Re: [MLS] Substitute AES-128-GCM with AES-256-GCM for TreeKEM

Richard Barnes <rlb@ipv.sx> Wed, 19 September 2018 18:15 UTC

References: <7397E576-521F-4198-9232-C59530877E19@wire.com>
In-Reply-To: <7397E576-521F-4198-9232-C59530877E19@wire.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 19 Sep 2018 13:14:48 -0500
Message-ID: <CAL02cgQb0BnPKQ015Uh5VOAsvSD6iXK4AE==Vyw9WXac0Th_kg@mail.gmail.com>
To: Raphael Robert <raphael@wire.com>
Cc: mls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/p5TNvwb4hSfi3CqY_4F-flBcd1A>

The obvious argument against this is that you don't ultimately get the
benefit of the bigger key.  Since you're generating the key off of a P-256
operation, your security level is limited to 128 bits.  The only way that
argument wouldn't hold is if you thought for some reason that AES-128-GCM
was going to degrade faster than P-256, or if you wanted to argue that
AES-128-GCM isn't really providing a 128-bit security level.

You could, of course, have a cipher suite where you upgrade everything:
AES-256-GCM, P-521, SHA-512.  But in that case, the size of a message
basically doubles.  Concretely: an element in a TreeKEM path has (1) a
public key for the node (2) an encrypted node secret which is (2a) a public
key (2b) an encrypted hash output and (2c) a GCM tag.  With the *256 suite,
that comes to 178 = 65 + (65 + 32 + 16) and with the *512 suite, 346 = 133
+ (133 + 64 + 16).

If other folks are keen on AES-256-GCM, I don't think there's any major
harm in upgrading the P-256-based scheme to use AES-256-GCM, but I don't
think there's much benefit either.  Likewise, if folks want to add a
higher-security-level suite, I wouldn't be opposed, but I don't think it'll
get much use.  In the Firefox TLS telemetry [1], the AES-256-GCM
ciphersuites get more than 6x the use that the AES-128-GCM suites do.

--Richard

[1] https://mzl.la/2PPT1YL
1 = RSA + AES-128-GCM = 55%
2 = ECDSA + AES-128-GCM = 18%
13 = ECDSA + AES-256-GCM = 1%
14 = RSA + AES-256-GCM = 10%

On Wed, Sep 19, 2018 at 12:17 PM Raphael Robert <raphael@wire.com> wrote:

> I am proposing to substitute AES-128-GCM with AES-256-GCM for TreeKEM:
>
> https://github.com/mlswg/mls-protocol/pull/60
>
> There was no particular reason why AES-128-GCM was chosen initially, and
> there is no obvious security downside to AES-256-GCM.
>
> Raphael
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>
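The size and security-level arithmetic from Richard's reply, carried through as an added example (not code from the thread or from the MLS draft). It derives the 178- and 346-byte path elements from the suite parameters and shows why swapping in AES-256-GCM under P-256 leaves the nominal level at 128 bits; the direct-path node count is a simplifying assumption (ceil(log2(n)) nodes for n leaves, ignoring resolution fan-out).

```python
"""Size and nominal security level of a TreeKEM direct-path element."""
from dataclasses import dataclass
import math

GCM_TAG_LEN = 16  # bytes: AES-GCM authentication tag, same for AES-128 and AES-256


@dataclass(frozen=True)
class Suite:
    name: str
    curve_bits: int    # field size of the ECDH curve (256 for P-256, 521 for P-521)
    hash_len: int      # hash output length in bytes (32 for SHA-256, 64 for SHA-512)
    aes_key_bits: int  # AES key length used with GCM

    @property
    def point_len(self) -> int:
        # Uncompressed SEC1 point: 0x04 || X || Y, coordinates padded to the field size
        coord = math.ceil(self.curve_bits / 8)
        return 1 + 2 * coord  # 65 for P-256, 133 for P-521

    def path_element_len(self) -> int:
        # (1) node public key + (2) encrypted node secret, which is
        # (2a) ephemeral public key + (2b) hash-sized ciphertext + (2c) GCM tag
        return self.point_len + (self.point_len + self.hash_len + GCM_TAG_LEN)

    def security_bits(self) -> int:
        # ECDH over a b-bit prime curve gives roughly b/2 bits; AES-k gives k bits.
        # The weaker component bounds the suite, so a bigger AES key alone buys nothing.
        return min(self.curve_bits // 2, self.aes_key_bits)


SUITE_256 = Suite("P-256 / SHA-256 / AES-128-GCM", 256, 32, 128)
SUITE_256_AES256 = Suite("P-256 / SHA-256 / AES-256-GCM", 256, 32, 256)
SUITE_512 = Suite("P-521 / SHA-512 / AES-256-GCM", 521, 64, 256)


def direct_path_len(suite: Suite, n_leaves: int) -> int:
    # Assumption: one element per node on the updater's direct path above the leaf,
    # i.e. ceil(log2(n)) nodes for a tree with n leaves (fan-out to resolutions ignored).
    depth = math.ceil(math.log2(n_leaves)) if n_leaves > 1 else 0
    return depth * suite.path_element_len()


if __name__ == "__main__":
    for s in (SUITE_256, SUITE_256_AES256, SUITE_512):
        print(f"{s.name}: element {s.path_element_len()} bytes, "
              f"~{s.security_bits()}-bit level, 1024-leaf path {direct_path_len(s, 1024)} bytes")
```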