IETF Logo Mail Archive

Re: [Cfrg] A little room for AES-192 in TLS?

William Whyte <wwhyte@securityinnovation.com> Tue, 17 January 2017 16:03 UTC

Return-Path: <wwhyte@securityinnovation.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28C13129553 for <cfrg@ietfa.amsl.com>; Tue, 17 Jan 2017 08:03:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=securityinnovation.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IC4TujXwKzZi for <cfrg@ietfa.amsl.com>; Tue, 17 Jan 2017 08:03:36 -0800 (PST)
Received: from mail-io0-x22d.google.com (mail-io0-x22d.google.com [IPv6:2607:f8b0:4001:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5B7E129566 for <cfrg@irtf.org>; Tue, 17 Jan 2017 08:03:35 -0800 (PST)
Received: by mail-io0-x22d.google.com with SMTP id l66so118139096ioi.1 for <cfrg@irtf.org>; Tue, 17 Jan 2017 08:03:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=securityinnovation.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=qvncIrjmXRxC6c1bwO1AzTyvbann5hPKaX9Ef6n9264=; b=DuBcSFGoIRgj1aXcxJzLlIMMnse9Vv5FwGKv2uOjMjhtqnRQGAfsXYMYD+7YtnNYkP VvEwr80VhJ5lHp/PnVlboHETJpQwGB8hse2u4muZ9tOvJuCwg7eH2aZkG8skab4BkIf3 GUoiuQVwZ71yZCxoxVjZ8iwKUS4BvccPEPY98=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=qvncIrjmXRxC6c1bwO1AzTyvbann5hPKaX9Ef6n9264=; b=g6vRWDUC2w11XZDoH6cLkeouzQsBSW/5HpFXtjrSjnkt+Nk6ZD06xMfK5Ai5lrVc8O 4JO+2GE3kV7mq7AkkX3j7VigyVRpvmm9af1K5JNCZhYibna7R4Dc0Bmqg4iU83CWNNiX +1PcgpLfLjqe1kychy5lMpA0qQfmP233nxGOQcGIFBjpfqN8HIfQye9Gkl2tQulQElqc ygIrhwM2VvZ/l7XzJq1YNAG5eZpbLpRFF04CqIQhBE+nz6ry/hKkNTmPpcsJMkpPQEaI FvNsjQpUdlJRmbAS6fGBr3GDjoSBs1srpD4LKZiQvIov7eu3pxb/LzRfKi8dMAeAMLon ai3g==
X-Gm-Message-State: AIkVDXI1jJQAUaN+9bQCD9TN0zOOlS6eNK9HPBVCSboM5BEWlKzRmsSGs/Ixd9+BondJGXSja2kSyEDkdcByEiTP
X-Received: by 10.107.56.6 with SMTP id f6mr41037817ioa.58.1484669014811; Tue, 17 Jan 2017 08:03:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.27.142 with HTTP; Tue, 17 Jan 2017 08:03:32 -0800 (PST)
In-Reply-To: <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad> <D4A2A7CE.57FDF%john.mattsson@ericsson.com> <CABcZeBPGxT=9iiChy4PxD_zMHWcHU=AhCLoe7wEHHtryw2rfwg@mail.gmail.com> <D4A2B50D.7E040%kenny.paterson@rhul.ac.uk> <CAHOTMVJrHBn4AR7PCJ14xKYCVjdxF7SiswiOABX_g6A5gsQGDg@mail.gmail.com> <1484593651.5104.49.camel@quad> <1df3ba4212e44f9d8e3e6fabf8610cc0@usma1ex-dag1mb1.msg.corp.akamai.com> <1484662079.5135.49.camel@quad> <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com>
From: William Whyte <wwhyte@securityinnovation.com>
Date: Tue, 17 Jan 2017 11:03:32 -0500
Message-ID: <CACz1E9rZrso0184wiiK04UJnv4sBWZwtM2yYumha08Z-4n0=KQ@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: multipart/alternative; boundary="001a114ab93c3d119f05464c71d9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/iX2GjOJ9-ay3OrNAS2Lq-nMIHzg>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Leonard den Ottolander <leonard-lists@den.ottolander.nl>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2017 16:03:44 -0000

It seems like we need a better 256-bit algorithm than AES-256: the related
key attacks might not be a concern in TLS, but if use of AES-256 in TLS
causes its widespread use in other contexts, it will sooner or later be
used in a context where the related key attacks matter. I would support
deprecating AES-256 throughout IETF in favor of a better alternative.

It doesn't seem like AES-192 is the right choice for that alternative.
Among other things, it's not 256-bit :-).

What *should* CFRG be recommending as a 256-bit symmetric algorithm?

Cheers,

William

On Tue, Jan 17, 2017 at 9:48 AM, Salz, Rich <rsalz@akamai.com> wrote:

> > Are you suggesting that because this research is 8 years old its
> findings are
> > not valid?
>
> Yes, kinda.  If the sky really was falling eight years ago, then where are
> the other papers?
>
> > "The most disturbing aspect of the new attacks is that AES-256 can no
> longer
> > be considered as a safe black box construction, which can be dropped into
> > any security application with little thought about how it is used."
>
> Well, luckily, that is not the case with TLS.  The particular attack about
> keys, as has been explained, isn't relevant to AES-in-TLS.  Your
> compromise, while not only outside the typical IETF scope, has been shown
> to fail as the other side will abort the connection.
>
> > work best against AES-256 (which was supposed to be the strongest member
> > of the AES family), and do not currently seem to work against AES-128."
>
> Luckily we use AES128.
>
> > And you cannot argue nobody wants to use it as it is not available for
> use. If I
> > wanted to I could not use AES-192 except in private use scenario's as
> noone
> > is offering such ciphers, i.e.
>
> Yes.
>
> > I
> > acknowledge adding ciphers is not a zero effort, but to describe it as
> complex
> > is inaccurate.
>
> We disagree.
>
> You can write up an individual RFC that defines AES192 ciphers for use in
> TLS, and ask IANA to register them, and then "let the market decide."  I
> suggest you focus on a couple, and not try for full parity by defining a
> couple of dozen, as the registrar is likely to reject it.
>
> Or you can keep posting here (and as previously pointed out, more
> appropriately the TLS list) and see if you can convince anyone.
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email