Re: [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

[Andrey Jivsov <crypto@brainhub.org>]

Correction: we rekey faster than needed when we count in records if the 
average record is shorter than the maximum allowed. Regardless, because 
the record size can vary by a factor of 1000 in size (up to 2^14), it's 
cleaner to count in bytes. This matters the most for 3DES, but I don't 
see much difference in implementation complexity between counting in 
records v.s. bytes.

On 02/11/2017 02:26 PM, Andrey Jivsov wrote:
>
> On 02/09/2017 09:07 PM, Sean Turner wrote:
>> All,
>>
>> We’ve got two outstanding PRs that propose changes to 
>> draft-ietf-tls-tls13 Section 5.5 “Limits on Key Usage”.  As it 
>> relates to rekeying, these limits have been discussed a couple of 
>> times and we need to resolve once and for all whether the TLS WG 
>> wants to:
>>
>> a) Close these two PRs and go with the existing text [0]
>> b) Adopt PR#765 [1]
>> c) Adopt PR#769 [2]
>>
>> Please indicate you preference to the TLS mailing list before Feb 
>> 17.  Note that unless there’s clear consensus to change the text will 
>> remain as is (i.e., option a).
>>
>> J&S
>>
>> [0] https://tlswg.github.io/tls13-spec/#rfc.section.5.5
>> [1] https://github.com/tlswg/tls13-spec/pull/765
>> [2] https://github.com/tlswg/tls13-spec/pull/769
>
> I am an author of [2].
>
> I originally thought that [0] could be improved, but [1], as seems to 
> be a consensus, made the text even less clear, which motivated me to 
> contribute.
>
> I see 2 main issues with [0]:
>
> 1. Counting in records. Worse, it counts in maximum-size records.
>
> The original problem is measured in cipherblocks (16 bytes in TLS 
> 1.3). Advanced products have the max TLS record size configurable. TLS 
> stacks should not be expected to buffer the data to fill up the 
> record, therefore, they are also sending many shorter records.
>
> How should an implementer read [0]? If an implementation sends or 
> receives shorter records, it has to re-key sooner.
>
> Counting in bytes or cipher blocks is better. Implementers wishing to 
> count in records can translate bytes into records easier that perform 
> the reverse with [0] (however, I don't understand how counting in 
> records can work correctly).
>
> 2. The numbers in [0] are not explained.
>
> Given that I don't know the "components" of the formula, I am not 
> exactly sure how to make adjustments for the #1.
>
> The text in [0] should be clarified to show "components", e.g. what 
> success probability was used.
>
> ( I recall that when [0] was worked on, there were discussions about 
> multi-session issues. Was this a consideration? )
>
>
> Finally, [1] assumed P=1/2^32 as a consensus-building choice. NIST 
> uses this value to state limits on AES-GCM IVs 
> (http://dx.doi.org/10.6028/NIST.SP.800-38D sec 8, 
> http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf 
> sec A.5)
>
> I would be happy with a lower value of P.
>
> I think, however, that a comparison with the 3DES can be helpful. The 
> recent SWEET32 attack on 3DES works with the practical P=1/2. Using 
> P=1/2^32 for 3DES implies rekeying after 0.5Mbytes of traffic. I 
> suspect that these who implemented data limits for 3DES rekey less 
> often than on each 0.5Mb.