Re: [Cfrg] A little room for AES-192 in TLS?

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 17 January 2017 16:17 UTC

In-Reply-To: <CAHOTMVLGoj7RPFQBTRu_d+kOoBfrKmi+CG+ityyW=x3G4t_AaQ@mail.gmail.com>
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad> <D4A2A7CE.57FDF%john.mattsson@ericsson.com> <CABcZeBPGxT=9iiChy4PxD_zMHWcHU=AhCLoe7wEHHtryw2rfwg@mail.gmail.com> <D4A2B50D.7E040%kenny.paterson@rhul.ac.uk> <CAHOTMVJrHBn4AR7PCJ14xKYCVjdxF7SiswiOABX_g6A5gsQGDg@mail.gmail.com> <1484593651.5104.49.camel@quad> <1df3ba4212e44f9d8e3e6fabf8610cc0@usma1ex-dag1mb1.msg.corp.akamai.com> <1484662079.5135.49.camel@quad> <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com> <CACz1E9rZrso0184wiiK04UJnv4sBWZwtM2yYumha08Z-4n0=KQ@mail.gmail.com> <CAHOTMVLGoj7RPFQBTRu_d+kOoBfrKmi+CG+ityyW=x3G4t_AaQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 17 Jan 2017 11:17:36 -0500
Message-ID: <CAMm+Lwh05t6AMoRdgmMLZNsAVWAXxax84WOxMB8Cp_gBq5oZVA@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-V_uqj-oEA7V4ga01sL0s1IRkRM>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Leonard den Ottolander <leonard-lists@den.ottolander.nl>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

Please no, just no.

Use 128-bit or 256-bit AES. Please do not create more options. The idea
that there is a need for a cipher between 10 and 14 rounds is just not
sensible. Either you are on the bleeding edge or you take a 40% performance
hit.

I am now of the opinion that all Key Agreement schemes should use a Key
Derivation function, RSA included. So even if your Key Agreement only
delivers 128 bits worth of work factor, you can still use a 256-bit cipher.

If you are doing a master key agreement plus an ephemeral, you should use
the master key agreement to salt the key derivation and so even with 128
bits of work factor on each you will have a total of 256 bits.

Rather than add pointless new cipher suites, I would like to see the key
derivation function fixed so that the ephemeral step cannot weaken the
strength of the agreed key.
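As an added illustration of the derivation the message above argues for (this is example code written for this page, not code from the author or from any CFRG or TLS draft): HKDF (RFC 5869) built on hashlib, with the master (static) key agreement output used as the HKDF salt and the ephemeral secret as the input keying material. Reading "use the master key agreement to salt the key derivation" as "master secret = HKDF salt, ephemeral secret = IKM" is an assumption made here for illustration; the function names, the info label and the fixed test secrets are constructed for the example.

```python
import hashlib
import hmac

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM).

    An empty salt is replaced by HashLen zero bytes, as the RFC specifies.
    """
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds HKDF limit")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(master_secret: bytes, ephemeral_secret: bytes,
                       transcript: bytes = b"", length: int = 32) -> bytes:
    """Combine a static (master) agreement output with an ephemeral one.

    Assumed construction for this example: the master secret is the HKDF
    salt, the ephemeral secret is the IKM, and the handshake transcript is
    mixed into the info string so the key is bound to this session. Either
    input alone being known or degenerate leaves the output depending fully
    on the other one, because HMAC keys on the salt and absorbs the IKM.
    """
    prk = hkdf_extract(salt=master_secret, ikm=ephemeral_secret)
    return hkdf_expand(prk, b"example session key" + transcript, length)


def degenerate_ephemeral_still_needs_master(master_a: bytes, master_b: bytes) -> bool:
    """Return True if an all-zero ephemeral secret (worst case: the ephemeral
    step contributed nothing) still yields keys that differ per master secret."""
    dead_ephemeral = bytes(32)
    return derive_session_key(master_a, dead_ephemeral) != \
        derive_session_key(master_b, dead_ephemeral)


def leaked_master_still_needs_ephemeral(master: bytes, eph_a: bytes, eph_b: bytes) -> bool:
    """Return True if, with the master secret fixed (e.g. leaked), the key still
    differs per ephemeral secret, i.e. the ephemeral step provides forward secrecy."""
    return derive_session_key(master, eph_a) != derive_session_key(master, eph_b)


if __name__ == "__main__":
    # Constructed secrets for a stand-alone run; real ones come from (EC)DH or RSA.
    master = bytes(range(32))
    ephemeral = bytes(range(32, 64))
    key = derive_session_key(master, ephemeral, transcript=b"ClientHello|ServerHello")
    print("session key:", key.hex())
    print("zero ephemeral still depends on master:",
          degenerate_ephemeral_still_needs_master(master, bytes(32)))
    print("known master still depends on ephemeral:",
          leaked_master_still_needs_ephemeral(master, ephemeral, bytes(32)))
```

The two predicate functions make the property in the message concrete: fixing the ephemeral input to all zeros does not collapse the key, and fixing the master secret does not either, so neither agreement step can reduce the derived key below what the other step provides. Binding the transcript into `info` is the usual way to stop a derived key being reused across sessions that happened to share the same secrets.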