IETF Logo Mail Archive

Re: [MLS] Substitute AES-128-GCM with AES-256-GCM for TreeKEM

Richard Barnes <rlb@ipv.sx> Thu, 20 September 2018 14:52 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAD79130DF1 for <mls@ietfa.amsl.com>; Thu, 20 Sep 2018 07:52:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PhT02EHJqN2l for <mls@ietfa.amsl.com>; Thu, 20 Sep 2018 07:52:32 -0700 (PDT)
Received: from mail-ot1-x344.google.com (mail-ot1-x344.google.com [IPv6:2607:f8b0:4864:20::344]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 211D2130E1E for <mls@ietf.org>; Thu, 20 Sep 2018 07:52:32 -0700 (PDT)
Received: by mail-ot1-x344.google.com with SMTP id n5-v6so9702510otl.5 for <mls@ietf.org>; Thu, 20 Sep 2018 07:52:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tiOP4y82I7ZQtwx8WHnpgz+rqNewNDmqhSr9rFcx7Tw=; b=i1RiGyumMtu0pkLOwljyQYFO6IVck746Qg6zxfhZ1f5zt93zvuBJk0lI1f/ogWT6mo o9il6jSSjWSt4en/QQ3z2P/rJ3PReT+h1tRFTOf+HrxeHnX70YlICjG5HNmfKTt8+eLO ijYzZnwSTsTJ1aLqmwO6YROSn3Cv1Sre26KOPG9T//VoXwoHneK2Gug2VgXnNZrOGNun BLkVeonhsya0Sd+VXOebivNvUG8DUW34cUyw+5G3AiusAvepo4MrrVm2MOCnLdlo3VNZ 4FLx5G/VG2NU807l24B2lIgoUdzfRYdT1cWfyq1lPi751xAo5HTozNZxAW3mq0axz1wF 6jCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tiOP4y82I7ZQtwx8WHnpgz+rqNewNDmqhSr9rFcx7Tw=; b=UuSXRapvFVqNr+mC/aM35+MB+qE8hQf/FL7iKb5pQUNx/xu935DYzddUDt1JjealVV 9QorBrXlF8eMkW0ekG1MhtOZ0fhso+2I86xD87BE6SmmX8Md1LOhPbmjlLoHtXQQInfT sd6v/ygWCiMOR7BL3Cr9ZeuGuIAv/Suv9UUbLaS+FrUp1qJWa4IeOgLDKIks6OlLgctz kDGz23NA1a5mDGmVnZPSoa4SE5Ro9yDVguL1cnesYJsBNvshBgyxDWGquNBjqYEX8GHD HLa0MBsJh2/j3nzd2dIfrDNvs1YqoUV6aux9pEu0Bi+w2RPYbpgnv3Tj6cOylWzvwOZA xKMg==
X-Gm-Message-State: APzg51DnFD75jzM+SEuYp0TzVWl77IocuVsdGBUv/X6tZKJM3njGgJcm YkBUMx3K428U9Q9Vwr+VvQEzI3Llz0DnoS6g+Rg7g36UFBc=
X-Google-Smtp-Source: ANB0Vdacdee/gRYKg/SupJA7AFkd7kIeOoCo9viHepncOjaCJ3I4h5qImYopKvYZYLil10D+083KWxwIGukH/DAmfLY=
X-Received: by 2002:a9d:758c:: with SMTP id s12-v6mr21371852otk.53.1537455151150; Thu, 20 Sep 2018 07:52:31 -0700 (PDT)
MIME-Version: 1.0
References: <7397E576-521F-4198-9232-C59530877E19@wire.com> <CAL02cgQb0BnPKQ015Uh5VOAsvSD6iXK4AE==Vyw9WXac0Th_kg@mail.gmail.com> <911130F4-8B46-45C9-A4A6-8359A950DD48@wire.com> <E91763CB-C647-4E83-BC01-0ECD22254F46@akamai.com> <CAL02cgQ1SiGCZ8VUV+V8Ak5Qt7WiDsXD_nzDs_Kbpvn-pNyNHw@mail.gmail.com> <f5c6c101-cb5e-e78d-77bf-efe415945dda@wickr.com> <20180920143458.13a44cc1@T-200>
In-Reply-To: <20180920143458.13a44cc1@T-200>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 20 Sep 2018 09:52:19 -0500
Message-ID: <CAL02cgStk7idop2nGH4W==3bK+g0GAo3JYKR=VsYT0bStGM9EQ@mail.gmail.com>
To: dennis.jackson@cs.ox.ac.uk
Cc: mls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000248f3405764eacd1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/vHfAgoXchzHi7M4I0cbdOryEL1Q>
Subject: Re: [MLS] Substitute AES-128-GCM with AES-256-GCM for TreeKEM
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Sep 2018 14:52:35 -0000

If QC becomes practical, all the DH stuff is out the window anyway :)

On Thu, Sep 20, 2018 at 8:36 AM Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
wrote:

> One area in which the symmetric cipher keysize does matter is if you
> believe quantum computers will become viable in the next 5~10 years.
> Considering the efforts standards bodies and corporations are putting
> into developing post-quantum handshakes, this doesn't seem unreasonable.
>
> If QC becomes practical (even assuming no other cryptanalytic
> breakthroughs) AES-256 degrades to 128-bit security and AES-128
> degrades to only 64-bit security (no better than DES). However, none of
> the draft handshakes are post-quantum secure, which is arguably a bigger
> problem.
>
> Some options:
>
> a) do nothing
> b) specify a post quantum handshake alongside AES-256
> c) specify AES-256 in general and allow a PSK in addition to the usual
> handshake
>
> Wireguard uses c) to achieve "cheap" PQ-security without the
> burden of implementing a PQ handshake.
>
> I'm not advocating for any of these options, just noting where
> symmetric keysize is a consideration.
>
> On Thu, 20 Sep 2018 14:27:09 +0200
> Joel Alwen <jalwen@wickr.com> wrote:
>
> > On 20/09/2018 14:02, Richard Barnes wrote:
> >
> > > As I understand it:
> > >
> > > The parts of a ciphersuite work together, so the idea is roughly
> > > that there's no point in adding one super strong link to the chain
> > > if the others are weak.
> > >
> > > Following the TreeKEM / ECIES example below, if you generate a key
> > > for AES-256 off of a P-256 ECDH operation, then the whole thing can
> > > still be broken with 2^128 effort, by attacking the ECDH instead of
> > > the AES.
> >
> > - I agree with this point of view. To me it seems the con of the
> > switch to AES-256 is some (small) additional cost in bandwidth,
> > storage and computation but there is no pro in terms of added
> > security since keys are negotiated on a 128-bit secure curve. So it
> > doesn't make that much sense to me... Nor do I think, at least for
> > short and medium term security, that there is a problem with 128-bit
> > security.
> >
> > - Having said that, I think 256-bit security does have legitimate use
> > cases in practice. (Say, long-term forward secrecy and/or hedging
> > against future improvements in cryptanalyis.) Therefor I'm quite in
> > favor of including in MLS a recommended fully 256-bit secure
> > instantiation. E.g. SHA-512, Ed448-Goldilocks, AES-256-GCM. (My
> > preference for Ed448 over P521 stems from P521 being less efficient,
> > less easy to implement in side-channel resistant way and Ed448 soon
> > being included in TLS hopefully leading to solid implementations
> > becoming widely available.)
> >
> > - I think that mandating an explicit nonce reuse resistant mechanism
> > (whether via SIV or something else) makes a lot of sense and is
> > something MLS should do.
> >
>
>
>
> --
> PGP Fingerprint: 5B93 F0B9 D6A8 9BC1 546B C98C 6105 A775 8CD2 46AC
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email