Re: [Cfrg] A little room for AES-192 in TLS?

"Salz, Rich" <> Mon, 16 January 2017 19:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6301312946F for <>; Mon, 16 Jan 2017 11:18:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.9
X-Spam-Status: No, score=-5.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fMdwDhzhkc14 for <>; Mon, 16 Jan 2017 11:18:34 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 21E3F1294AB for <>; Mon, 16 Jan 2017 11:18:34 -0800 (PST)
Received: from (localhost.localdomain []) by postfix.imss70 (Postfix) with ESMTP id 6870F43341C; Mon, 16 Jan 2017 19:18:33 +0000 (GMT)
Received: from ( []) by (Postfix) with ESMTP id 521C7433401; Mon, 16 Jan 2017 19:18:33 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=a1; t=1484594313; bh=oBYRgR0AP0LRWVFL+Hx2/g8qt6nb5rwDHQyX2tuCzqo=; l=1692; h=From:To:Date:References:In-Reply-To:From; b=Fcft02tkWEDTq6dWSKLZ9+OLLhSMQuEs4knjveKBsLkhjUjlaU+rQ7yJvosnf+nR8 zNBk+Omt25JqQPBKd4wnFlH/8bUk4aEn8YEwgXziyGCTOr6pLstKuKSpDEVB3qRhSM CgVQpONBBfk31ggfnxycHqmAPmE1J8jWfgM71TGs=
Received: from ( []) by (Postfix) with ESMTP id 4E1D11FC88; Mon, 16 Jan 2017 19:18:33 +0000 (GMT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 16 Jan 2017 14:18:32 -0500
Received: from ([]) by ([]) with mapi id 15.00.1178.000; Mon, 16 Jan 2017 14:18:32 -0500
From: "Salz, Rich" <>
To: Leonard den Ottolander <>, "" <>
Thread-Topic: [Cfrg] A little room for AES-192 in TLS?
Thread-Index: AQHSb3JE35QdAtT7x0CRQruWUbnzSqE7gsUAgAAVHoCAAAfRAIAAE5+AgAAI+oCAABAygP//rfNw
Date: Mon, 16 Jan 2017 19:18:32 +0000
Message-ID: <>
References: <> <1484577818.5104.1.camel@quad> <> <> <> <> <1484593651.5104.49.camel@quad>
In-Reply-To: <1484593651.5104.49.camel@quad>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 16 Jan 2017 19:18:35 -0000

> How about a scenario where an adversary is able to compromise the
> software in such a way that related keys are being generated occasionally
> and possibly even used for encryption of known plain text (protocol headers
> come to mind)?

To the best of my knowledge, partial compromise of software is not something that has been in the IETF threat model.  "All or nothing" if you will.

> And how can one extrapolate the attacks and analyses mentioned in
> to use them as an indication of possible
> cryptanalytic advances?

One simple idea, which I have suggested in the TLS mailing list, is that you search to see if anyone has done anything in this area in the past eight years.
> > used almost exclusively. I think the general trend is to switch to
> > AES-256 in new systems.
> This is a circular argument.

Not quite.  It is an argument saying that we are using AES256 in spite of what one paper says.

> I don't see how one can qualify the addition
> of a few references to a list as "complex".

Have you done much software deployment, especially at Internet scale?  This is about far more than just adding IANA entries.  Did you see my post in the  TLS group that talked to this?
> So the question remains if AES-192 has certain characteristics that warrant
> inclusion. The fact that "the key schedule for 256-bit version is pretty lousy"
> and the mentioned attacks have complexity of < 2^100 for AES-256, but >
> 2^179 for AES-192 might speak for it.

Has anyone but Bruce shared that viewpoint?

It's been nine years.  Surely *something* must have happened that you can find?