IETF Logo Mail Archive

Re: [MLS] Substitute AES-128-GCM with AES-256-GCM for TreeKEM

Dennis Jackson <dennis.jackson@cs.ox.ac.uk> Wed, 19 September 2018 18:31 UTC

Return-Path: <dennis.jackson@cs.ox.ac.uk>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B385127B92 for <mls@ietfa.amsl.com>; Wed, 19 Sep 2018 11:31:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kSoinDgK3PYU for <mls@ietfa.amsl.com>; Wed, 19 Sep 2018 11:31:02 -0700 (PDT)
Received: from relay16.mail.ox.ac.uk (relay16.mail.ox.ac.uk [163.1.2.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35191130E63 for <mls@ietf.org>; Wed, 19 Sep 2018 11:31:02 -0700 (PDT)
Received: from smtp6.mail.ox.ac.uk ([163.1.2.206]) by relay16.mail.ox.ac.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <dennis.jackson@cs.ox.ac.uk>) id 1g2hFb-0003KB-sB for mls@ietf.org; Wed, 19 Sep 2018 19:31:00 +0100
Received: from 61.ip-51-38-113.eu ([51.38.113.61] helo=T-200) by smtp6.mail.ox.ac.uk with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <dennis.jackson@cs.ox.ac.uk>) id 1g2hFb-0002Ly-LJ for mls@ietf.org; Wed, 19 Sep 2018 19:30:59 +0100
Date: Wed, 19 Sep 2018 19:30:57 +0100
From: Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
To: mls@ietf.org
Message-ID: <20180919193057.338a3638@T-200>
In-Reply-To: <CAL02cgQb0BnPKQ015Uh5VOAsvSD6iXK4AE==Vyw9WXac0Th_kg@mail.gmail.com>
References: <7397E576-521F-4198-9232-C59530877E19@wire.com> <CAL02cgQb0BnPKQ015Uh5VOAsvSD6iXK4AE==Vyw9WXac0Th_kg@mail.gmail.com>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Oxford-Username: exet4027
X-Oxmail-Spam-Status: score=0.0 tests=none
X-Oxmail-Spam-Level: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/CCxJ-J5fW68G-x5fgrjs7isOIAs>
Subject: Re: [MLS] Substitute AES-128-GCM with AES-256-GCM for TreeKEM
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Sep 2018 18:31:06 -0000

Would it be reasonable to apply a misuse resistant scheme such as
AES-GCM-SIV? [1]. 

I am more concerned by implementations getting nonce generation wrong
than the delta between 128 / 256 keys.  

[1] https://eprint.iacr.org/2017/168.pdf

On Wed, 19 Sep 2018 13:14:48 -0500
Richard Barnes <rlb@ipv.sx> wrote:

> The obvious argument against this is that you don't ultimately get the
> benefit of the bigger key.  Since you're generating the key off of a
> P-256 operation, your security level to limited to 128 bits.  The
> only way that argument wouldn't hold is if you thought for some
> reason that AES-128-GCM was going to degrade faster than P-256, or if
> you wanted to argue that AES-128-GCM isn't really providing a 128-bit
> security level.
> 
> You could, of course, have a cipher suite where you upgrade
> everything: AES-256-GCM, P-521, SHA-512.  But in that case, the size
> of a message basically doubles.  Concretely: an element in a TreeKEM
> path has (1) a public key for the node (2) an encrypted node secret
> with is (2a) a public key (2b) an encrypted hash output and (2c) a
> GCM tag.  With the *256 suite, that comes to 178 = 65 + (65 + 32 +
> 16) and with the *512 suite, 346 = 133
> + (133 + 64 + 16).
> 
> If other folks are keen on AES-256-GCM, I don't think there's any
> major harm in upgrading the P-256-based scheme to use AES-256-GCM,
> but I don't think there's much benefit either.  Likewise, if folks
> want to add a higher-security-level suite, I wouldn't be opposed, but
> I don't think it'll get much use.  In the Firefox TLS telemetry [1],
> the AES-256-GCM ciphersuites get more than 6x the use that the
> AES-128-GCM suites do.
> 
> --Richard
> 
> [1] https://mzl.la/2PPT1YL
> 1 = RSA + AES-128-GCM = 55%
> 2 = ECDSA + AES-128-GCM = 18%
> 13 = ECDSA + AES-256-GCM =1%
> 14 = RSA + AES-256-GCM = 10%
> 
> On Wed, Sep 19, 2018 at 12:17 PM Raphael Robert <raphael@wire.com>
> wrote:
> 
> > I am proposing to substitute AES-128-GCM with AES-256-GCM for
> > TreeKEM:
> >
> > https://github.com/mlswg/mls-protocol/pull/60
> >
> > There was no particular reason why AES-128-GCM was chosen
> > initially, and there is no obvious security downside to AES-256-GCM.
> >
> > Raphael
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/mls
> >  



-- 
PGP Fingerprint: 5B93 F0B9 D6A8 9BC1 546B C98C 6105 A775 8CD2 46AC

v2.46.0 | Report a Bug | By Email | System Status