Re: HTTP/2 and Pervasive Monitoring

Martin Thomson <martin.thomson@gmail.com> Wed, 20 August 2014 17:04 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B51E1A048F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 20 Aug 2014 10:04:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.67
X-Spam-Level:
X-Spam-Status: No, score=-7.67 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZJNKyR5p-LRu for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 20 Aug 2014 10:03:58 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C8B41A047C for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 20 Aug 2014 10:03:58 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XK9Fu-0008DU-4s for ietf-http-wg-dist@listhub.w3.org; Wed, 20 Aug 2014 17:01:02 +0000
Resent-Date: Wed, 20 Aug 2014 17:01:02 +0000
Resent-Message-Id: <E1XK9Fu-0008DU-4s@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <martin.thomson@gmail.com>) id 1XK9FO-0008BY-2F for ietf-http-wg@listhub.w3.org; Wed, 20 Aug 2014 17:00:30 +0000
Received: from mail-wi0-f169.google.com ([209.85.212.169]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <martin.thomson@gmail.com>) id 1XK9FL-0000og-CQ for ietf-http-wg@w3.org; Wed, 20 Aug 2014 17:00:30 +0000
Received: by mail-wi0-f169.google.com with SMTP id n3so6971891wiv.4 for <ietf-http-wg@w3.org>; Wed, 20 Aug 2014 10:00:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=nxlysbnf6yNViwnZ71BiTAIYAvr8sqUtPsn5JH46H08=; b=vdYSumlRZPBuSNIWdL9Fled2taqNdSDXrWQgfE6Mp6xctyb592RKGiaNOn6r1jwaf3 okgK2I6zH/auwxQJUGJ17Zv4pzem9MteoNh0qxLxcN5oDeUkRxDM9vOecVIzO2NmEhRx MNVHXph7X2yTdKPm5QH7GyhvaJ/pb2U+BSHirLPVSytTksGWwbCi8txnh4LZm0hhg5do pLR53m2e54P+05Sc8TXvmisxDrHbqIymZ35CQLQM/8ZWdYp5PbCG1/On6zmM6AXEnI7V 32FxSd0UfJ/KHyMr2FsPB+9KyhthUWbyT/t8MAyq3JEWhb0PCW785b056523r3pLxSCJ 1b7Q==
MIME-Version: 1.0
X-Received: by 10.180.73.6 with SMTP id h6mr16340307wiv.65.1408553999719; Wed, 20 Aug 2014 09:59:59 -0700 (PDT)
Received: by 10.194.6.229 with HTTP; Wed, 20 Aug 2014 09:59:59 -0700 (PDT)
In-Reply-To: <10689.1408519778@critter.freebsd.dk>
References: <38BD57DB-98A9-4282-82DD-BB89F11F7C84@mnot.net> <4851.1408094168@critter.freebsd.dk> <EB5B7C64-165B-48F1-94FF-1354E917A10F@mnot.net> <5871.1408106089@critter.freebsd.dk> <A9F561E4-E5C6-4E1D-89B1-F1EDA9FA1BAC@mnot.net> <10689.1408519778@critter.freebsd.dk>
Date: Wed, 20 Aug 2014 09:59:59 -0700
Message-ID: <CABkgnnVvm6vz=Tcv2n9YtH13E9-AUgdyXVY5RxLvmKkCcNSpgg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=209.85.212.169; envelope-from=martin.thomson@gmail.com; helo=mail-wi0-f169.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.733, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1XK9FL-0000og-CQ 8e7b2d4ca6f9feb3de9ba825764ca635
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP/2 and Pervasive Monitoring
Archived-At: <http://www.w3.org/mid/CABkgnnVvm6vz=Tcv2n9YtH13E9-AUgdyXVY5RxLvmKkCcNSpgg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/26678
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 20 August 2014 00:29, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> I don't think the algorithm matters, as long as it's not buggy, the
> bruteforcing will be done against the keys used.


Let's go with this and run with it a little.  Assume that you are
using AES-GCM or something like it.  That's 2^64 decryptions to get a
50/50 chance of success.  The constant factor is the speed of the
algorithm and it's key schedule.  If you can do 10Gb/s on a single
machine with Ilari's estimated ~1.7 cGHz and 14cGHz per core, that
means something in the order of 900 machine years to brute force a
single key.  Based on some rough guesses on AWS (ECU to cGHz
conversion) and current prices, that's going to set you back about
USD170K.  It's highly parallel, so don't expect to wait particularly
long.  Big caveat on the numbers, I've fudged a fair bit (on the
pessimistic side).

On the other hand, if you reduced the key size to 32-bit and increased
the enciphering rate by a linear factor (4), that reduces the number
of calculations significantly.  That works out a cost for a brute
force of USD0.0000000001

USD170K might be OK, depending on what you concern yourself with.
Though it makes me think that a move to 256-bit ciphers might need to
come sooner than I expected.  On the other hand, any significant
reduction in key size basically seems to amount to nothing short of an
ineffectual cipher.  Even a 64-bit cipher that increased throughput by
a factor of 16 would be a trivial cost to brute force.