IETF Logo Mail Archive

Re: [Cfrg] matching AES security

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 30 July 2014 18:08 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DABE1A01C5 for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 11:08:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QKoTdKho1neG for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 11:08:30 -0700 (PDT)
Received: from mail-lb0-x22d.google.com (mail-lb0-x22d.google.com [IPv6:2a00:1450:4010:c04::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BA641A01C8 for <cfrg@irtf.org>; Wed, 30 Jul 2014 11:08:30 -0700 (PDT)
Received: by mail-lb0-f173.google.com with SMTP id p9so1191975lbv.32 for <cfrg@irtf.org>; Wed, 30 Jul 2014 11:08:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=3fMsw1XRiMXlYjqI/N7ZEmjEUKWy0sA0LztiRJiCiCs=; b=RYPaTt/M8NYAwYRl9+WT4mLHFZDVfqgnW9oCepnwiHdBeJFUJ3K+MrGYYZmzbioGUB kVK1qgt5hHjeuPMaCvR7O5MDXjwqsGgkfC71tuvdhdVkCgezqqSKQUCHPmGMohxYJyCb 6igNqEb+lhexnpb6WKG3JTvSdlGgSlMk9NHaU03SA5nC9R3KcC16Wrcqt/myq4MVse3p 01JYH/cfQhdYb9l0UBZWuXFDZV6azV1TItDuPPS0a5zzOUjVk8uE84Pvj8io7epOxUHi KYC9gt7hoD4FQo0kbsZvSRaHLkqOYS5ull/YNt1HrEezqaYaOaC4u7XZD2lIk7cTSJeL /LNg==
MIME-Version: 1.0
X-Received: by 10.152.179.229 with SMTP id dj5mr3995352lac.97.1406743708563; Wed, 30 Jul 2014 11:08:28 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.122.50 with HTTP; Wed, 30 Jul 2014 11:08:28 -0700 (PDT)
In-Reply-To: <20140730163409.GH28679@cph.win.tue.nl>
References: <20140730123336.29011.qmail@cr.yp.to> <53D8FBDB.4060601@htt-consult.com> <20140730163409.GH28679@cph.win.tue.nl>
Date: Wed, 30 Jul 2014 14:08:28 -0400
X-Google-Sender-Auth: SM7SeDcvP6tNu0JTSOUlN8zFj58
Message-ID: <CAMm+LwieafzTxEh-_XDT+Y+Zu8Aor6rQs8xkb_VtV57Yk5jTuA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Tanja Lange <tanja@hyperelliptic.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/_t2pJvnljQozSLeb5Ncx-2GpmpQ
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: Re: [Cfrg] matching AES security
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 18:08:32 -0000

On Wed, Jul 30, 2014 at 12:34 PM, Tanja Lange <tanja@hyperelliptic.org> wrote:
> Dear Bob,
>> In the typical devices I work with there will be at best one ECDHE
>> exchange per day. Sometimes only once per month. (one message/5min = 312
>> short messages/day to protect with AES-CCM or GCM). (we are working on
>> changing once per life of sensor)
>>
>> Now if you look at the server side that is receiving messages from
>> 10,000 fielded sensors and thus has 10,000 ECDHE exchanges/day (or per
>> month), then the risk is a tad different?
>>
> For every ECDHE there is a fresh AES key, so for whatever number
> of key exchanges you assume there is also an AES target. This is on
> top of long-term connections that update the AES keys and devices
> that use only symmetric keys. If that number is less than 2^50 then
> the worry about finding AES-128 keys by chance gets smaller, but
> in any case it's significantly easier than breaking the DLP on an
> elliptic curve over a field of ~256 bits (which needs 2^128 group
> operations, so more than 2^140 bit operations).


I am not keen on rekeying for the sake of it. There are security costs
as well as benefits. In particular a lot of systems have the property
that they are break once, run anywhere. Just as we now think 50
ciphers give less security than 5 as the strength is determined by the
weakest one an attacker can get the parties to use, rekeying for the
sake of it is probably a bad thing.

Forward Secrecy is a good thing of course, but generating ephemeral
keys or mix ins is not what I think of when someone says rekey. To me,
rekey implies rebuilding the authentication relationship between the
end points. Thats a lot more work.


I am working on making it possible to rekey PPE once a week because I
want to create a forcing function for usability. Security people often
think they can get users to do silly things every 90, 60 or even 30
days. But even security folk get fed up of hoops when its once a week.
But LOTS of folk got very worried about that suggestion and I agree
that it would be bad operationally. I doubt rekey more than once a
quarter is desirable, even if the whole process is transparent.

The only reason I rekey at all is because people read their mail on
mobile devices and those get lost. So rekeying is a good way to limit
exposure to that risk. But I don't plan to ever roll per device
credentials or keys. If a public key algorithm isn't good for a
billion uses without security concern, then don't use it.


AES does have slightly different concerns. But really, if you are
worried about the need to rekey then you should go to a 256 bit key
first and then think about rekeying AES.

v2.23.0 | Report a Bug | By Email