Re: [Cfrg] [SSH] [TLS] 3DES diediedie
David Jacobson <dmjacobson@sbcglobal.net> Fri, 26 August 2016 04:43 UTC
Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E278312D0A5 for <cfrg@ietfa.amsl.com>; Thu, 25 Aug 2016 21:43:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sbcglobal.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uj5yK_5OwSO5 for <cfrg@ietfa.amsl.com>; Thu, 25 Aug 2016 21:43:44 -0700 (PDT)
Received: from nm2-vm9.access.bullet.mail.gq1.yahoo.com (nm2-vm9.access.bullet.mail.gq1.yahoo.com [216.39.63.240]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE159126579 for <cfrg@irtf.org>; Thu, 25 Aug 2016 21:43:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s2048; t=1472186623; bh=ibGtzDLdG3J83F8Y8WzZ5OOqXAMWfMlMjCg8GpEfaTc=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From:Subject; b=Z25bHTnPuZXof0G8oedCPbcButEid0y8pFRZwFs9DrWu9DUKjwY7Bg4Z2u9PDhLeXwoDRM9dZWQTH4p83efK8r6sM6OP5aEQr8+KyaJ1W3Wi7rkBz09rIRDnZqJU/zrSkO2TSIwrwFM510AN+U5zEe15YdCWmgQbiQLDZm78RQa/Kp2kZ9fuUtXQUZA7sQ5Ox+puRRw3CliSLSW/lsAIZ2aUqHfSa8ROk5YPqpN4Pkt9WFAY3IYyJMnJfi7rCue2oFfDSG0O2ikzBgld/3qNBWm2mRImLSZVOLtfbaldEUfzouMgrZf0s0771Ibcva4BhlIDM9K/Xd5wKgOG5218yw==
Received: from [216.39.60.173] by nm2.access.bullet.mail.gq1.yahoo.com with NNFMP; 26 Aug 2016 04:43:43 -0000
Received: from [67.195.23.148] by tm9.access.bullet.mail.gq1.yahoo.com with NNFMP; 26 Aug 2016 04:43:42 -0000
Received: from [127.0.0.1] by smtp120.sbc.mail.gq1.yahoo.com with NNFMP; 26 Aug 2016 04:43:42 -0000
X-Yahoo-Newman-Id: 351413.17023.bm@smtp120.sbc.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: DGsw4PAVM1m8ejXynIU1QCMRHM2sB9uDBQUJVpiOKc1uaxW 8EdRakF0BhXB4VGMOBqi3hKBnd0k3aTRw42466Bp1tN5KP8BaGIbPSMvZcPU FoMnMazK6riOjpGqLWxDvOHdkGHHtxMpVqtX1I1ojOynQPHv7T0DSXKTLh7F NMIx_hSf6AX8m2SGKV5EkQ6u_oHs4aTX7MwOlb8214JiI5N_qd_PtZxZyl58 QoIVKy6OYTZNa0GQK77kSNJmQWvLumGXDt2W7iY7cnJ7VIdngFXn2E69RVc2 HEH5ONDCtAAdBnHsD6H5hkCz2_TwEkVWrqdrWyhaK2D2dUXwXtPXX67lZ3.s WQ4sYkzS8C2PUc5kQh0Fmu0gwlU3SWe8vdsgTBvRhNsjvKVXjE_LiBH1oH61 OhrOrqQkjJbcZ03MbJl20yUYrdvLEYI6dY9qqN1Ri5M1Wom8ZsUxfP_QdYqp J0h4vJXwL_YrbdfATxkhsfgqzdapkaR4TEaDsXEKPUGupR2MrVBmA3_6QQUi 0b2FEqLRKfmlWSfqJoU.hkeNZFuM6Ev.DAIeXJJZhGj4M05L5tfgd.CzlP7P VsWkW6NVKVLA-
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
To: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Tony Arcieri <bascule@gmail.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <CAHOTMV+r5PVxqnSozYyqJqq_YocMKV06aAa-43t+5Huzh7Lo=A@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4D01F6E@uxcn10-5.UoA.auckland.ac.nz> <CAHOTMVKyub+J0Vx+UryDEAHdJRYRTmZ1wvLmEBkSor7pOrXy_w@mail.gmail.com> <386DA563-FA77-4FA7-9E3D-EBF0022E0B43@ll.mit.edu> <B7B4274BD48048338321B078E6FDA182@Khan>
From: David Jacobson <dmjacobson@sbcglobal.net>
Message-ID: <1ab41850-79ba-8b91-91bc-ba9b4b01c766@sbcglobal.net>
Date: Thu, 25 Aug 2016 21:43:41 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <B7B4274BD48048338321B078E6FDA182@Khan>
Content-Type: multipart/alternative; boundary="------------0C1AC7C5BBBDF67273FC457A"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/QLwH1bXAOYR1Y5z-hxU7f3IXQDE>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] [SSH] [TLS] 3DES diediedie
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2016 04:43:46 -0000
On 8/25/16 3:38 PM, denis bider (Bitvise) wrote: > In SSH, 3des-ctr is currently a cipher in good standing (RFC 4344). > CBC is already discouraged (and alerted by many security scanners) > because of the issue of naive decryption of packet lengths in this mode. > I might be mistaken, but I do not see applicability of this issue in > CTR mode. If two ciphertext blocks collide, I don’t see how one could > take advantage even if one knows the plaintext corresponding to one of > the blocks. If one knows a lot of the plaintext, and therefore finds > two key-stream blocks that collide, I’m not seeing what use that could > be, either. With any block cipher in CTR mode there would be no collisions until the counter had wrapped around to the starting value. Thus for 3DES with a full-width counter, there are no collisions until 2^64 + 1 blocks have been processed. Ironically, the limitation to 2^32 blocks is not because of the possibility of a collision, but because of the the impossibility of collisions. Collisions would be expected beginning around 2^32 blocks, but in 3DES CTR mode with a full width counter, they won't be any through 2^64 and thus the keystream can be distinguished from random. --David Jacobson > In addition, SSH has an automatic re-key that is initiated by both > clients and servers after every 1 GB of data transferred (128k blocks) > in either direction, or every hour, whichever comes first. Most SSH > implementations, except rare broken ones that I rarely hear of, either > initiate key re-exchange themselves, or support it when it is > initiated by the other party. Key re-exchange replaces both encryption > keys and the initial IVs in both directions. This also makes attacks > against 3des-cbc more difficult. > Correct me if I’m wrong, but I don’t see that any action needs to be > taken in SSH against 3des-ctr, whereas CBC mode is defended by key > re-exchange (with 128k blocks, collision probability less than 1 in 1 > billion), and is itself already discouraged. > denis > *From:* Blumenthal, Uri - 0553 - MITLL <mailto:uri@ll.mit.edu> > *Sent:* Thursday, August 25, 2016 09:56 > *To:* Tony Arcieri <mailto:bascule@gmail.com> ; Peter Gutmann > <mailto:pgut001@cs.auckland.ac.nz> > *Cc:* cfrg@irtf.org <mailto:cfrg@irtf.org> > *Subject:* Re: [Cfrg] [TLS] 3DES diediedie > >> An attack that recovers cookie if you can record 785GB of traffic > isn't anything I'm losing any sleep over. > > > > ..but is not a terribly dissimilar traffic volume to recover > plaintexts from similar attacks against RC4, > > which received "diediedie" in RFC7465. > > > > Perhaps notable is the RC4 attacks work across multiple session > keys, whereas SWEET32 requires the same key, > > but I think the practical consequences regarding data volume limits > are similar. > I think this difference is crucial, because when the majority of the > traffic was RC4, then scourging a lot of it and getting at least one > key out of the attack seemed bad enough to do something about it. > Hence RFC7465. > With 3DES, you need that much of traffic protected by the key you’re > trying to attack. This completely removes any notion of practicality. > I’m not losing my sleep over this either, and think this situation > does not justify “diediedie”. > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg
- Re: [Cfrg] [TLS] 3DES diediedie Viktor Dukhovni
- [Cfrg] 3DES diediedie Tony Arcieri
- Re: [Cfrg] 3DES diediedie Benjamin Kaduk
- Re: [Cfrg] 3DES diediedie Tony Arcieri
- Re: [Cfrg] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie John Mattsson
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Hubert Kario
- Re: [Cfrg] [TLS] 3DES diediedie david wong
- Re: [Cfrg] [TLS] 3DES diediedie Eric Rescorla
- Re: [Cfrg] [TLS] 3DES diediedie Ira McDonald
- Re: [Cfrg] [TLS] 3DES diediedie Hubert Kario
- Re: [Cfrg] [TLS] 3DES diediedie Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [SSH] [TLS] 3DES diediedie denis bider (Bitvise)
- Re: [Cfrg] 3DES diediedie Geoffrey Keating
- Re: [Cfrg] [SSH] [TLS] 3DES diediedie Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [SSH] [TLS] 3DES diediedie David Jacobson
- Re: [Cfrg] [TLS] 3DES diediedie Dmitry Belyavsky
- Re: [Cfrg] [TLS] 3DES diediedie Stanislav V. Smyshlyaev
- Re: [Cfrg] [TLS] 3DES diediedie Hanno Böck
- Re: [Cfrg] [TLS] 3DES diediedie Иван Лавриков
- Re: [Cfrg] 3DES diediedie David McGrew (mcgrew)
- Re: [Cfrg] [TLS] 3DES diediedie Watson Ladd
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] 3DES diediedie Peter Gutmann
- Re: [Cfrg] 3DES diediedie David McGrew (mcgrew)
- Re: [Cfrg] [TLS] 3DES diediedie Karthikeyan Bhargavan
- Re: [Cfrg] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Hubert Kario
- Re: [Cfrg] 3DES diediedie David McGrew (mcgrew)
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] 3DES diediedie John Mattsson
- [Cfrg] (confusing the issues) Re: [TLS] 3DES died… Rene Struik
- Re: [Cfrg] 3DES diediedie Ilari Liusvaara
- Re: [Cfrg] [TLS] (confusing the issues) Re: 3DES … Dave Garrett
- Re: [Cfrg] 3DES diediedie Jon Callas
- Re: [Cfrg] (confusing the issues) Re: [TLS] 3DES … Jon Callas
- Re: [Cfrg] 3DES diediedie Steven M. Bellovin
- Re: [Cfrg] (confusing the issues) Re: [TLS] 3DES … Rene Struik
- Re: [Cfrg] (confusing the issues) Re: [TLS] 3DES … Greg Rose
- Re: [Cfrg] 3DES diediedie Peter Gutmann
- Re: [Cfrg] 3DES diediedie Peter Gutmann
- Re: [Cfrg] 3DES diediedie David McGrew (mcgrew)
- Re: [Cfrg] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] 3DES diediedie Derek Atkins
- Re: [Cfrg] 3DES diediedie Hilarie Orman
- Re: [Cfrg] [TLS] 3DES diediedie Brian Sniffen
- Re: [Cfrg] [TLS] 3DES diediedie Hilarie Orman
- Re: [Cfrg] 3DES diediedie Steven M. Bellovin
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [TLS] 3DES diediedie Hilarie Orman
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Kyle Rose
- Re: [Cfrg] [TLS] 3DES diediedie Richard Hartmann
- Re: [Cfrg] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Hilarie Orman
- Re: [Cfrg] [TLS] 3DES diediedie Ben Laurie
- Re: [Cfrg] [TLS] 3DES diediedie Ben Laurie
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Salz, Rich
- Re: [Cfrg] [TLS] 3DES diediedie Ira McDonald
- Re: [Cfrg] [TLS] 3DES diediedie Watson Ladd
- Re: [Cfrg] [TLS] 3DES diediedie Ira McDonald
- Re: [Cfrg] [TLS] 3DES diediedie Dave Garrett
- Re: [Cfrg] [TLS] 3DES diediedie Ira McDonald
- Re: [Cfrg] [TLS] 3DES diediedie Philip Levis
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Ilari Liusvaara
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Ilari Liusvaara
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Richard Hartmann
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Salz, Rich
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Kyle Rose
- Re: [Cfrg] [TLS] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie Ilari Liusvaara
- Re: [Cfrg] [TLS] 3DES diediedie Yoav Nir
- Re: [Cfrg] [TLS] 3DES diediedie Kyle Rose
- Re: [Cfrg] [TLS] 3DES diediedie denis bider (Bitvise)