IETF Logo Mail Archive

Re: [Cfrg] [TLS] 3DES diediedie

Dmitry Belyavsky <beldmit@gmail.com> Fri, 26 August 2016 07:58 UTC

Return-Path: <beldmit@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CC6112D10C for <cfrg@ietfa.amsl.com>; Fri, 26 Aug 2016 00:58:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PRORbBZf692N for <cfrg@ietfa.amsl.com>; Fri, 26 Aug 2016 00:58:41 -0700 (PDT)
Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC91C12D103 for <cfrg@irtf.org>; Fri, 26 Aug 2016 00:58:39 -0700 (PDT)
Received: by mail-lf0-x231.google.com with SMTP id b199so51188046lfe.0 for <cfrg@irtf.org>; Fri, 26 Aug 2016 00:58:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=boTcQ7K8fIxJiEapU1RWMKOAyzjDwY5g3JG8zxVyVXA=; b=dinbOzJHuHiIgxdSB/idlT3k7ocJKZ5SCAMnqvxsGnDhWxxEj+4O7Oy4SoaeiGolvo qNwy9g51mtQinpkmMLndz3ND7BxduapXiCKsKXegjGRkxFQciVk+htQA12rMo426l66H Kp93BSXDC+RCYjxWXVx3iOl/tr6yCi7lCIyb3fPaRhwyZIUzvgMDKgdhoP+8HxFjtvAb qLFqZMdkQhuHp4KoeTlREkLFdvfnAYY5OmHgWtsGbHUOkfoK93Q74bs6tusAn47e0x2f DKa43XOO01j+n/Tz8M8lKi9GJLRmmvlsCrvzKjHEpAU161NcHs47M87inKrc+892fjT8 z7kA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=boTcQ7K8fIxJiEapU1RWMKOAyzjDwY5g3JG8zxVyVXA=; b=A7Gc4vxGIms53tALmBI+9EWZB1x8/3STv0FLHaUPK3su009PvhiaFq78pwaULbrEaU 51qNJenMOZzXAFctKuDSQUKxA1HnKVsf4ZUP465bwXzTBLOXN1NYhw5lD3aJilSEezPQ xtf7WSoOutEFXFOaPTz0wpzfsM2ykRZd4IFkGfYNbnDaFEgy6olyoIn0x5NhfHsaC7W6 vtMIga6dQWrqODN+8Hb2qHiZYUKzrcCN3ezUSm5+A8yw1Z7SQBo/WRNtXFn8s55JrnGh R7DloSUNHBkLv3BgPnhuEMWjlez4m+xUn+7+M8T6Yd9e1JqqWr7sFam8NVgLxD8t7Sq1 WSnQ==
X-Gm-Message-State: AE9vXwMpNyXBNS3acnSjiF7IArGEeVHqUbbqWN2RdaSgD6+GV0RXATUZYWNM04rPZVrJ+GQRbEzQ7n+FNqxNBg==
X-Received: by 10.25.139.135 with SMTP id n129mr555943lfd.111.1472198317933; Fri, 26 Aug 2016 00:58:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.218.5 with HTTP; Fri, 26 Aug 2016 00:58:37 -0700 (PDT)
In-Reply-To: <CAHOTMV+r5PVxqnSozYyqJqq_YocMKV06aAa-43t+5Huzh7Lo=A@mail.gmail.com>
References: <CAHOTMV+r5PVxqnSozYyqJqq_YocMKV06aAa-43t+5Huzh7Lo=A@mail.gmail.com>
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Fri, 26 Aug 2016 10:58:37 +0300
Message-ID: <CADqLbz+nuAkc-m=O6110H2d-1xpy3DXq_XgpxfTfP=fEGt1+xg@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Content-Type: multipart/alternative; boundary="001a113fc2f6c78b36053af4e1d7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/sFakI7hSOIgQj6qU8Iqm4uqYgjA>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [Cfrg] [TLS] 3DES diediedie
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2016 07:58:44 -0000

Hello all,

Regarding the discussion of the Sweet32 attack, it's worth mentioning that
there is a specification of so called key meshing for the Russian GOST
cipher (which has 64-bit block as well).
Key meshing is a procedure of a predictable change of the current key after
processing an certain amount of data.
It is described in RFC 4357, Section 2.3 (
https://tools.ietf.org/html/rfc4357#section-2.3).

This key meshing defends against any attack that uses a big portion of data
encrypted with the same key.

May be it is useful to specify the similar procedure for modern ciphers too.


On Thu, Aug 25, 2016 at 5:08 AM, Tony Arcieri <bascule@gmail.com> wrote:

> This attack was published today[*]:
>
> https://sweet32.info/
>
> I bring it up because I think the threat model is similar to the threats
> that lead to RC4 "diediedie"
>
> https://www.rfc-editor.org/info/rfc7465
>
> Should there be a 3DES "diediedie"?
>
> I believe 3DES is MTI for TLS 1.0/1.1(?) but I think it would make sense
> for it to be banned from TLS 1.3.
>
> [*] Lest anyone claim the contrary, I am not surprised by this attack, and
> have pushed to have 3DES removed from TLS prior to the publication of this
> attack, and can probably find a TLS implementer who can back me up on that.
>
> --
> Tony Arcieri
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>


-- 
SY, Dmitry Belyavsky

v2.23.0 | Report a Bug | By Email