Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: crypto/tls: add support for AES-CCM #27484

Open
igolaizola opened this Issue Sep 4, 2018 · 10 comments

Comments

Projects
None yet
6 participants
@igolaizola
Copy link

igolaizola commented Sep 4, 2018

Hi! I am working in a project that requires AES-CCM cipher suite within TLS. I know that crypto/tls aims to support a limited safe subset of TLS. But since TLS 1.3 will only support the following cipher suites:

TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256

Reducing that list from 5 to only 3 choices seems pretty unfair.

I've seen some working golang AES-CCM implementations around github. Is there any specific reason why this cipher suite is not included?

Thanks!

Update:
Another option could be to port the code from BoringSSL: https://github.com/google/boringssl/blob/master/crypto/cipher_extra/e_aesccm.c

/cc @FiloSottile @agl

@andybons andybons changed the title crypto/tls: add support for AES-CCM proposal: crypto/tls: add support for AES-CCM Sep 4, 2018

@gopherbot gopherbot added this to the Proposal milestone Sep 4, 2018

@FiloSottile

This comment has been minimized.

Copy link
Member

FiloSottile commented Sep 5, 2018

I don't believe we need AES-CCM. Ideally, we would only support one or two ciphersuites at a time, and I intend to emulate BoringSSL in not exposing any choice of ciphersuite in TLS 1.3, selecting the fastest between AES-GCM and ChaCha20 based on hardware support (or the one preferred by the client based on PreferServerCipherSuites). As long as the default is fast and secure, the end user shouldn't have to make a decision on cipher block modes.

I don't think there's a fairness argument to the number of choices, as long as most users are served by the available options. If you believe I'm missing a concrete use case for AES-CCM that's not covered by the other supported ciphersuites, please do follow up.

@igolaizola

This comment has been minimized.

Copy link
Author

igolaizola commented Sep 6, 2018

@FiloSottile the missing use case is quite simple: IoT device where using AES-CCM is faster/consumes less than AES-GCM and connecting through TLS to a cloud service implemented in golang.

@glerchundi

This comment has been minimized.

Copy link

glerchundi commented Sep 13, 2018

I disagree @FiloSottile, most of the current battery-powered IoT devices doesn't have accelerated Galois mode of authentication which force us to use the software based ChaCha20-Poly1305.

That is a deal breaker for lots of devices already deployed where only hardware-accelerated AES is available. In our internal tests AES (HW), CCM (SW) is much more efficient (for a battery draining POV) than ChaCha20-Poly1305. Although there are already known flaws in AES-CCM combo I think it's worth implementing it.

Perhaps you can tell me why does IETF board included this cipher combo in TLS 1.3?

Can you reconsider this?

@FiloSottile

This comment has been minimized.

Copy link
Member

FiloSottile commented Sep 13, 2018

I'm reopening this to see how popular this request is and to look more into the AES-CCM mode (what "known flaws" are you referring to?), but 1) crypto/tls takes a minimalist approach, and 2) carrying a performant AES-CCM would probably cause us to carry extra assembly implementations, which is a deal-breaker at least for now.

@glerchundi

This comment has been minimized.

Copy link

glerchundi commented Sep 20, 2018

Thanks at least for thinking it twice.

  1. More than flaws, they are probable attacks:
  2. Why not just a pure-go implementation for the initial phase?
@Dirbaio

This comment has been minimized.

Copy link

Dirbaio commented Oct 1, 2018

I'm also finding myself in need of an AES-CCM implementation to communicate with an IoT device (Custom protocol, not TLS, though). And again, AES-CCM is the cipher of choice due to having hardware-accelerated AES.

So +1 on this.

(Also, the attacks linked above are power analysis attacks against hardware implementations. They're not cryptanalytic attacks against the algorithm itself. I don't believe they are reasons to not include CCM)

@igolaizola

This comment has been minimized.

Copy link
Author

igolaizola commented Oct 24, 2018

In case this proposal gets approved there is a valid CCM implementation at https://github.com/bocajim/dtls

I have submitted a MR (golang/crypto#62) but it was denied because I am not the author of the code and because this proposal must be approved first.

/cc @bocajim @jimwert

@glerchundi

This comment has been minimized.

Copy link

glerchundi commented Feb 6, 2019

Friendly ping, including also to (maybe) interested parties (@agl @bradfitz)

@FiloSottile

This comment has been minimized.

Copy link
Member

FiloSottile commented Feb 7, 2019

The cost of carrying assembly implementations has unfortunately not improved, so this is still on hold for the same reasons here #27484 (comment).

@igolaizola

This comment has been minimized.

Copy link
Author

igolaizola commented Feb 10, 2019

What about an AES-CCM implementation without assembly optimizations? This will allow IoT devices with AES acceleration to connect to a server running golang code even if the server is not optimized. The bottleneck here will be probably the IoT device, not the server anyway.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.