golang / go

The Go programming language
https://go.dev

proposal: crypto/tls: support AEGIS (for TLS 1.3) #70587

Open ydnar opened 3 days ago

ydnar commented 3 days ago

Proposal Details

Resurrecting #58724 in a new proposal.

Voting for publication of AEGIS as an RFC closes December 12: https://mailarchive.ietf.org/arch/msg/cfrg/0T3m_Pageq7PIukaiG3Nxx4ENCM/

> Dear CFRG participants,
>
> This message is starting a 3-week RGLC on
> draft-irtf-cfrg-aegis-aead-13 ("The AEGIS Family of Authenticated
> Encryption Algorithms") that will end on December 12th 2024. If you've read
> the document and think that it is ready (or not ready) for publication as
> an RFC, please send a message in reply to this email or directly
> to CFRG chairs ([cfrg-chairs@ietf.org](mailto:cfrg-chairs@ietf.org)). If you have detailed comments, these
> would also be very helpful at this point.
>
> We've got a review of the draft from Scott Fluhrer (on behalf of the Crypto
> Review Panel):
> https://mailarchive.ietf.org/arch/msg/cfrg/ikGi2zb6CmWyQIVhuo8QR_GrOsA/
> The comments were addressed in version -13 of the draft.
>
> Thank you,
> Stanislav, for CFRG chairs

cc @jedisct1

seankhliao commented 3 days ago

It still seems early. Is there any real world software that supports this today?

ianlancetaylor commented 3 days ago

CC @golang/security

ericlagergren commented 3 days ago

I'm happy to send a CL with https://github.com/ericlagergren/aegis, obviously being updated from 00 to 13.

FiloSottile commented 3 days ago

What is the advantage of AEGIS over AES-GCM in TLS 1.3, considering that nonce reuse is not a concern in TLS 1.3?

jedisct1 commented 2 days ago

> What is the advantage of AEGIS over AES-GCM in TLS 1.3, considering that nonce reuse is not a concern in TLS 1.3?

Performance.

It would be good to have AEGIS in x/crypto, and Eric's Go implementation is an excellent starting point.

But regarding crypto/tls, and although some TLS implementations already support AEGIS-based cipher suites, it may be a bit premature. The document about usage of AEGIS in TLS 1.3 is distinct from the CFRG one, and hasn't been proposed to the TLS WG yet -- it will be after the document on the construction itself has at least reached the IESG review step.