Re: [Cfrg] A little room for AES-192 in TLS?

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 18 January 2017 18:16 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E58711294E3 for <cfrg@ietfa.amsl.com>; Wed, 18 Jan 2017 10:16:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id revoGOSyh3kl for <cfrg@ietfa.amsl.com>; Wed, 18 Jan 2017 10:16:00 -0800 (PST)
Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BAF31294EF for <cfrg@irtf.org>; Wed, 18 Jan 2017 10:16:00 -0800 (PST)
Received: by mail-wm0-x234.google.com with SMTP id c206so38610612wme.0 for <cfrg@irtf.org>; Wed, 18 Jan 2017 10:16:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=m8+9eo+lSibOqexRNCTZP4MrhQDinMgUQHRo2Ra3Vwk=; b=c29fFFlpBZC0rkVq2dXyGj3EEwQH8LpPBNqM6e2aMeqaryO/iRPhgWSaxW3Xu5jeiD qdXRmf51XMTuMQV0B1na0ajW3AhOiaEEqwtzeVaoHjdkOciT9d058Nk3+lzO9Q54CXyk G/uoubLeV3AjaSTLmnqITwV9dsAwoSJMQbI4ftKm7oF+CeDJX8Z3OP+51kNimEVRB241 bl+YRt41HxzPaDabRr2rQARNW37pUBWp/fxlBgsLAJPLkXjQveRS7bHz1mZyMjSWz12S DZjFQWyd9a698TyFs/Dicc3Vhcturp8XzrMOIGjbtFXvGQObbl2uTdm3xzlbrtWPP7XD Bpdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=m8+9eo+lSibOqexRNCTZP4MrhQDinMgUQHRo2Ra3Vwk=; b=OgEMoOmxJ8JV3Qob7gpJ2mJMdqRNkarWXpqZtcKcoHhsNSJF1a7QS7RjcTDkUvGEy1 8WtcDt5T4+rL3nDYOHsKZSapvC6MqL+PaAMP0EiNrlfyIOWwPWTbOyjt4kKzuKaN72bP +AVBKen2k6LWKmdrKqox11DC6/cWd5VEboPOXM0ISomx2JurQ6eNQSwho/H+Qy84DnP9 PZgTy93c0BAl8za4xfZebVeDfC12SQ+7CXEJHRmNoD1iaac34NTWto3eAFOE4b3rPpF8 /fkuyG2pBoz2LaU1wClkgBtbubiE6wnWKQ3QjhuHCQ3nu/Robj2ALFFzpxNeR1n1g/kj xR7g==
X-Gm-Message-State: AIkVDXKynNzcE42jgPGMwoYf15fuz5WJqQDig2ZILmXICrP0OVifXsGt9Udps3DJ81qEXzJlLOrY3U8pqpsyaQ==
X-Received: by 10.28.226.67 with SMTP id z64mr20313161wmg.137.1484763358886; Wed, 18 Jan 2017 10:15:58 -0800 (PST)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.194.221.6 with HTTP; Wed, 18 Jan 2017 10:15:58 -0800 (PST)
In-Reply-To: <1484763108.5121.77.camel@quad>
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad> <D4A2A7CE.57FDF%john.mattsson@ericsson.com> <CABcZeBPGxT=9iiChy4PxD_zMHWcHU=AhCLoe7wEHHtryw2rfwg@mail.gmail.com> <D4A2B50D.7E040%kenny.paterson@rhul.ac.uk> <CAHOTMVJrHBn4AR7PCJ14xKYCVjdxF7SiswiOABX_g6A5gsQGDg@mail.gmail.com> <1484593651.5104.49.camel@quad> <1df3ba4212e44f9d8e3e6fabf8610cc0@usma1ex-dag1mb1.msg.corp.akamai.com> <1484662079.5135.49.camel@quad> <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com> <CACz1E9rZrso0184wiiK04UJnv4sBWZwtM2yYumha08Z-4n0=KQ@mail.gmail.com> <CAHOTMVLGoj7RPFQBTRu_d+kOoBfrKmi+CG+ityyW=x3G4t_AaQ@mail.gmail.com> <CAMm+Lwh05t6AMoRdgmMLZNsAVWAXxax84WOxMB8Cp_gBq5oZVA@mail.gmail.com> <c185b3ee5008c559b1a42c5e298e0c74@mail.noekeon.org> <1484759562.5121.70.camel@quad> <CAMm+LwjNmbYWTRPeCM9i=TKoi9KM5bar4qpif24t9Fyhak5zsg@mail.gmail.com> <1484763108.5121.77.camel@quad>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 18 Jan 2017 13:15:58 -0500
X-Google-Sender-Auth: zE0QkCrF09ZuE0g_iPhk4i9vFlY
Message-ID: <CAMm+Lwi7cX5bYUThLPXz_2AUpV2ao0vb11WUTNeyCtDMi=UtjQ@mail.gmail.com>
To: Leonard den Ottolander <leonard-lists@den.ottolander.nl>
Content-Type: multipart/alternative; boundary=001a114b0d089501f605466268bc
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/DpbRfTkRuuVhvT_oAOw8Jre_syI>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 18:16:03 -0000

On Wed, Jan 18, 2017 at 1:11 PM, Leonard den Ottolander <
leonard-lists@den.ottolander.nl> wrote:

> Hello Phillip,
>
> On Wed, 2017-01-18 at 12:53 -0500, Phillip Hallam-Baker wrote:
> > On Wed, Jan 18, 2017 at 12:12 PM, Leonard den Ottolander <
> > leonard-lists@den.ottolander.nl> wrote:
> >
> > >
> > > - AES-192 was excluded from TLS for arbitrary reasons.
> > > - AES-256 has known weaknesses in its key schedule that some researcher
> > > consider severe.
> > > - AES-192 offers better security than AES-128. There is serious doubt
> > > AES-256 can offer the same level of security. This makes AES-192 a
> valid
> > > alternative.
> > > - Implementations of AES-192 are readily available.
> > >
> > >
> > ​AES 192 was excluded for the perfectly good reason that there is no
> > compelling argument for inclusion.
> >
> > I would like to see the number of suites reduced because the strength of
> a
> > cryptographic system depends on the strength of the weakest cipher. Thus
> > adding ciphers to a system invariably weakens it.
>
> It appears AES-256 is a weaker link than AES-192 so your general
> argument about more is less seems invalid in this case. AES-256 shows
> weaknesses that are not so prominent in AES-192.
> ​\
>
​
Oh really, the work fact of AES 256 is lower than that of AES 192? Please
show me the paper.

If AES 256 falls then AES goes completely. There is no middle ground.


​
> > The only way to improve security is to eliminate ciphers. AES 128 is
> > necessary, so is AES 256. ​I have never seen a point to 192.
>
> I'm trying to make exactly that point :-) . AES-192 does not suffer from
> the same weaknesses as AES-256 so the former is probably a more robust
> cipher choice than the latter.


​I see no evidence that the work factor of AES 256 is less than 2^192. ​