Re: [Cfrg] A little room for AES-192 in TLS?

John Mattsson <john.mattsson@ericsson.com> Mon, 16 January 2017 20:06 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Leonard den Ottolander <leonard-lists@den.ottolander.nl>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Mon, 16 Jan 2017 20:05:25 +0000
Message-ID: <D4A2E5D0.58040%john.mattsson@ericsson.com>
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad> <D4A2A7CE.57FDF%john.mattsson@ericsson.com> <CABcZeBPGxT=9iiChy4PxD_zMHWcHU=AhCLoe7wEHHtryw2rfwg@mail.gmail.com> <D4A2B50D.7E040%kenny.paterson@rhul.ac.uk> <CAHOTMVJrHBn4AR7PCJ14xKYCVjdxF7SiswiOABX_g6A5gsQGDg@mail.gmail.com> <1484593651.5104.49.camel@quad>
In-Reply-To: <1484593651.5104.49.camel@quad>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JH01DE1ndqmGmWU1wNNXSH6TPX4>

>So the question remains if AES-192 has certain characteristics that
>warrant inclusion. The fact that "the key schedule for 256-bit version
>is pretty lousy" and the mentioned attacks have complexity of < 2^100
>for AES-256, but > 2^179 for AES-192 might speak for it.

AES-192 is not stronger than AES-256 against related-key attacks except in
the special case where #keys is very small. And even if it were, I do not
think that alone makes a case for AES-192 in TLS. If HKDF is secure, then
there are no related AES keys. And if HKDF is not secure, then TLS should
replace HKDF rather than AES.


John
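As an added illustration of the point made in the reply above (this is example code written for this archive page, not code from the thread, from Ericsson or from any TLS implementation): TLS 1.3 derives every AES traffic key from a handshake secret with HKDF-Expand-Label (RFC 8446, section 7.1), so a related-key attacker, who needs encryptions under K and under K' = K xor delta for a delta of its choosing, has no way to obtain such a pair. The block below implements HKDF-Extract/Expand (RFC 5869) and HKDF-Expand-Label, derives write keys and IVs for AES-128-GCM and AES-256-GCM, and then grants the attacker far more than TLS ever does, two secrets that differ by exactly a chosen delta, to show that the difference between the resulting AES keys is a pseudorandom function of the secrets rather than the chosen delta. The secret and delta are constructed sample values; the function names are the example's own.

```python
"""Added example: TLS 1.3 key derivation and why it yields no related AES keys."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); empty salt -> zeros."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869): OKM = T(1) || T(2) || ... with T(i) = HMAC(PRK, T(i-1) || info || i)."""
    digest_size = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * digest_size:
        raise ValueError("HKDF-Expand output length out of range")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    """Serialise the HkdfLabel struct of RFC 8446 section 7.1:
    uint16 length, opaque label<7..255> = "tls13 " + Label, opaque context<0..255>."""
    full_label = b"tls13 " + label
    if not 7 <= len(full_label) <= 255 or len(context) > 255:
        raise ValueError("label or context length out of range")
    return (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int,
                      hash_name: str = "sha256") -> bytes:
    """HKDF-Expand-Label(Secret, Label, Context, Length) from RFC 8446."""
    return hkdf_expand(secret, hkdf_label(label, context, length), length, hash_name)


def derive_traffic_keys(secret: bytes, key_len: int, iv_len: int = 12,
                        hash_name: str = "sha256") -> dict:
    """[sender]_write_key and [sender]_write_iv for one traffic secret (RFC 8446 section 7.3).
    key_len is the AEAD key length: 16 for AES-128-GCM, 32 for AES-256-GCM."""
    return {
        "key": hkdf_expand_label(secret, b"key", b"", key_len, hash_name),
        "iv": hkdf_expand_label(secret, b"iv", b"", iv_len, hash_name),
    }


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hamming_weight(data: bytes) -> int:
    return sum(bin(byte).count("1") for byte in data)


def related_key_delta(secret: bytes, delta: bytes, key_len: int) -> bytes:
    """Give the attacker two traffic secrets that differ by exactly `delta` (TLS never
    does this; it is the most favourable case) and return the XOR difference that
    actually appears between the two derived AES keys.  With a secure HKDF that
    difference is unpredictable, so no K, K xor delta pair is ever available."""
    k1 = derive_traffic_keys(secret, key_len)["key"]
    k2 = derive_traffic_keys(xor_bytes(secret, delta), key_len)["key"]
    return xor_bytes(k1, k2)


if __name__ == "__main__":
    # Constructed sample values, not from any real handshake.
    secret = hkdf_extract(b"", b"constructed handshake secret")
    chosen_delta = b"\x80" + b"\x00" * 31  # attacker wants K' = K xor (single top bit)
    for name, key_len in (("AES-128-GCM", 16), ("AES-256-GCM", 32)):
        keys = derive_traffic_keys(secret, key_len)
        d = related_key_delta(secret, chosen_delta, key_len)
        print(f"{name}: key={keys['key'].hex()} iv={keys['iv'].hex()}")
        print(f"  chosen secret delta weight={hamming_weight(chosen_delta)}, "
              f"resulting key delta weight={hamming_weight(d)} of {8 * key_len} bits")
```

The two traffic directions and the two key sizes use different HkdfLabel encodings (the label and the length field both go into `info`), so the AES-128 key is not a prefix of the AES-256 key and client and server keys share no structure; the only way to relate two derived keys is to break HMAC, which is the point of the reply above.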