Re: [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

Andrey Jivsov <crypto@brainhub.org> Sun, 12 February 2017 19:28 UTC

To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/7gZ9ItZTseSdXHzwZW0vn1pWdXU>
Cc: IRTF CFRG <cfrg@irtf.org>

On 02/12/2017 01:44 AM, Martin Thomson wrote:
> On 12 February 2017 at 09:26, Andrey Jivsov <crypto@brainhub.org> wrote:
>> How should an implementer read [0]? If an implementation sends or receives
>> shorter records, it has to re-key sooner.
>
> [0] (the current text) says that there is a maximum number of records.
> That's pretty straightforward.  You are required to count them anyway.
> No accounting for partial records and other such things.
>
> If that means rekeying sooner, I'd like evidence that this is in some
> way harmful.  I think that it's fine.
>
> I'm not disagreeing with the notion of correctness that has been
> discussed on this thread and elsewhere, just offering a different set
> of criteria upon which you might make this decision.
>
> Ilari made a related point: if you don't rekey occasionally, you might
> as well just forget the whole mechanism.  Given the actual limit - for
> even the most conservative option, [0] - is so large that common usage
> will never hit it, that means rekeying even more often than any
> idealized 2^52 octets.
>

I don't disagree with the above.

If the stack shares code with 3DES, that code will probably count in 
bytes. This logic can be reused with TLS 1.3. Then the code can be 
tested with 3DES.
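
Added example, not part of the original message or of any TLS stack: a sketch of one usage counter that can enforce either a byte limit (the accounting a shared 3DES path would use) or a record-count limit (the accounting in [0]), showing how short records reach the record limit after far fewer octets. KeyUsage, octets_before_first_rekey and the TEST_* limits are hypothetical names and constructed small values chosen so a test can hit them quickly; they are not the limits from the draft.

```python
from dataclasses import dataclass
from typing import Optional

MAX_RECORD = 2**14        # TLS maximum plaintext record length, in octets
TEST_MAX_RECORDS = 64     # constructed test limit, not a value from the draft
TEST_MAX_BYTES = TEST_MAX_RECORDS * MAX_RECORD  # same budget, in octets

@dataclass
class KeyUsage:
    """Usage accounting for one traffic key (hypothetical helper)."""
    max_bytes: Optional[int] = None
    max_records: Optional[int] = None
    bytes_used: int = 0
    records_used: int = 0
    rekeys: int = 0

    def __post_init__(self):
        if self.max_bytes is None and self.max_records is None:
            raise ValueError("at least one limit is required")
        if self.max_bytes is not None and self.max_bytes < MAX_RECORD:
            raise ValueError("byte limit must fit one full record")
        if self.max_records is not None and self.max_records < 1:
            raise ValueError("record limit must allow one record")

    def _would_exceed(self, n: int) -> bool:
        over_bytes = (self.max_bytes is not None
                      and self.bytes_used + n > self.max_bytes)
        over_records = (self.max_records is not None
                        and self.records_used + 1 > self.max_records)
        return over_bytes or over_records

    def protect(self, n: int) -> bool:
        """Account for one n-octet record; rekey first if it would pass a limit."""
        if not 0 < n <= MAX_RECORD:
            raise ValueError("record length out of range")
        rekeyed = self._would_exceed(n)
        if rekeyed:
            self.bytes_used = self.records_used = 0
            self.rekeys += 1
        self.bytes_used += n
        self.records_used += 1
        return rekeyed

def octets_before_first_rekey(usage: KeyUsage, record_len: int) -> int:
    """Send fixed-size records until the first rekey; return octets sent."""
    sent = 0
    while not usage.protect(record_len):
        sent += record_len
    return sent
```

With full-size records both limits allow the same number of octets per key; with 512-octet records the record-count limit triggers a rekey after 1/32 of that.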