Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00

2015-04-27 Thread Michael Richardson
Yoav Nir ynir.i...@gmail.com wrote: Second issue is about UI advice. Some implementations (yes, mine is included) allow the user to configure encryption algorithm, MAC algorithm, and D-H group. There is no setting for PRF since such UIs date back to IKEv1. The PRF is usually

Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00

2015-04-02 Thread Yaron Sheffer
Here's the reason that we do use the 32-bit salt value for GCM - to prevent batching attacks. Consider the case that an attacker is able to collect packets from a billion (2^30) sessions; each such session contains a packet with the same IV (say, IV=0), and contains a packet with the same

Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00

2015-04-02 Thread Yoav Nir
On Mar 31, 2015, at 1:49 PM, Tero Kivinen kivi...@iki.fi wrote: Yoav Nir writes: First is the nonce/IV question: In the current draft, there is a 64-bit IV with guidance not to repeat them (so use a counter or LFSR). The function itself accepts a 96-bit input nonce, so the nonce is

Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00

2015-04-02 Thread Yoav Nir
Subject: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00 Hi, There are two questions I would like guidance from the group about. First is the nonce/IV question: In the current draft, there is a 64-bit IV with guidance not to repeat them (so use a counter or LFSR

[IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00

2015-03-31 Thread Tero Kivinen
Yoav Nir writes: First is the nonce/IV question: In the current draft, there is a 64-bit IV with guidance not to repeat them (so use a counter or LFSR). The function itself accepts a 96-bit input nonce, so the nonce is constructed from the 64-bit IV and 32 zero bits. The reason for doing this

[IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00

2015-03-30 Thread Yoav Nir
Hi, There are two questions I would like guidance from the group about. First is the nonce/IV question: In the current draft, there is a 64-bit IV with guidance not to repeat them (so use a counter or LFSR). The function itself accepts a 96-bit input nonce, so the nonce is constructed from the

Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00

2015-03-30 Thread Yoav Nir
Arrgh. Please don’t reply-all to my previous message, because it was mistakenly directed to I-D announce… On Mar 30, 2015, at 5:39 PM, Yoav Nir ynir.i...@gmail.com wrote: Hi, There are two questions I would like guidance from the group about. First is the nonce/IV question: In the

Re: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00

2015-03-30 Thread Scott Fluhrer (sfluhrer)
-Original Message- From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav Nir Sent: Monday, March 30, 2015 10:40 AM To: internet-dra...@ietf.org Cc: ipsec@ietf.org; i-d-annou...@ietf.org Subject: [IPsec] Two questions about draft-ietf-ipsecme-chacha20-poly1305-00 Hi