Re: [Cfrg] A little room for AES-192 in TLS?

Leonard den Ottolander <leonard-lists@den.ottolander.nl> Wed, 18 January 2017 18:11 UTC

From: Leonard den Ottolander <leonard-lists@den.ottolander.nl>
To: cfrg@irtf.org
In-Reply-To: <CAMm+LwjNmbYWTRPeCM9i=TKoi9KM5bar4qpif24t9Fyhak5zsg@mail.gmail.com>
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad> <D4A2A7CE.57FDF%john.mattsson@ericsson.com> <CABcZeBPGxT=9iiChy4PxD_zMHWcHU=AhCLoe7wEHHtryw2rfwg@mail.gmail.com> <D4A2B50D.7E040%kenny.paterson@rhul.ac.uk> <CAHOTMVJrHBn4AR7PCJ14xKYCVjdxF7SiswiOABX_g6A5gsQGDg@mail.gmail.com> <1484593651.5104.49.camel@quad> <1df3ba4212e44f9d8e3e6fabf8610cc0@usma1ex-dag1mb1.msg.corp.akamai.com> <1484662079.5135.49.camel@quad> <9d54608c721c465788a38e5cc8e8cac6@usma1ex-dag1mb1.msg.corp.akamai.com> <CACz1E9rZrso0184wiiK04UJnv4sBWZwtM2yYumha08Z-4n0=KQ@mail.gmail.com> <CAHOTMVLGoj7RPFQBTRu_d+kOoBfrKmi+CG+ityyW=x3G4t_AaQ@mail.gmail.com> <CAMm+Lwh05t6AMoRdgmMLZNsAVWAXxax84WOxMB8Cp_gBq5oZVA@mail.gmail.com> <c185b3ee5008c559b1a42c5e298e0c74@mail.noekeon.org> <1484759562.5121.70.camel@quad> <CAMm+LwjNmbYWTRPeCM9i=TKoi9KM5bar4qpif24t9Fyhak5zsg@mail.gmail.com>
Date: Wed, 18 Jan 2017 19:11:48 +0100
Message-ID: <1484763108.5121.77.camel@quad>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/r59eBeY3x9FSRfS5PmT-NNzNpnY>

Hello Phillip,

On Wed, 2017-01-18 at 12:53 -0500, Phillip Hallam-Baker wrote:
> On Wed, Jan 18, 2017 at 12:12 PM, Leonard den Ottolander <
> leonard-lists@den.ottolander.nl> wrote:
> 
> >
> > - AES-192 was excluded from TLS for arbitrary reasons.
> > - AES-256 has known weaknesses in its key schedule that some researchers
> > consider severe.
> > - AES-192 offers better security than AES-128. There is serious doubt
> > AES-256 can offer the same level of security. This makes AES-192 a valid
> > alternative.
> > - Implementations of AES-192 are readily available.
> >
> >
> AES 192 was excluded for the perfectly good reason that there is no
> compelling argument for inclusion.
> 
> I would like to see the number of suites reduced because the strength of a
> cryptographic system depends on the strength of the weakest cipher. Thus
> adding ciphers to a system invariably weakens it.

It appears AES-256 is a weaker link than AES-192 so your general
argument about more is less seems invalid in this case. AES-256 shows
weaknesses that are not so prominent in AES-192.

> The only way to improve security is to eliminate ciphers. AES 128 is
> necessary, so is AES 256. I have never seen a point to 192.

I'm trying to make exactly that point :-) . AES-192 does not suffer from
the same weaknesses as AES-256 so the former is probably a more robust
cipher choice than the latter.

> If the AES key schedule is bjorked, time for a new cipher comp. At one
> point there was the possibility of a really fun itinerary, but the
> governments that might have sponsored a non-US cipher standard are not
> exactly crypto friendly right now.

The problems with the key schedule are with AES-256 specifically. Not
with AES in general.

I forgot to mention that AES-192 profits from the hardware support (CPU
AES instructions) that exists. This is not (yet) true for new ciphers.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research