IETF Logo Mail Archive

Re: [Cfrg] [SSH] [TLS] 3DES diediedie

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 25 August 2016 23:14 UTC

Return-Path: <prvs=7045e2e036=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DB3112D658 for <cfrg@ietfa.amsl.com>; Thu, 25 Aug 2016 16:14:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.746
X-Spam-Level:
X-Spam-Status: No, score=-4.746 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.548, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXbuZuBjZLcK for <cfrg@ietfa.amsl.com>; Thu, 25 Aug 2016 16:14:50 -0700 (PDT)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) by ietfa.amsl.com (Postfix) with ESMTP id 9FC3412D649 for <cfrg@irtf.org>; Thu, 25 Aug 2016 16:14:50 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTP id u7PNBAJB018738; Thu, 25 Aug 2016 19:11:10 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>, Tony Arcieri <bascule@gmail.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Thread-Topic: [Cfrg] [SSH] [TLS] 3DES diediedie
Thread-Index: AdH/JnOMg/CphhaeQ0GKsETs7Xni6g==
Date: Thu, 25 Aug 2016 23:14:39 +0000
Message-ID: <20160825231445.18292816.24106.87068@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="===============2018919359=="
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-08-25_13:, , signatures=0
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1608250256
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/qIwOlJmA1ok8YzKN60MCVwCtZZk>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] [SSH] [TLS] 3DES diediedie
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 23:14:53 -0000

Denis,

I concur. 

P.S. On my servers 3DES is prohibited by configuration, but security has (almost) ‎nothing to do with that - rather usage of AES of Suite B and AESNI-accelerated performance (and of course my connecting clients have the same mindset and priorities :).

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
From: denis bider (Bitvise)
Sent: Thursday, August 25, 2016 18:39
To: Blumenthal, Uri - 0553 - MITLL; Tony Arcieri; Peter Gutmann
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] [SSH] [TLS] 3DES diediedie

In SSH, 3des-ctr is currently a cipher in good standing (RFC 4344). CBC is already discouraged (and alerted by many security scanners) because of the issue of naive decryption of packet lengths in this mode.
 
I might be mistaken, but I do not see applicability of this issue in CTR mode. If two ciphertext blocks collide, I don’t see how one could take advantage even if one knows the plaintext corresponding to one of the blocks. If one knows a lot of the plaintext, and therefore finds two key-stream blocks that collide, I’m not seeing what use that could be, either.
 
In addition, SSH has an automatic re-key that is initiated by both clients and servers after every 1 GB of data transferred (128k blocks) in either direction, or every hour, whichever comes first. Most SSH implementations, except rare broken ones that I rarely hear of, either initiate key re-exchange themselves, or support it when it is initiated by the other party. Key re-exchange replaces both encryption keys and the initial IVs in both directions. This also makes attacks against 3des-cbc more difficult.
 
Correct me if I’m wrong, but I don’t see that any action needs to be taken in SSH against 3des-ctr, whereas CBC mode is defended by key re-exchange (with 128k blocks, collision probability less than 1 in 1 billion), and is itself already discouraged.
 
denis
 
 
From: Blumenthal, Uri - 0553 - MITLL
Sent: Thursday, August 25, 2016 09:56
To: Tony Arcieri ; Peter Gutmann
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] [TLS] 3DES diediedie
 
>>  An attack that recovers cookie if you can record 785GB of traffic isn't anything I'm losing any sleep over.
>
> ..but is not a terribly dissimilar traffic volume to recover plaintexts from similar attacks against RC4,
> which received "diediedie" in RFC7465.
>
> Perhaps notable is the RC4 attacks work across multiple session keys, whereas SWEET32 requires the same key,
> but I think the practical consequences regarding data volume limits are similar.
 
I think this difference is crucial, because when the majority of the traffic was RC4, then scourging a lot of it and getting at least one key out of the attack seemed bad enough to do something about it. Hence RFC7465.
 
With 3DES, you need that much of traffic protected by the key you’re trying to attack. This completely removes any notion of practicality. I’m not losing my sleep over this either, and think this situation does not justify “diediedie”.
 
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email