Re: [MLS] Substitute AES-128-GCM with AES-256-GCM for TreeKEM

Richard Barnes <rlb@ipv.sx> Wed, 19 September 2018 18:37 UTC

References: <7397E576-521F-4198-9232-C59530877E19@wire.com> <CAL02cgQb0BnPKQ015Uh5VOAsvSD6iXK4AE==Vyw9WXac0Th_kg@mail.gmail.com> <20180919193057.338a3638@T-200>
In-Reply-To: <20180919193057.338a3638@T-200>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 19 Sep 2018 13:37:13 -0500
Message-ID: <CAL02cgSeMCr1E+ut7ViioT5Tq9x3CE_pD6MEWP6VMjGoNX3wVQ@mail.gmail.com>
To: dennis.jackson@cs.ox.ac.uk
Cc: mls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/y5-u8uHYquXQ38jcPS_4AgT_JB8>

In this case, I think we can do better than SIV by requiring that nonces be
generated in a certain way.  When I added TreeKEM, I erred in having an
independent nonce field in the ECIESCiphertext struct.  Instead, we should
generate the nonce from the ECDH exchange, in parallel with the key,
precisely as TLS does.

On Wed, Sep 19, 2018 at 1:31 PM Dennis Jackson <dennis.jackson@cs.ox.ac.uk>
wrote:

> Would it be reasonable to apply a misuse resistant scheme such as
> AES-GCM-SIV? [1].
>
> I am more concerned by implementations getting nonce generation wrong
> than the delta between 128 / 256 keys.
>
> [1] https://eprint.iacr.org/2017/168.pdf
>
> On Wed, 19 Sep 2018 13:14:48 -0500
> Richard Barnes <rlb@ipv.sx> wrote:
>
> > The obvious argument against this is that you don't ultimately get the
> > benefit of the bigger key.  Since you're generating the key off of a
> > P-256 operation, your security level is limited to 128 bits.  The
> > only way that argument wouldn't hold is if you thought for some
> > reason that AES-128-GCM was going to degrade faster than P-256, or if
> > you wanted to argue that AES-128-GCM isn't really providing a 128-bit
> > security level.
> >
> > You could, of course, have a cipher suite where you upgrade
> > everything: AES-256-GCM, P-521, SHA-512.  But in that case, the size
> > of a message basically doubles.  Concretely: an element in a TreeKEM
> > path has (1) a public key for the node (2) an encrypted node secret
> > which is (2a) a public key (2b) an encrypted hash output and (2c) a
> > GCM tag.  With the *256 suite, that comes to 178 = 65 + (65 + 32 + 16)
> > and with the *512 suite, 346 = 133 + (133 + 64 + 16).
> >
> > If other folks are keen on AES-256-GCM, I don't think there's any
> > major harm in upgrading the P-256-based scheme to use AES-256-GCM,
> > but I don't think there's much benefit either.  Likewise, if folks
> > want to add a higher-security-level suite, I wouldn't be opposed, but
> > I don't think it'll get much use.  In the Firefox TLS telemetry [1],
> > the AES-256-GCM ciphersuites get more than 6x the use that the
> > AES-128-GCM suites do.
> >
> > --Richard
> >
> > [1] https://mzl.la/2PPT1YL
> > 1 = RSA + AES-128-GCM = 55%
> > 2 = ECDSA + AES-128-GCM = 18%
> > 13 = ECDSA + AES-256-GCM = 1%
> > 14 = RSA + AES-256-GCM = 10%
> >
> > On Wed, Sep 19, 2018 at 12:17 PM Raphael Robert <raphael@wire.com>
> > wrote:
> >
> > > I am proposing to substitute AES-128-GCM with AES-256-GCM for
> > > TreeKEM:
> > >
> > > https://github.com/mlswg/mls-protocol/pull/60
> > >
> > > There was no particular reason why AES-128-GCM was chosen
> > > initially, and there is no obvious security downside to AES-256-GCM.
> > >
> > > Raphael
> > > _______________________________________________
> > > MLS mailing list
> > > MLS@ietf.org
> > > https://www.ietf.org/mailman/listinfo/mls
> > >
>
>
>
> --
> PGP Fingerprint: 5B93 F0B9 D6A8 9BC1 546B C98C 6105 A775 8CD2 46AC
>
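Added example (not code from the MLS draft, the PR, or anyone in this thread) of the key schedule Richard describes above: the AEAD nonce is derived from the ECDH output in parallel with the key, TLS 1.3 style, so the ECIESCiphertext struct needs no independent nonce field for an implementation to get wrong. It assumes HKDF with SHA-256, the TLS 1.3 HKDF-Expand-Label construction with the labels "key" and "iv", an illustrative context string, and a constructed 32-byte stand-in for the P-256 ECDH shared secret.

```python
import hashlib
import hmac

HASH, HASH_LEN = hashlib.sha256, 32   # SHA-256 pairs with the P-256 suite


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(1) || T(2) || ... truncated to `length`."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 s7.1): info = HkdfLabel{length, "tls13 " + label, context}."""
    full_label = b"tls13 " + label.encode()
    info = (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def derive_key_and_nonce(shared_secret: bytes, context: bytes,
                         key_len: int = 16, nonce_len: int = 12) -> tuple:
    """Sender and receiver run this on the same ECDH output and get the same pair.

    Each ECIES encryption uses a fresh ephemeral key, so the shared secret and
    hence the nonce are fresh per message; no code path picks or transmits a nonce.
    """
    secret = hkdf_extract(b"", shared_secret)   # empty salt = HashLen zero bytes
    key = hkdf_expand_label(secret, "key", context, key_len)
    nonce = hkdf_expand_label(secret, "iv", context, nonce_len)
    return key, nonce


# Constructed stand-in for an ECDH output; a real deployment gets it from P-256 ECDH.
SHARED_SECRET = bytes(range(1, 33))
CONTEXT = b"MLS TreeKEM node secret"   # assumed label, not from the draft
```

The HKDF primitives are checked against RFC 5869 test case 1 in the accompanying assertions; the 16-byte key and 12-byte nonce feed AES-128-GCM directly.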