Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769).

Brian Smith <brian@briansmith.org> Thu, 02 March 2017 21:44 UTC


Aaron Zauner <azet@azet.org> wrote:
> I'm not sure that text on key-usage limits in blocks in a spec
> that fundamentally deals in records is less confusing, quite
> the opposite (at least to me).

1. Consider an implementation that negotiates with another
implementation to use a very large record size such as 1MB records. If
the limit is specified in terms of records then the limit would need
to be readjusted to the new max record size, or else the new extension
is potentially unsafe to use. This shows that specifying the limits in
terms of records is brittle.

2. If it is only safe to use an AES-GCM key for a certain number of
blocks, where in the code is the best place to enforce the limit on
the number of blocks? IMO, it is better to enforce it in the AES-GCM
implementation itself, underneath the TLS layer. In that case the
limit is best expressed in terms of the number of blocks. Specifying
the limit in terms of records would be optimizing for implementations
that enforce the limit at the wrong layer of abstraction.

> As I pointed out earlier: I strongly recommend that any changes
> to the spec are as clear as possible to engineers
> (non-crypto/math people) -- e.g. why the spec is suddenly
> dealing in blocks instead of records et cetera. Again; I really
> don't see any reason to change text here - to me all suggested
> changes are even more confusing.

Given a limit in blocks, the arithmetic to keep track of the number of
blocks is trivial, and very similar to the arithmetic that's already
needed to split up a large byte stream into records and keep track of
the record sequence number.

Cheers,
Brian
-- 
https://briansmith.org/
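The two points above (a record-denominated limit breaks when the record size changes; a block-denominated limit can be enforced underneath the TLS layer with the same arithmetic used for record splitting) as an added, self-contained illustration that is not part of the original message or of any TLS implementation. The block budget used here is a constructed placeholder, not the limit from the TLS 1.3 draft; the per-record block count assumes AES-GCM's one keystream block per 16 bytes of plaintext plus one block to mask the tag.

```python
AES_BLOCK = 16

def gcm_blocks_for_record(plaintext_len: int) -> int:
    """AES invocations consumed by one AES-GCM record: one per 16-byte
    chunk of plaintext (CTR keystream, rounded up) plus one for the
    block E_K(J0) that masks the authentication tag."""
    return (plaintext_len + AES_BLOCK - 1) // AES_BLOCK + 1

class KeyUsageCounter:
    """Per-key usage tracker kept inside the AEAD implementation.
    The bound is expressed in blocks, so it is valid whatever record
    size the layer above happens to negotiate."""
    def __init__(self, block_limit: int):
        self.block_limit = block_limit
        self.blocks_used = 0

    def reserve(self, plaintext_len: int) -> bool:
        """Return True and charge the budget if this record still fits;
        return False when the caller must rekey before encrypting."""
        needed = gcm_blocks_for_record(plaintext_len)
        if self.blocks_used + needed > self.block_limit:
            return False
        self.blocks_used += needed
        return True

def records_allowed(block_limit: int, record_len: int) -> int:
    """The same block budget restated as a record count. The result
    depends on record_len, which is exactly why a record-denominated
    limit must be recomputed whenever a larger record size is used."""
    return block_limit // gcm_blocks_for_record(record_len)

def blocks_for_stream(stream_len: int, max_record_len: int) -> int:
    """Split a byte stream into records of at most max_record_len bytes
    (the arithmetic TLS already performs) and total the blocks used."""
    total = 0
    remaining = stream_len
    while remaining > 0:
        n = min(remaining, max_record_len)
        total += gcm_blocks_for_record(n)
        remaining -= n
    return total

if __name__ == "__main__":
    budget = 2 ** 20  # constructed placeholder block budget, not a spec value
    print("records at 16 KiB:", records_allowed(budget, 2 ** 14))
    print("records at  1 MiB:", records_allowed(budget, 2 ** 20))
```

With the placeholder budget the record count differs by a factor of about 64 between 16 KiB and 1 MiB records, while the block count that `KeyUsageCounter` enforces is unchanged.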