Re: [Cfrg] A little room for AES-192 in TLS?
Taylor R Campbell <campbell+cfrg@mumble.net> Sat, 14 January 2017 19:50 UTC
From: Taylor R Campbell <campbell+cfrg@mumble.net>
To: Leonard den Ottolander <leonard-lists@den.ottolander.nl>
In-reply-to: <1484420882.13637.56.camel@quad> (leonard-lists@den.ottolander.nl)
Date: Sat, 14 Jan 2017 19:50:26 +0000
Message-Id: <20170114195022.749D960358@jupiter.mumble.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/XOiYjx9Y3_10jg6a6tNetm1Sw-I>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
> Date: Sat, 14 Jan 2017 20:08:01 +0100
> From: Leonard den Ottolander <leonard-lists@den.ottolander.nl>
>
> Seeing how AES-192 seems to hold up well against related-key attacks
> (at least the (theoretical) one described in
> http://eprint.iacr.org/2009/317), I am rather surprised no AES-192
> ciphers have been defined for TLS
> (http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4).
> I feel the cipher is being treated rather stepmotherly.

I would be surprised if TLS relied in any way on resistance to
related-key attacks. The only advantage for TLS's sake would be in
situations requiring greater performance than AES-256 can attain, where
a security level below 2^96 against future quantum cryptanalysis or
multi-target attacks is acceptable.

That said, proposals for TLS are probably better heard at the IETF
working group for TLS.

> Also there still seems to be plenty of space available (slots
> 0x01-55,* and 0x56,0x01-0xC0,0x00) until this "definition by
> permutation" approach can be replaced by a cheaper "definition by
> slot" where the slots are chained, i.e. using identifiers for key
> exchanges, asymmetrical ciphers, symmetrical ciphers and block modes
> separately.

It turns out that handing inexpert users a dizzying array of
cryptographic acronym soups and seasonings to combine securely does not
tend to yield very good results. The enormous enumeration of
precombined cipher suites is bad enough; asking users to make sensible
choices to combine their parts is worse.
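The following is an added worked example, not code from the thread or from any TLS implementation. It models the two points in the reply above: first, how a symmetric key's effective security level shrinks under Grover-style quantum search and under multi-target attacks (which is why AES-192 still clears 2^96 where AES-128 does not); second, how "definition by permutation" cipher-suite identifiers grow multiplicatively with each component while per-slot identifiers grow additively, and how a negotiation policy that checks the effective level catches combinations a user might otherwise accept. The component sets (KEX, AUTH, CIPHERS, MODES) and suite-name format are constructed for illustration and do not reproduce the IANA registry.

```python
# Added example (not from the thread or any TLS stack): effective security
# level of symmetric keys under Grover / multi-target attacks, and the
# identifier cost of pre-combined cipher suites vs. per-slot identifiers.
import math
from itertools import product


def effective_security_bits(key_bits: int, targets: int = 1,
                            quantum: bool = False) -> float:
    """Conservative security level (in bits) against exhaustive key search.

    - Multi-target: with T keys under attack at once, one brute-force pass of
      about 2^(k - log2 T) work is expected to recover one of them.
    - Quantum: Grover's algorithm reduces a k-bit search to about 2^(k/2).
    The two effects are treated as independent worst cases; the smaller wins.
    """
    if key_bits <= 0 or targets < 1:
        raise ValueError("key_bits must be positive and targets >= 1")
    classical = key_bits - math.log2(targets)
    if not quantum:
        return classical
    return min(classical, key_bits / 2)


def meets_level(key_bits, required_bits, targets=1, quantum=False):
    """True if the key still provides required_bits under the attack model."""
    return effective_security_bits(key_bits, targets, quantum) >= required_bits


# Illustrative component sets (constructed; not the IANA registry contents).
KEX = ["RSA", "DHE", "ECDHE", "PSK"]
AUTH = ["RSA", "ECDSA"]
CIPHERS = {"AES_128": 128, "AES_192": 192, "AES_256": 256, "CHACHA20": 256}
MODES = ["GCM", "CCM"]


def enumerate_suites(kex=KEX, auth=AUTH, ciphers=CIPHERS, modes=MODES):
    """'Definition by permutation': one identifier per full combination."""
    return [f"TLS_{k}_{a}_WITH_{c}_{m}"
            for k, a, c, m in product(kex, auth, ciphers, modes)]


def identifier_counts(kex=KEX, auth=AUTH, ciphers=CIPHERS, modes=MODES):
    """Identifiers needed: pre-combined (product) vs. per-slot (sum)."""
    by_permutation = len(kex) * len(auth) * len(ciphers) * len(modes)
    by_slot = len(kex) + len(auth) + len(ciphers) + len(modes)
    return by_permutation, by_slot


def suite_key_bits(suite):
    """Recover the symmetric key size from a name built by enumerate_suites."""
    for name, bits in CIPHERS.items():
        if f"_WITH_{name}_" in suite:
            return bits
    raise ValueError(f"unknown cipher in {suite}")


def negotiate(client_offer, server_prefs, required_bits=128,
              targets=1, quantum=False):
    """Server-preference negotiation with a minimum effective security level.

    Returns the first server-preferred suite that the client also offers and
    whose symmetric key meets required_bits under the stated attack model,
    or None when nothing acceptable is shared.
    """
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered and meets_level(suite_key_bits(suite),
                                            required_bits, targets, quantum):
            return suite
    return None


if __name__ == "__main__":
    for bits in (128, 192, 256):
        print(f"AES-{bits}: quantum={effective_security_bits(bits, quantum=True):.0f} "
              f"multi-target(2^32)={effective_security_bits(bits, 2**32):.0f}")
    print("identifiers (by permutation, by slot):", identifier_counts())
```

With four key-exchange methods, two signature algorithms, four ciphers and two modes, the pre-combined approach already needs 64 identifiers against 12 per-slot ones, and every new component multiplies rather than adds. The negotiation helper shows the other side of the argument: the policy decision (which effective level is acceptable, and against which attacker) has to be encoded somewhere, and leaving it to whoever assembles the parts is exactly what the reply warns against.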