Re: [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)
Andrey Jivsov <crypto@brainhub.org> Sat, 11 February 2017 22:38 UTC
Correction: we rekey faster than needed when we count in records if the
average record is shorter than the maximum allowed. Regardless, because
the record size can vary by a factor of 1000 in size (up to 2^14), it's
cleaner to count in bytes. This matters the most for 3DES, but I don't
see much difference in implementation complexity between counting in
records vs. bytes.

On 02/11/2017 02:26 PM, Andrey Jivsov wrote:
>
> On 02/09/2017 09:07 PM, Sean Turner wrote:
>> All,
>>
>> We’ve got two outstanding PRs that propose changes to
>> draft-ietf-tls-tls13 Section 5.5 “Limits on Key Usage”. As it
>> relates to rekeying, these limits have been discussed a couple of
>> times and we need to resolve once and for all whether the TLS WG
>> wants to:
>>
>> a) Close these two PRs and go with the existing text [0]
>> b) Adopt PR#765 [1]
>> c) Adopt PR#769 [2]
>>
>> Please indicate your preference to the TLS mailing list before Feb
>> 17. Note that unless there’s clear consensus to change, the text will
>> remain as is (i.e., option a).
>>
>> J&S
>>
>> [0] https://tlswg.github.io/tls13-spec/#rfc.section.5.5
>> [1] https://github.com/tlswg/tls13-spec/pull/765
>> [2] https://github.com/tlswg/tls13-spec/pull/769
>
> I am an author of [2].
>
> I originally thought that [0] could be improved, but [1], as seems to
> be a consensus, made the text even less clear, which motivated me to
> contribute.
>
> I see 2 main issues with [0]:
>
> 1. Counting in records. Worse, it counts in maximum-size records.
>
> The original problem is measured in cipherblocks (16 bytes in TLS
> 1.3). Advanced products have the max TLS record size configurable. TLS
> stacks should not be expected to buffer the data to fill up the
> record, therefore, they are also sending many shorter records.
>
> How should an implementer read [0]? If an implementation sends or
> receives shorter records, it has to re-key sooner.
>
> Counting in bytes or cipher blocks is better. Implementers wishing to
> count in records can translate bytes into records easier than perform
> the reverse with [0] (however, I don't understand how counting in
> records can work correctly).
>
> 2. The numbers in [0] are not explained.
>
> Given that I don't know the "components" of the formula, I am not
> exactly sure how to make adjustments for the #1.
>
> The text in [0] should be clarified to show "components", e.g. what
> success probability was used.
>
> ( I recall that when [0] was worked on, there were discussions about
> multi-session issues. Was this a consideration? )
>
>
> Finally, [1] assumed P=1/2^32 as a consensus-building choice. NIST
> uses this value to state limits on AES-GCM IVs
> (http://dx.doi.org/10.6028/NIST.SP.800-38D sec 8,
> http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
> sec A.5)
>
> I would be happy with a lower value of P.
>
> I think, however, that a comparison with the 3DES can be helpful. The
> recent SWEET32 attack on 3DES works with the practical P=1/2. Using
> P=1/2^32 for 3DES implies rekeying after 0.5Mbytes of traffic. I
> suspect that those who implemented data limits for 3DES rekey less
> often than on each 0.5Mb.
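
The arithmetic discussed in this message, as an added example that is not part of the original post or of either PR: it derives a per-key byte budget from the block size and a target probability P, then compares a byte counter with a record counter calibrated for maximum-size records. The bound q^2 / 2^n <= P is an assumption, chosen because it reproduces the 0.5 MB figure quoted for 3DES at P=1/2^32; the function names are hypothetical, and per-record overhead (tag, padding) is ignored.

```python
import math

MAX_RECORD = 2**14  # largest record size in bytes, the 2^14 cited in the message


def byte_limit(block_bits, log2_p):
    """Bytes allowed under one key, assuming the bound q^2 / 2^n <= P.

    q = cipher blocks processed, n = block_bits, P = 2**log2_p.
    """
    q = math.isqrt(2 ** (block_bits + log2_p))  # q^2 <= P * 2^n
    return q * (block_bits // 8)


def record_limit(block_bits, log2_p):
    """Record budget obtained by assuming every record is maximum size."""
    return max(1, byte_limit(block_bits, log2_p) // MAX_RECORD)


def bytes_before_rekey(record_sizes, block_bits, log2_p, count_in):
    """Payload bytes carried under one key before the counter forces a rekey."""
    limit_b = byte_limit(block_bits, log2_p)
    limit_r = record_limit(block_bits, log2_p)
    sent = records = 0
    for size in record_sizes:
        if count_in == "bytes" and sent + size > limit_b:
            break
        if count_in == "records" and records + 1 > limit_r:
            break
        sent += size
        records += 1
    return sent


if __name__ == "__main__":
    # Constructed traffic: 10,000 short records of 100 bytes each.
    traffic = [100] * 10_000
    print("3DES byte limit at P=2^-32:", byte_limit(64, -32))
    print("3DES record limit at P=2^-32:", record_limit(64, -32))
    for mode in ("records", "bytes"):
        print(mode, bytes_before_rekey(traffic, 64, -32, mode))
```

With the constructed 100-byte records, the record counter forces a rekey after 3,200 bytes, while the byte counter allows 524,200 bytes under the same key.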