Go: proposal: crypto/tls: add support for AES-CCM

I don't believe we need AES-CCM. Ideally, we would only support one or two ciphersuites at a time, and I intend to emulate BoringSSL in not exposing any choice of ciphersuite in TLS 1.3, selecting the fastest between AES-GCM and ChaCha20 based on hardware support (or the one preferred by the client based on PreferServerCipherSuites). As long as the default is fast and secure, the end user shouldn't have to make a decision on cipher block modes.

I don't think there's a fairness argument to the number of choices, as long as most users are served by the available options. If you believe I'm missing a concrete use case for AES-CCM that's not covered by the other supported ciphersuites, please do follow up.

@FiloSottile the missing use case is quite simple: IoT device where using AES-CCM is faster/consumes less than AES-GCM and connecting through TLS to a cloud service implemented in golang.

I disagree @FiloSottile, most of the current battery-powered IoT devices doesn't have accelerated Galois mode of authentication which force us to use the software based ChaCha20-Poly1305.

That is a deal breaker for lots of devices already deployed where only hardware-accelerated AES is available. In our internal tests AES (HW), CCM (SW) is much more efficient (for a battery draining POV) than ChaCha20-Poly1305. Although there are already known flaws in AES-CCM combo I think it's worth implementing it.

Perhaps you can tell me why does IETF board included this cipher combo in TLS 1.3?

Can you reconsider this?

I'm reopening this to see how popular this request is and to look more into the AES-CCM mode (what "known flaws" are you referring to?), but 1) crypto/tls takes a minimalist approach, and 2) carrying a performant AES-CCM would probably cause us to carry extra assembly implementations, which is a deal-breaker at least for now.

Thanks at least for thinking it twice.

1. More than flaws, they are probable attacks:
   
   
   
   • https://wiki.newae.com/AES-CCM_Attack
   
   
   • https://eprint.iacr.org/2015/529.pdf
   
   
2. Why not just a pure-go implementation for the initial phase?

I'm also finding myself in need of an AES-CCM implementation to communicate with an IoT device (Custom protocol, not TLS, though). And again, AES-CCM is the cipher of choice due to having hardware-accelerated AES.

So +1 on this.

(Also, the attacks linked above are power analysis attacks against hardware implementations. They're not cryptanalytic attacks against the algorithm itself. I don't believe they are reasons to not include CCM)

In case this proposal gets approved there is a valid CCM implementation at https://github.com/bocajim/dtls

I have submitted a MR (https://github.com/golang/crypto/pull/62) but it was denied because I am not the author of the code and because this proposal must be approved first.

/cc @bocajim @jimwert

Friendly ping, including also to (maybe) interested parties (@agl @bradfitz)

The cost of carrying assembly implementations has unfortunately not improved, so this is still on hold for the same reasons here https://github.com/golang/go/issues/27484#issuecomment-421078808.

What about an AES-CCM implementation without assembly optimizations? This will allow IoT devices with AES acceleration to connect to a server running golang code even if the server is not optimized. The bottleneck here will be probably the IoT device, not the server anyway.

I second @igolaizola proposal. CCM is largely useful for communicating with IoT devices/gateways, so not having assembly optimised implementations is unlikely to be a source of problems. It would be nice to not have this requirement hold it back but land CCM support so that when the need arises we can improve by adding the assembly in future versions.

I'm currently looking at lifting bocajim/dtls CCM implementation into pions/dtls so we can end up with one DTLS library supporting all use cases, but it would be great to have this in stdlib instead and avoid needing to carry that code.

I also agree with the proposal, CCM in the standard library would be a big improvement.

From: Daniele Sluijters notifications@github.com
Sent: Tuesday, March 26, 2019 6:12 AM
To: golang/go
Cc: Jim Wert; Mention
Subject: Re: [golang/go] proposal: crypto/tls: add support for AES-CCM (#27484)

I second @igolaizolahttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Figolaizola&data=02%7C01%7CJim.Wert%40telit.com%7C8a7f8b5f4aa548ac1e5108d6b1d39fba%7C15d9cfdc338445c582dc3426a208a45c%7C1%7C0%7C636891919806404170&sdata=QiTsP4ceBqaBVT6Jepn6qgrlMZynHiGGzKzWZ4Qa5EI%3D&reserved=0 proposal. CCM is largely useful for communicating IoT devices/gateways, so not having server-side assembly optimised implementations is unlikely to be a source of problems. It would be nice to not have this requirement hold it back but land CCM support so that when the need arises we can improve by adding the assembly in future versions.

I'm currently looking at lifting bocajim/dtlshttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fbocajim%2Fdtls&data=02%7C01%7CJim.Wert%40telit.com%7C8a7f8b5f4aa548ac1e5108d6b1d39fba%7C15d9cfdc338445c582dc3426a208a45c%7C1%7C0%7C636891919806414179&sdata=Qd5HutXOxcgxTLG4a1cxMpDhsN1FnUUu7ijiag%2Bfr9w%3D&reserved=0 CCM implementation into pions/dtlshttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fpions%2Fdtls&data=02%7C01%7CJim.Wert%40telit.com%7C8a7f8b5f4aa548ac1e5108d6b1d39fba%7C15d9cfdc338445c582dc3426a208a45c%7C1%7C0%7C636891919806414179&sdata=EE8ebqkJHyXqebJfPSUUVpf9hRjt4%2FvDTCdX2b3S4kg%3D&reserved=0 so we can end up with one DTLS library supporting all use cases, but it would be great to have this in stdlib instead and avoid needing to carry that code.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fgolang%2Fgo%2Fissues%2F27484%23issuecomment-476557184&data=02%7C01%7CJim.Wert%40telit.com%7C8a7f8b5f4aa548ac1e5108d6b1d39fba%7C15d9cfdc338445c582dc3426a208a45c%7C1%7C0%7C636891919806424183&sdata=5yjV0FVsmNXDa84exq8OiKU%2F4q%2FOMaHwLPXgz9oiZgs%3D&reserved=0, or mute the threadhttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAFS1CeJmcFZDsN73wlEGjwW7p8lWY42tks5vafKngaJpZM4WYjtD&data=02%7C01%7CJim.Wert%40telit.com%7C8a7f8b5f4aa548ac1e5108d6b1d39fba%7C15d9cfdc338445c582dc3426a208a45c%7C1%7C0%7C636891919806424183&sdata=E5vM8lciMsBHtyPd1zJD7F7kl11f8tQlnk8%2BqPDPQ3Y%3D&reserved=0.

Is the any progress going on? as above comments mentions it will be helpful if is CCM implementation (no necessarily hardware accelerated) makes into standard library, i am also in need for CCM to communicate with IoT gateway.

@newmanifold If it can help you, feel free to take a look at https://github.com/pion/dtls/tree/master/internal/crypto/ccm

@FiloSottile Can we get you to take another look at this, please? We're not looking to add assembly, which seems to be the biggest concern that was brought up previously. People are just looking for a pure-Go additional as a first step to stdlib.