IETF Logo Mail Archive

Re: [MLS] Substitute AES-128-GCM with AES-256-GCM for TreeKEM

Dennis Jackson <dennis.jackson@cs.ox.ac.uk> Wed, 19 September 2018 18:55 UTC

Return-Path: <dennis.jackson@cs.ox.ac.uk>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC601130E86 for <mls@ietfa.amsl.com>; Wed, 19 Sep 2018 11:55:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oxxAZWSJUFVZ for <mls@ietfa.amsl.com>; Wed, 19 Sep 2018 11:55:22 -0700 (PDT)
Received: from relay14.mail.ox.ac.uk (relay14.mail.ox.ac.uk [163.1.2.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FDBC12F1AC for <mls@ietf.org>; Wed, 19 Sep 2018 11:55:22 -0700 (PDT)
Received: from smtp5.mail.ox.ac.uk ([163.1.2.207]) by relay14.mail.ox.ac.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <dennis.jackson@cs.ox.ac.uk>) id 1g2hd9-0006Uj-lx for mls@ietf.org; Wed, 19 Sep 2018 19:55:20 +0100
Received: from 61.ip-51-38-113.eu ([51.38.113.61] helo=T-200) by smtp5.mail.ox.ac.uk with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <dennis.jackson@cs.ox.ac.uk>) id 1g2hd9-0007Id-Hw for mls@ietf.org; Wed, 19 Sep 2018 19:55:19 +0100
Date: Wed, 19 Sep 2018 19:55:17 +0100
From: Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
To: mls@ietf.org
Message-ID: <20180919195517.60776d47@T-200>
In-Reply-To: <CAL02cgSeMCr1E+ut7ViioT5Tq9x3CE_pD6MEWP6VMjGoNX3wVQ@mail.gmail.com>
References: <7397E576-521F-4198-9232-C59530877E19@wire.com> <CAL02cgQb0BnPKQ015Uh5VOAsvSD6iXK4AE==Vyw9WXac0Th_kg@mail.gmail.com> <20180919193057.338a3638@T-200> <CAL02cgSeMCr1E+ut7ViioT5Tq9x3CE_pD6MEWP6VMjGoNX3wVQ@mail.gmail.com>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Oxford-Username: exet4027
X-Oxmail-Spam-Status: score=0.0 tests=none
X-Oxmail-Spam-Level: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/oGHRRKp0T7uoMnG3RWr4dghxgY4>
Subject: Re: [MLS] Substitute AES-128-GCM with AES-256-GCM for TreeKEM
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Sep 2018 18:55:26 -0000

Currently the specification seems to require the application layer
messages are protected by the same AEAD defined in the handshake. [1] Do
you intend for the nonces to be deterministically generated for
application messages as well? If so, there is a risk state handling
bugs which SIV would mitigate. 

Alternatively, if the message layer is going to use a misuse resistant
algorithm, we might as well use it in the handshake as well? 

[1] Based on
https://github.com/mlswg/mls-protocol/blob/master/draft-ietf-mls-protocol.md
which differs from the current IETF draft. 

On Wed, 19 Sep 2018 13:37:13 -0500
Richard Barnes <rlb@ipv.sx> wrote:

> In this case, I think we can do better than SIV by requiring that
> nonces be generated in a certain way.  When I added TreeKEM, I erred
> in having an independent nonce field in the ECIESCiphertext struct.
> Instead, we should generate the nonce from the ECDH exchange, in
> parallel with the key, precisely as TLS does.
> 
> On Wed, Sep 19, 2018 at 1:31 PM Dennis Jackson
> <dennis.jackson@cs.ox.ac.uk> wrote:
> 
> > Would it be reasonable to apply a misuse resistant scheme such as
> > AES-GCM-SIV? [1].
> >
> > I am more concerned by implementations getting nonce generation
> > wrong than the delta between 128 / 256 keys.
> >
> > [1] https://eprint.iacr.org/2017/168.pdf
> >
> > On Wed, 19 Sep 2018 13:14:48 -0500
> > Richard Barnes <rlb@ipv.sx> wrote:
> >  
> > > The obvious argument against this is that you don't ultimately
> > > get the benefit of the bigger key.  Since you're generating the
> > > key off of a P-256 operation, your security level to limited to
> > > 128 bits.  The only way that argument wouldn't hold is if you
> > > thought for some reason that AES-128-GCM was going to degrade
> > > faster than P-256, or if you wanted to argue that AES-128-GCM
> > > isn't really providing a 128-bit security level.
> > >
> > > You could, of course, have a cipher suite where you upgrade
> > > everything: AES-256-GCM, P-521, SHA-512.  But in that case, the
> > > size of a message basically doubles.  Concretely: an element in a
> > > TreeKEM path has (1) a public key for the node (2) an encrypted
> > > node secret with is (2a) a public key (2b) an encrypted hash
> > > output and (2c) a GCM tag.  With the *256 suite, that comes to
> > > 178 = 65 + (65 + 32 + 16) and with the *512 suite, 346 = 133
> > > + (133 + 64 + 16).
> > >
> > > If other folks are keen on AES-256-GCM, I don't think there's any
> > > major harm in upgrading the P-256-based scheme to use AES-256-GCM,
> > > but I don't think there's much benefit either.  Likewise, if folks
> > > want to add a higher-security-level suite, I wouldn't be opposed,
> > > but I don't think it'll get much use.  In the Firefox TLS
> > > telemetry [1], the AES-256-GCM ciphersuites get more than 6x the
> > > use that the AES-128-GCM suites do.
> > >
> > > --Richard
> > >
> > > [1] https://mzl.la/2PPT1YL
> > > 1 = RSA + AES-128-GCM = 55%
> > > 2 = ECDSA + AES-128-GCM = 18%
> > > 13 = ECDSA + AES-256-GCM =1%
> > > 14 = RSA + AES-256-GCM = 10%
> > >
> > > On Wed, Sep 19, 2018 at 12:17 PM Raphael Robert <raphael@wire.com>
> > > wrote:
> > >  
> > > > I am proposing to substitute AES-128-GCM with AES-256-GCM for
> > > > TreeKEM:
> > > >
> > > > https://github.com/mlswg/mls-protocol/pull/60
> > > >
> > > > There was no particular reason why AES-128-GCM was chosen
> > > > initially, and there is no obvious security downside to
> > > > AES-256-GCM.
> > > >
> > > > Raphael
> > > > _______________________________________________
> > > > MLS mailing list
> > > > MLS@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/mls
> > > >  
> >
> >
> >
> > --
> > PGP Fingerprint: 5B93 F0B9 D6A8 9BC1 546B C98C 6105 A775 8CD2 46AC
> >
> > _______________________________________________
> > MLS mailing list
> > MLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/mls
> >  



-- 
PGP Fingerprint: 5B93 F0B9 D6A8 9BC1 546B C98C 6105 A775 8CD2 46AC

v2.46.0 | Report a Bug | By Email | System Status