IETF Logo Mail Archive

Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Wed, 13 July 2016 13:58 UTC

Return-Path: <quynh.dang@nist.gov>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E361C12D81D for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 06:58:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KMPhRmkqKa7D for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 06:58:47 -0700 (PDT)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0109.outbound.protection.outlook.com [23.103.201.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B998C12D80A for <tls@ietf.org>; Wed, 13 Jul 2016 06:58:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=XyL9SgNVdSnOawiedQhTwY74oS71/Feup6VEOhtYMe0=; b=W8eOZ+y0X2bh75Y0+3o3PjbWvVreZcXSKLSJC65HDLx/V517bD52y1Fb12NwdphtQnayooJVgsKyKxVZCrnfW+CLDH1Btz6DnYTAfZVNzxTlTouL1M8RjOk7tIcapWmD28H+GwhEVzQKOWihIYV5OA6fbDXMCqeFsInsG0jemLY=
Received: from BN1PR09MB0171.namprd09.prod.outlook.com (10.255.192.149) by BN1PR09MB0170.namprd09.prod.outlook.com (10.255.192.148) with Microsoft SMTP Server (TLS) id 15.1.534.14; Wed, 13 Jul 2016 13:58:44 +0000
Received: from BN1PR09MB0171.namprd09.prod.outlook.com ([10.255.192.149]) by BN1PR09MB0171.namprd09.prod.outlook.com ([10.255.192.149]) with mapi id 15.01.0534.023; Wed, 13 Jul 2016 13:58:44 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Watson Ladd <watsonbladd@gmail.com>, Atul Luykx <Atul.Luykx@esat.kuleuven.be>
Thread-Topic: [TLS] New draft: draft-ietf-tls-tls13-14.txt
Thread-Index: AQHR26erSXFdspEwbEKLZA1rqxpGgqAUgWIAgABTxYD//9AKAIAATFUAgAANRgD//8XVgIAARoOAgAANwgCAABz0gIAAvyMAgABYXICAAA+PAP//xg2A
Date: Wed, 13 Jul 2016 13:58:44 +0000
Message-ID: <D3ABBB57.27CAC%qdang@nist.gov>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <D3AA5BD6.27AC0%qdang@nist.gov> <D3AAB674.709EA%kenny.paterson@rhul.ac.uk> <D3AA7549.27B09%qdang@nist.gov> <d1f35d74e93b4067bf17f587b904ebff@XCH-RTP-006.cisco.com> <D3AAD721.70A11%kenny.paterson@rhul.ac.uk> <D3AA9B01.27B9F%qdang@nist.gov> <D3AAE2B7.70A78%kenny.paterson@rhul.ac.uk> <ede4e2ffadd142f781e7a9c04081c825@XCH-RTP-006.cisco.com> <0ad33f70cbe2aabba1f16f4cac876b0f@esat.kuleuven.be> <D3AB99DD.27C8B%qdang@nist.gov> <553ea052cc05b4f7315e19c943b0c2b0@esat.kuleuven.be> <CACsn0ckFJSEabLOw60-1Pt=e3gLj1W+5yVvWRGzB=avNMQ_X+g@mail.gmail.com>
In-Reply-To: <CACsn0ckFJSEabLOw60-1Pt=e3gLj1W+5yVvWRGzB=avNMQ_X+g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.3.160329
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.105.150]
x-ms-office365-filtering-correlation-id: 68b144fd-43e3-4a84-96bb-08d3ab25cdf9
x-microsoft-exchange-diagnostics: 1; BN1PR09MB0170; 6:ARW6foUVo4vwOJ1zPEJwTpHEyBIk/7aql+A6fTuiO6oyFdLBzZKWidhm6s6vYEWBnHLLSFWyrI5TWlDZ65YU3+ekjvSlXO5D5icKF6Sz0eseOCUOlH5do0BCRFp+RqsY4SdoMbwe3btWyf3JBtkC2ssIsnetnp/DRkJC1TqouG8DhA2eTkU8eeklcnbcPGlTYRfyVxfr4S6jc4IRFgerZmPYjnzQ+RdYx52tUnUK+3Jp73zNuQZYgMsoUAH+7n2pU5AMem0IsCpfDx10OQ/34OtFLZPDGVFsUDn8fp4mfxW1xfRIMDis2+QuFmTwotL+MyEapMHTgwXbCaJnby/qvg==; 5:05xJtsLcBhwXjfatE6z8tlxoDMz6d2GYNXPOzx65dMzLbK6j+CgG/lHgmSQY6Ny4hk5DWOsEterBTAT8+y/V3pj8wAmbyXdK/4abIxeJPGz/BJmSMXiyj99G1gPqXKgKbm6eU2vpRzl9o0yYBImz7g==; 24:Uit16EKYqteaj4EQUArTJY2AhclhiOLtoNs8Qb1goRLwehOZsVMhpKTIegrKXizxDEjz49M2i8tGO23Qm8z/G3ksBjLrwBOkjO8fWFQ++Xc=; 7:3l4+3sfkBZYnLF+ZZFaYzwVC6bk4AARuC+wzBv2izkF12Zk/bWtjIZzJ59ht5iiQW8p3fDJB3Nzw7+YKb1xGoCDQHKokQ0bLuLcddsh/ap2lTP0UtT6FrszHC63bgSLBSQN/Ueh2JiOYw72zjfU1Ltdba8y4xW8IJYe6XjnUvNDkFmra7BPtT0EmqPpwzt/hxs9ugwo0Oa9x5WRAj5NiJXjCBCyc4Dn1xv0ixgy/QIvBjHMgiuapRSCCnNSNn4Pt
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN1PR09MB0170;
x-ld-processed: 2ab5d82f-d8fa-4797-a93e-054655c61dec,ExtAddr
x-microsoft-antispam-prvs: <BN1PR09MB0170D57AFC2E12079A2FEF58F3310@BN1PR09MB0170.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(192374486261705)(266576461109395);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026); SRVR:BN1PR09MB0170; BCL:0; PCL:0; RULEID:; SRVR:BN1PR09MB0170;
x-forefront-prvs: 000227DA0C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(24454002)(377424004)(13464003)(377454003)(199003)(189002)(51444003)(3660700001)(54356999)(19580395003)(19580405001)(7846002)(7736002)(93886004)(2906002)(305945005)(50986999)(83506001)(106116001)(106356001)(81156014)(76176999)(81166006)(586003)(3280700002)(2900100001)(2950100001)(101416001)(36756003)(11100500001)(4326007)(5001770100001)(8936002)(92566002)(4001350100001)(8676002)(122556002)(3846002)(6116002)(99286002)(97736004)(68736007)(5002640100001)(66066001)(189998001)(230783001)(15975445007)(10400500002)(102836003)(87936001)(77096005)(1720100001)(105586002)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN1PR09MB0170; H:BN1PR09MB0171.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <4494E173C17C58498F8517D945B3E38D@namprd09.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jul 2016 13:58:44.3456 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1PR09MB0170
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5GLcVLF5U0yYqcQgc1nRNdc8RoQ>
Cc: David McGrew <mcgrew@cisco.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2016 13:58:52 -0000


On 7/13/16, 9:26 AM, "Watson Ladd" <watsonbladd@gmail.com> wrote:

>On Wed, Jul 13, 2016 at 5:30 AM, Atul Luykx <Atul.Luykx@esat.kuleuven.be>
>wrote:
>> Hey Quynh,
>>
>>> How can one use the distinguishing attack with the data complexity
>>>bound I
>>> suggested for recovering 1 bit of the encryption key in the context of
>>>TLS
>>> ?
>>
>> You cannot recover any bits of the encryption key unless you attack AES.
>>
>> No-one, as far as I know, has analyzed what kind of attacks one can
>>perform
>> against GCM around and beyond the birthday bound (except for the forgery
>> attacks, which require repeated nonces or known forgeries). However,
>>for CTR
>> mode, the underlying encryption of GCM, David McGrew typed up a document
>> describing an attack one could perform to recover information about the
>> plaintext:
>> http://eprint.iacr.org/2012/623
>> He describes it for 64 bit block ciphers, but the attacks work equally
>>well
>> for 128 bit block ciphers, at a higher data complexity of course.
>>
>> Basically, there are a lot of unknowns, and it could be that the bounds
>>you
>> recommend will be good enough in practice. However, it's important to be
>> clear about the risks involved in venturing into unknown territory.
>>
>> Atul
>
>Furthermore the cost of avoiding this is trivial. The rekeying
>mechanism has been designed to have minimal code complexity.

GCM with data complexity of about 3^38 records is not vulnerable to that
plaintext recovery attack. Therefore, there are no needs to rekey before
that data complexity is reached.

For counter-mode, I think the attack works if there is a large set of
known plaintexts. In protocols such as TLS and Ipsec, there are known
plaintexts, but I donĀ¹t think the amount of known plaintexts (even though
the amount of encrypted repeated-plaintexts can be big) is enough to
create risk for AES_128 by the targeted plaintext recovery attack. A known
plaintext can be encrypted multiple times with different keys, not with
the same key. 

Regards,
Quynh. 


>>
>>
>> On 2016-07-13 13:14, Dang, Quynh (Fed) wrote:
>>>
>>> Hi Atul,
>>>
>>> On 7/12/16, 3:50 PM, "Atul Luykx" <Atul.Luykx@esat.kuleuven.be> wrote:
>>>
>>>>> To be clear, this probability is that an attacker would be able to
>>>>> take a huge (4+ Petabyte) ciphertext, and a compatibly sized
>>>>>potential
>>>>> (but incorrect) plaintext, and with probability 2^{-32}, be able to
>>>>> determine that this plaintext was not the one used for the ciphertext
>>>>> (and with probability 0.999999999767..., know nothing about whether
>>>>> his guessed plaintext was correct or not).
>>>>
>>>>
>>>> You need to be careful when making such claims. There are schemes for
>>>> which when you reach the birthday bound you can perform partial key
>>>> recovery.
>>>>
>>>> The probabilities we calculated guarantee that there won't be any
>>>> attacks (with the usual assumptions...). Beyond the bounds, there are
>>>>no
>>>> guarantees. In particular, you cannot conclude that one, for example,
>>>> loses 1 bit of security once beyond the birthday bound.
>>>
>>>
>>> How can one use the distinguishing attack with the data complexity
>>>bound I
>>> suggested for recovering 1 bit of the encryption key in the context of
>>>TLS
>>> ?
>>>
>>>
>>> Regards,
>>> Quynh.
>>>
>>>
>>>
>>>
>>>>
>>>> Atul
>>>>
>>>> On 2016-07-12 20:06, Scott Fluhrer (sfluhrer) wrote:
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Paterson, Kenny [mailto:Kenny.Paterson@rhul.ac.uk]
>>>>>> Sent: Tuesday, July 12, 2016 1:17 PM
>>>>>> To: Dang, Quynh (Fed); Scott Fluhrer (sfluhrer); Eric Rescorla;
>>>>>> tls@ietf.org
>>>>>> Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> On 12/07/2016 18:04, "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
>>>>>>wrote:
>>>>>>
>>>>>> >Hi Kenny,
>>>>>> >
>>>>>> >On 7/12/16, 12:33 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
>>>>>> wrote:
>>>>>> >
>>>>>> >>Finally, you write "to come to the 2^38 record limit, they assume
>>>>>> that
>>>>>> >>each record is the maximum 2^14 bytes". For clarity, we did not
>>>>>> >>recommend a limit of 2^38 records. That's Quynh's preferred
>>>>>>number,
>>>>>> >>and is unsupported by our analysis.
>>>>>> >
>>>>>> >What is problem with my suggestion even with the record size being
>>>>>>the
>>>>>> >maximum value?
>>>>>>
>>>>>> There may be no problem with your suggestion. I was simply trying to
>>>>>> make it
>>>>>> clear that 2^38 records was your suggestion for the record limit and
>>>>>> not ours.
>>>>>> Indeed, if one reads our note carefully, one will find that we do
>>>>>>not
>>>>>> make any
>>>>>> specific recommendations. We consider the decision to be one for the
>>>>>> WG;
>>>>>> our preferred role is to supply the analysis and help interpret it
>>>>>>if
>>>>>> people
>>>>>> want that. Part of that involves correcting possible misconceptions
>>>>>> and
>>>>>> misinterpretations before they get out of hand.
>>>>>>
>>>>>> Now 2^38 does come out of our analysis if you are willing to accept
>>>>>> single key
>>>>>> attack security (in the indistinguishability sense) of 2^{-32}. So
>>>>>>in
>>>>>> that limited
>>>>>> sense, 2^38 is supported by our analysis. But it is not our
>>>>>> recommendation.
>>>>>>
>>>>>> But, speaking now in a personal capacity, I consider that security
>>>>>> margin to be
>>>>>> too small (i.e. I think that 2^{-32} is too big a success
>>>>>> probability).
>>>>>
>>>>>
>>>>> To be clear, this probability is that an attacker would be able to
>>>>> take a huge (4+ Petabyte) ciphertext, and a compatibly sized
>>>>>potential
>>>>> (but incorrect) plaintext, and with probability 2^{-32}, be able to
>>>>> determine that this plaintext was not the one used for the ciphertext
>>>>> (and with probability 0.999999999767..., know nothing about whether
>>>>> his guessed plaintext was correct or not).
>>>>>
>>>>> I'm just trying to get people to understand what we're talking about.
>>>>> This is not "with probability 2^{-32}, he can recover the plaintext"
>>>>>
>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Kenny
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> TLS mailing list
>>>>> TLS@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/tls
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>
>
>
>-- 
>"Man is born free, but everywhere he is in chains".
>--Rousseau.

v2.23.0 | Report a Bug | By Email