS
ciphersuites.  Why should our conclusion be any different?

Yoav



On 28 Feb 2021, at 22:35, Paul Wouters mailto:p...@nohats.ca>> wrote:


So now that OCB is finally free, do we want to implement it? :)

I'm honestly not sure if the improvements of AES-GCM are worth it.
I haven't heard of vulnerabilities in IKE/ESP wrt. IVs or
counters.

Paul

-- Forwarded message --
Date: Sat, 27 Feb 2021 14:37:30
From: "Salz, Rich via cryptography" mailto:cryptogra...@metzdowd.com>>
To: "cryptogra...@metzdowd.com
<mailto:cryptogra...@metzdowd.com>" mailto:cryptogra...@metzdowd.com>>
Subject: [Cryptography] Direct public confirmation from Dr.
Rogaway


https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/

<https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_msg_cfrg_qLTveWOdTJcLn4HP3ev-2Dvrj05Vg_&d=DwMDaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=qkpbVDRj7zlSRVql-UonsW647lYqnsrbXizKI6MgkEw&m=2DcLjYKtazJ6kYTZx5uowgB-qJRp6_C8W0rBOr7ZOUI&s=LZV-8STdDDeui1TmXz2JORn2wTtSrkJa_-l3hZK-AO8&e=>
:



I can confirm that I have abandoned all OCB patents

and placed into the public domain all OCB-related IP of mine.

While I have been telling people this for quite some time, I don't

think I ever made a proper announcement to the CFRG or on the

OCB webpage. Consider that done.



I hope people will use the scheme to do positive things.



phil

___
The cryptography mailing list
cryptogra...@metzdowd.com <mailto:cryptogra...@metzdowd.com>
https://www.metzdowd.com/mailman/listinfo/cryptography

<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.metzdowd.com_mailman_listinfo_cryptography&d=DwMDaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=qkpbVDRj7zlSRVql-UonsW647lYqnsrbXizKI6MgkEw&m=2DcLjYKtazJ6kYTZx5uowgB-qJRp6_C8W0rBOr7ZOUI&s=_9IPM1exZqE6F4PLBAvpqDF-bHkBi5JPiUyq3eeyfwo&e=>
___
IPsec mailing list
IPsec@ietf.org <mailto:IPsec@ietf.org>
https://www.ietf.org/mailman/listinfo/ipsec

<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_ipsec&d=DwMDaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=qkpbVDRj7zlSRVql-UonsW647lYqnsrbXizKI6MgkEw&m=2DcLjYKtazJ6kYTZx5uowgB-qJRp6_C8W0rBOr7ZOUI&s=B4s3eO4jZ5UhqwAPEQu9SxQaSVWKuM4HcC1moozCyBc&e=>



___

IPsec mailing list

IPsec@ietf.org

Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway (fwd)

2021-03-04 Thread Dan Brown 
Deciding whether to use OCB sounds like a job for CFRG!

 

As I understand it, OCB2 is severely broken: https://eprint.iacr.org/2019/311

 

That said, OCB1 and OCB3 may be just fine, but a broken OCB2 is not a good 
sign.  All the more reason to defer to CFRG, unless you want to play Monty Hall 
problem.

​

Dan

 

From: IPsec  On Behalf Of Dan Harkins
Sent: Wednesday, March 3, 2021 2:37 PM
To: ipsec@ietf.org
Subject: Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway 
(fwd)

 

 
  Faster and more secure seem to be compelling reasons. Those reasons are
probably more compelling for ESP than they are for IKE.

  The license for OCB always had some caveats like the code could not be used
for military purposes which is something of a nightmare for a manufacturer of
general purpose hardware/software. Considering how difficult it would be to
ensure that your product is never used by a military anywhere in the world,
that's probably enough of a reason for TLS to not support it. Remember how
long ECC was delayed for (imagined) IP reasons? 

  IP is bad news. People don't want anything to do with partially encumbered
technology. Now this technology is not encumbered at all so, yea, let's do it.

  If an individual draft was to appear would the WG adopt it as a work item?

  regards,

  Dan.

On 2/28/21 1:47 PM, Yoav Nir wrote:

IIRC the license has allowed OCB to be used for TLS for several years. They 
haven’t taken it up. There are no AES-OCB ciphersuites 
inhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4
 

 

So I’m wondering right with you: It has a theoretical advantage in security and 
a measurable advantage in speed in software.  Neither were compelling enough 
for anyone to bother adding it in TLS ciphersuites.  Why should our conclusion 
be any different?

 

Yoav

 





On 28 Feb 2021, at 22:35, Paul Wouters mailto:p...@nohats.ca> 
> wrote:

 


So now that OCB is finally free, do we want to implement it? :)

I'm honestly not sure if the improvements of AES-GCM are worth it.
I haven't heard of vulnerabilities in IKE/ESP wrt. IVs or counters.

Paul

-- Forwarded message --
Date: Sat, 27 Feb 2021 14:37:30
From: "Salz, Rich via cryptography" mailto:cryptogra...@metzdowd.com> >
To: "cryptogra...@metzdowd.com <mailto:cryptogra...@metzdowd.com> " 
mailto:cryptogra...@metzdowd.com> >
Subject: [Cryptography] Direct public confirmation from Dr. Rogaway


https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/ 
<https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_msg_cfrg_qLTveWOdTJcLn4HP3ev-2Dvrj05Vg_&d=DwMDaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=qkpbVDRj7zlSRVql-UonsW647lYqnsrbXizKI6MgkEw&m=2DcLjYKtazJ6kYTZx5uowgB-qJRp6_C8W0rBOr7ZOUI&s=LZV-8STdDDeui1TmXz2JORn2wTtSrkJa_-l3hZK-AO8&e=>
  :

 

I can confirm that I have abandoned all OCB patents

and placed into the public domain all OCB-related IP of mine.

While I have been telling people this for quite some time, I don't

think I ever made a proper announcement to the CFRG or on the

OCB webpage. Consider that done.

 

I hope people will use the scheme to do positive things.

 

phil

___
The cryptography mailing list
cryptogra...@metzdowd.com <mailto:cryptogra...@metzdowd.com> 
https://www.metzdowd.com/mailman/listinfo/cryptography 
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.metzdowd.com_mailman_listinfo_cryptography&d=DwMDaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=qkpbVDRj7zlSRVql-UonsW647lYqnsrbXizKI6MgkEw&m=2DcLjYKtazJ6kYTZx5uowgB-qJRp6_C8W0rBOr7ZOUI&s=_9IPM1exZqE6F4PLBAvpqDF-bHkBi5JPiUyq3eeyfwo&e=>
 
___
IPsec mailing list
IPsec@ietf.org <mailto:IPsec@ietf.org> 
https://www.ietf.org/mailman/listinfo/ipsec 
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_ipsec&d=DwMDaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=qkpbVDRj7zlSRVql-UonsW647lYqnsrbXizKI6MgkEw&m=2DcLjYKtazJ6kYTZx5uowgB-qJRp6_C8W0rBOr7ZOUI&s=B4s3eO4jZ5UhqwAPEQu9SxQaSVWKuM4HcC1moozCyBc&e=>
 

 





___
IPsec mailing list
IPsec@ietf.org <mailto:IPsec@ietf.org> 
https://www.ietf.org/mailman/listinfo/ipsec 
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_ipsec&d=DwMDaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=qkpbVDRj7zlSRVql-UonsW647lYqnsrbXizKI6MgkEw&m=2DcLjYKtazJ6kYTZx5uowgB-qJRp6_C8W0rBOr7ZOUI&s=B4s3eO4jZ5UhqwAPEQu9SxQaSVWKuM4HcC1moozCyBc&e=>
 





-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

-

Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway (fwd)

2021-03-04 Thread Tero Kivinen 
Dan Harkins writes:
> If an individual draft was to appear would the WG adopt it as a work item?

Can't say what WG would decide, but I would support such work, and
would be willing to start a process to adding such item to charter if
WG feels that is something we want to do. 
-- 
kivi...@iki.fi

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway (fwd)

2021-03-03 Thread Graham Bartlett 
Hi Dan

Glad you replied to this, OCB seems to be a hot topic at the moment. There
seems to be some interest in this simply due to the potential speed
increase.

Would anyone know the potential % difference in speed compared to GCM ?

In summary I think it should be discussed.

cheers

On Wed, Mar 3, 2021 at 7:37 PM Dan Harkins  wrote:

>
>   Faster and more secure seem to be compelling reasons. Those reasons are
> probably more compelling for ESP than they are for IKE.
>
>   The license for OCB always had some caveats like the code could not be
> used
> for military purposes which is something of a nightmare for a manufacturer
> of
> general purpose hardware/software. Considering how difficult it would be to
> ensure that your product is never used by a military anywhere in the world,
> that's probably enough of a reason for TLS to not support it. Remember how
> long ECC was delayed for (imagined) IP reasons?
>
>   IP is bad news. People don't want anything to do with partially
> encumbered
> technology. Now this technology is not encumbered at all so, yea, let's do
> it.
>
>   If an individual draft was to appear would the WG adopt it as a work
> item?
>
>   regards,
>
>   Dan.
>
> On 2/28/21 1:47 PM, Yoav Nir wrote:
>
> IIRC the license has allowed OCB to be used for TLS for several years.
> They haven’t taken it up. There are no AES-OCB ciphersuites
> inhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4
>
> So I’m wondering right with you: It has a theoretical advantage in
> security and a measurable advantage in speed in software.  Neither were
> compelling enough for anyone to bother adding it in TLS ciphersuites.  Why
> should our conclusion be any different?
>
> Yoav
>
>
> On 28 Feb 2021, at 22:35, Paul Wouters  wrote:
>
>
> So now that OCB is finally free, do we want to implement it? :)
>
> I'm honestly not sure if the improvements of AES-GCM are worth it.
> I haven't heard of vulnerabilities in IKE/ESP wrt. IVs or counters.
>
> Paul
>
> -- Forwarded message --
> Date: Sat, 27 Feb 2021 14:37:30
> From: "Salz, Rich via cryptography" 
> To: "cryptogra...@metzdowd.com" 
> Subject: [Cryptography] Direct public confirmation from Dr. Rogaway
>
>
> https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/ :
>
>
>
> I can confirm that I have abandoned all OCB patents
>
> and placed into the public domain all OCB-related IP of mine.
>
> While I have been telling people this for quite some time, I don't
>
> think I ever made a proper announcement to the CFRG or on the
>
> OCB webpage. Consider that done.
>
>
>
> I hope people will use the scheme to do positive things.
>
>
>
> phil
>
> ___
> The cryptography mailing list
> cryptogra...@metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography
> ___
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
>
> ___
> IPsec mailing listIPsec@ietf.orghttps://www.ietf.org/mailman/listinfo/ipsec
>
>
> --
> "The object of life is not to be on the side of the majority, but to
> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>
> ___
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway (fwd)

2021-03-03 Thread Dan Harkins 


  Faster and more secure seem to be compelling reasons. Those reasons are
probably more compelling for ESP than they are for IKE.

  The license for OCB always had some caveats like the code could not 
be used
for military purposes which is something of a nightmare for a 
manufacturer of

general purpose hardware/software. Considering how difficult it would be to
ensure that your product is never used by a military anywhere in the world,
that's probably enough of a reason for TLS to not support it. Remember how
long ECC was delayed for (imagined) IP reasons?

  IP is bad news. People don't want anything to do with partially 
encumbered
technology. Now this technology is not encumbered at all so, yea, let's 
do it.


  If an individual draft was to appear would the WG adopt it as a work 
item?


  regards,

  Dan.

On 2/28/21 1:47 PM, Yoav Nir wrote:
IIRC the license has allowed OCB to be used for TLS for several years. 
They haven’t taken it up. There are no AES-OCB ciphersuites 
inhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4 



So I’m wondering right with you: It has a theoretical advantage in 
security and a measurable advantage in speed in software.  Neither 
were compelling enough for anyone to bother adding it in TLS 
ciphersuites.  Why should our conclusion be any different?


Yoav


On 28 Feb 2021, at 22:35, Paul Wouters > wrote:



So now that OCB is finally free, do we want to implement it? :)

I'm honestly not sure if the improvements of AES-GCM are worth it.
I haven't heard of vulnerabilities in IKE/ESP wrt. IVs or counters.

Paul

-- Forwarded message --
Date: Sat, 27 Feb 2021 14:37:30
From: "Salz, Rich via cryptography" >
To: "cryptogra...@metzdowd.com " 
mailto:cryptogra...@metzdowd.com>>

Subject: [Cryptography] Direct public confirmation from Dr. Rogaway


https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/ :



I can confirm that I have abandoned all OCB patents

and placed into the public domain all OCB-related IP of mine.

While I have been telling people this for quite some time, I don't

think I ever made a proper announcement to the CFRG or on the

OCB webpage. Consider that done.



I hope people will use the scheme to do positive things.



phil

___
The cryptography mailing list
cryptogra...@metzdowd.com 
https://www.metzdowd.com/mailman/listinfo/cryptography
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec



___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


--
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Re: [IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway (fwd)

2021-02-28 Thread Yoav Nir 
IIRC the license has allowed OCB to be used for TLS for several years. They 
haven’t taken it up. There are no AES-OCB ciphersuites 
inhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4
 
https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4>

So I’m wondering right with you: It has a theoretical advantage in security and 
a measurable advantage in speed in software.  Neither were compelling enough 
for anyone to bother adding it in TLS ciphersuites.  Why should our conclusion 
be any different?

Yoav


> On 28 Feb 2021, at 22:35, Paul Wouters  wrote:
> 
> 
> So now that OCB is finally free, do we want to implement it? :)
> 
> I'm honestly not sure if the improvements of AES-GCM are worth it.
> I haven't heard of vulnerabilities in IKE/ESP wrt. IVs or counters.
> 
> Paul
> 
> -- Forwarded message --
> Date: Sat, 27 Feb 2021 14:37:30
> From: "Salz, Rich via cryptography" 
> To: "cryptogra...@metzdowd.com" 
> Subject: [Cryptography] Direct public confirmation from Dr. Rogaway
> 
> 
> https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/ :
> 
>  
> 
> I can confirm that I have abandoned all OCB patents
> 
> and placed into the public domain all OCB-related IP of mine.
> 
> While I have been telling people this for quite some time, I don't
> 
> think I ever made a proper announcement to the CFRG or on the
> 
> OCB webpage. Consider that done.
> 
>  
> 
> I hope people will use the scheme to do positive things.
> 
>  
> 
> phil
> 
> ___
> The cryptography mailing list
> cryptogra...@metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography
> ___
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

[IPsec] [Cryptography] Direct public confirmation from Dr. Rogaway (fwd)

2021-02-28 Thread Paul Wouters 


So now that OCB is finally free, do we want to implement it? :)

I'm honestly not sure if the improvements of AES-GCM are worth it.
I haven't heard of vulnerabilities in IKE/ESP wrt. IVs or counters.

Paul

-- Forwarded message --
Date: Sat, 27 Feb 2021 14:37:30
From: "Salz, Rich via cryptography" 
To: "cryptogra...@metzdowd.com" 
Subject: [Cryptography] Direct public confirmation from Dr. Rogaway


https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/ :

 

I can confirm that I have abandoned all OCB patents

and placed into the public domain all OCB-related IP of mine.

While I have been telling people this for quite some time, I don't

think I ever made a proper announcement to the CFRG or on the

OCB webpage. Consider that done.

 

I hope people will use the scheme to do positive things.

 

phil

___
The cryptography mailing list
cryptogra...@metzdowd.com
https://www.metzdowd.com/mailman/listinfo/cryptography
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec