Re: [Cfrg] A little room for AES-192 in TLS?

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 18 January 2017 17:53 UTC

In-Reply-To: <1484759562.5121.70.camel@quad>
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad> <D4A2A7CE.57FDF%john.mattsson@ericsson.com> <CABcZeBPGxT=9iiChy4PxD_zMHWcHU=AhCLoe7wEHHtryw2rfwg@mail.gmail.com> <D4A2B50D.7E040%kenny.paterson@rhul.ac.uk> <CAHOTMVJrHBn4AR7PCJ14xKYCVjdxF7SiswiOABX_g6A5gsQGDg@mail.gmail.com> <1484593651.5104.49.camel@quad> <1df3ba4212e44f9d8e3e6fabf8610cc0@usma1ex-dag1mb1.msg.corp.akamai.com> <1484662079.5135.49.camel@quad> <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com> <CACz1E9rZrso0184wiiK04UJnv4sBWZwtM2yYumha08Z-4n0=KQ@mail.gmail.com> <CAHOTMVLGoj7RPFQBTRu_d+kOoBfrKmi+CG+ityyW=x3G4t_AaQ@mail.gmail.com> <CAMm+Lwh05t6AMoRdgmMLZNsAVWAXxax84WOxMB8Cp_gBq5oZVA@mail.gmail.com> <c185b3ee5008c559b1a42c5e298e0c74@mail.noekeon.org> <1484759562.5121.70.camel@quad>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 18 Jan 2017 12:53:02 -0500
Message-ID: <CAMm+LwjNmbYWTRPeCM9i=TKoi9KM5bar4qpif24t9Fyhak5zsg@mail.gmail.com>
To: Leonard den Ottolander <leonard-lists@den.ottolander.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/b3gSWqxp9MrfewQoZSx50gKgcxs>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

On Wed, Jan 18, 2017 at 12:12 PM, Leonard den Ottolander <leonard-lists@den.ottolander.nl> wrote:

> - AES-192 was excluded from TLS for arbitrary reasons.
> - AES-256 has known weaknesses in its key schedule that some researchers
> consider severe.
> - AES-192 offers better security than AES-128. There is serious doubt
> AES-256 can offer the same level of security. This makes AES-192 a valid
> alternative.
> - Implementations of AES-192 are readily available.

AES 192 was excluded for the perfectly good reason that there is no
compelling argument for inclusion.

I would like to see the number of suites reduced because the strength of a
cryptographic system depends on the strength of the weakest cipher. Thus
adding ciphers to a system invariably weakens it.

The only way to improve security is to eliminate ciphers. AES 128 is
necessary, so is AES 256. I have never seen a point to 192.

If the AES key schedule is bjorked, time for a new cipher comp. At one
point there was the possibility of a really fun itinerary, but the
governments that might have sponsored a non-US cipher standard are not
exactly crypto friendly right now.