Re: [Cfrg] [TLS] 3DES diediedie

Tony Arcieri <> Thu, 08 September 2016 16:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8AA7612B1C5 for <>; Thu, 8 Sep 2016 09:28:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fWIrn0oE2sFk for <>; Thu, 8 Sep 2016 09:28:50 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400c:c08::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C05E712B1CB for <>; Thu, 8 Sep 2016 09:28:48 -0700 (PDT)
Received: by with SMTP id 95so20948985uaz.2 for <>; Thu, 08 Sep 2016 09:28:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wJbuZKFW8dhCv9hEa4JVDHGHfn8R1flPHCitjCysgnU=; b=U1MSik3eFzE9rAF6QDP/ITjcShhvhcJRFV6KJHSHUy0vuFeK0h7zkAZiHTnRwGBvtY dfQmR/nPpiirlCYEejlqGzXjals0ygg42aTV7Ne5QXdWWNFflEIxn4Npjh+MQxV6Y+gK eQlDarwgt4KfiN8EfxVMGg6LPYG/mXMTJMlFAVCpvOEJRAgBYB7r/KL+yXVq955bahKy DyXilTy9iQNnPsi/lu5WuYEHJJdLgCMWm8opIvLycIpn2oOywOz1hyM7hfsClkFFtfam KDR5XMT9yTLIkOKrfQOP1ImLNwJ20eeDR0VbFFwk8ZVN5k4+aBL9pm+quzcRZkDb4DuH 9phQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wJbuZKFW8dhCv9hEa4JVDHGHfn8R1flPHCitjCysgnU=; b=dg4nuNN7Tk+5JfPO9nFNj/bbbemj3HVszT5kH/e1dDy+eNnBHhKMF0Kt6HolBsuopS oEzDTLBIT7v9T5+UnQs2H40VIbIixLa2yLxq4u9hXwzX2CChV/f8sx5w7a0ryzYG/yWy x9qQ8ZQ1HklIorE1HNyFoEU4+wZM0jE+xVeokKXaYkf12KxwUGAZCbuuasxYuVn9QpDT opBu/QCr7e48PXrRNQWcRukka/5amyyWXGTSBtLzSOfVum6bMSC/v0a15F2Ed8VvS3Oz P553Zi9pP791OiO2sNcblwQ1qFtIl1OFm1cMT3yUAoQGaNRdcRQCNfrVBj6+qw6kBuU8 sung==
X-Gm-Message-State: AE9vXwPVCFY6zJJK9AuT5P7tGgNlG+ctusWBqZToW+P/ONgQoGBmfMzq2fpane9uuR/ZTdvODENn2yz3RRugFg==
X-Received: by with SMTP id 47mr458865uah.10.1473352127810; Thu, 08 Sep 2016 09:28:47 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Thu, 8 Sep 2016 09:28:26 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <>
From: Tony Arcieri <>
Date: Thu, 8 Sep 2016 09:28:26 -0700
Message-ID: <>
To: Derek Atkins <>
Content-Type: multipart/alternative; boundary=001a113cd3ca35128a053c0186b2
Archived-At: <>
Cc: "" <>, "" <>, Peter Gutmann <>
Subject: Re: [Cfrg] [TLS] 3DES diediedie
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 08 Sep 2016 16:28:51 -0000

On Thu, Sep 8, 2016 at 8:01 AM, Derek Atkins <> wrote:

> So they are finally up to 80-bit security?  Woohoo!
> That makes me feel so safe.

1024-bit RSA is certainly less than ideal, but certainly better than
nothing, which was the claim about devices in this class.

Comparisons with symmetric cryptography aren't exactly fungible like that
either: though I personally consider 1024-bit RSA keys to be weak, to my
knowledge one has not been factored successfully by the general public.

Payments are a very poor example..  Several seconds per transaction?
> That's not usable performance.  Look at all the pushback from consumers
> that have been happening since the changeover to chip cards in the US
> this past year.

The cryptography is not the bottleneck in this case: poor implementations
of the protocol are. Use the same card for an NFC transaction (provided
it's capable) and the delay will be considerably less.

Also, an asymmetric primitive is something you'd use to exchange keys and
sign transcripts for session initialization, after which all subsequent
communication is symmetric. Does a second of handshaking actually matter if
all subsequent communication is hardware accelerated symmetric
cryptography? (I'm sure it might for some, but won't for many others)

The real point is that if verticals within the "IoT space" were to
standardize on a particular set of asymmetric primitives and ship them en
masse like the payments industry did, economies of scale can drive the
costs down to the levels they deem acceptable. But they seem unwilling to
do the up-front development work and want to continue using the MCUs
they're already using, many of which have no crypto accelerators