Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).
Andrey Jivsov <crypto@brainhub.org> Thu, 02 March 2017 23:15 UTC
Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEF9E127601 for <cfrg@ietfa.amsl.com>; Thu, 2 Mar 2017 15:15:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vh8BqT0FjY0N for <cfrg@ietfa.amsl.com>; Thu, 2 Mar 2017 15:15:32 -0800 (PST)
Received: from resqmta-po-09v.sys.comcast.net (resqmta-po-09v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A926127ABE for <cfrg@ietf.org>; Thu, 2 Mar 2017 15:15:31 -0800 (PST)
Received: from resomta-po-14v.sys.comcast.net ([96.114.154.238]) by resqmta-po-09v.sys.comcast.net with SMTP id jZwXc8oMPODBvjZwYcF1fe; Thu, 02 Mar 2017 23:15:30 +0000
Received: from [IPv6:::1] ([24.5.144.109]) by resomta-po-14v.sys.comcast.net with SMTP id jZwXcMFBsBKYljZwXcdZdR; Thu, 02 Mar 2017 23:15:30 +0000
To: tls@ietf.org, cfrg@ietf.org
References: <352D31A3-5A8B-4790-9473-195C256DEEC8@sn3rd.com> <CY4PR09MB1464243342F19FCBE48C37E7F3550@CY4PR09MB1464.namprd09.prod.outlook.com> <26137F3B-5655-44CA-877E-7168CE02DBF1@azet.org> <D4DC341D.311E1%qdang@nist.gov> <2572E3FC-0139-4946-A12D-9D9509C402F1@azet.org> <CAFewVt5gCGrGrJRMQFiqXP_zeNONS45VhmJWYiyXyTkKt6ezPw@mail.gmail.com>
From: Andrey Jivsov <crypto@brainhub.org>
Message-ID: <cd2835c7-d093-60b0-df9c-998d77a6a26e@brainhub.org>
Date: Thu, 02 Mar 2017 15:15:28 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <CAFewVt5gCGrGrJRMQFiqXP_zeNONS45VhmJWYiyXyTkKt6ezPw@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfBf7lS8Q0JEbAWXCA/HtzBX4ko3u6Qf3WoVF+wD0qO/OO7ObLu4M76RVC1o0+e6YW8KtbyAx5IHKn4rlkXoBLIkEz3iKUYmGU31G1ClFzxNs8wrpUdw6 13jFtXnJXtzwVMMceT6uWzV4jcZEq5xBiOle6GZ008GlMNrkE+C1y9oluNcwRSU/fnN+DPnPeObVEQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NyL9KVDsk7XT2HiAHkpa2K6opiE>
Subject: Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 23:15:34 -0000
I also think that counting in blocks is cleaner. Counting in bytes is a close alternative. I have a few nits below: On 03/02/2017 01:44 PM, Brian Smith wrote: > Aaron Zauner <azet@azet.org> wrote: >> I'm not sure that text on key-usage limits in blocks in a spec >> that fundamentally deals in records is less confusing, quite >> the opposite (at least to me). > > 1. Consider an implementation that negotiates with another > implementation to use a very large record size such as 1MB records. If > the limit is specified in terms of records then the limit would need > to be readjusted to the new max record size, or else the new extension > is potentially unsafe to use. This shows that specifying the limits in > terms of records is brittle. Hm, while I agree that counting in wrong units is the main problem here, we over-count with records, which means that we re-key faster than needed. > 2. If it is only safe to use an AES-GCM key for a certain number of > blocks, where in the code is the best place to enforce the limit on > the number of blocks? IMO, it is better to enforce it in the AES-GCM > implementation itself, underneath the TLS layer. In that case the > limit is best expressed in terms of the number of blocks. Specifying > the limit in terms of records would be optimizing for implementations > that enforce the limit at the wrong layer of abstraction. Given that the event of reaching the limit requires TLS-level action, checking the limit at the TLS level seems reasonable. The lower-level block-cipher code should still have the logic to error out (using a more relaxed limit). > >> As I pointed out earlier: I strongly recommend that any changes >> to the spec are as clear als possible to engineers >> (non-crypto/math people) -- e.g. why the spec is suddenly >> dealing in blocks instead of records et cetera. Again; I really >> don't see any reason to change text here - to me all suggested >> changes are even more confusing. > > Given a limit in blocks, the arithmetic to keep track of the number of > blocks is trivial, and very similar to the arithmetic that's already > needed to split up a large byte stream into records and keep track of > the record sequence number. Also please consider counting in bytes. This may be more natural, especially with AES-GCM that doesn't expose higher levels to the block size granularity (as much as CBC does, anyway). > > Cheers, > Brian >
- [Cfrg] Closing out tls1.3 "Limits on key usage" P… Sean Turner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Stanislav V. Smyshlyaev
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Martin Thomson
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Paterson, Kenny
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Ilari Liusvaara
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Rene Struik
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Paterson, Kenny
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Rene Struik
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Paterson, Kenny
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Andrey Jivsov
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Andrey Jivsov
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Martin Thomson
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Andrey Jivsov
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Markulf Kohlweiss
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Aaron Zauner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Tony Arcieri
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Atul Luykx
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Yoav Nir
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Atul Luykx
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Yoav Nir
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Paterson, Kenny
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Martin Thomson
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Yoav Nir
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Martin Thomson
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Yoav Nir
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Martin Thomson
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Aaron Zauner
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Aaron Zauner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Dang, Quynh (Fed)
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Aaron Zauner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Dang, Quynh (Fed)
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Aaron Zauner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Paterson, Kenny
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Watson Ladd
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Martin Thomson
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Dang, Quynh (Fed)
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Brian Smith
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Andrey Jivsov
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Hal Murray
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Andrey Jivsov
- Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on ke… Yoav Nir
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Sean Turner
- Re: [Cfrg] Closing out tls1.3 "Limits on key usag… Russ Housley