Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Wed, 13 July 2016 13:58 UTC
Return-Path: <quynh.dang@nist.gov>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E361C12D81D for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 06:58:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KMPhRmkqKa7D for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 06:58:47 -0700 (PDT)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0109.outbound.protection.outlook.com [23.103.201.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B998C12D80A for <tls@ietf.org>; Wed, 13 Jul 2016 06:58:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=XyL9SgNVdSnOawiedQhTwY74oS71/Feup6VEOhtYMe0=; b=W8eOZ+y0X2bh75Y0+3o3PjbWvVreZcXSKLSJC65HDLx/V517bD52y1Fb12NwdphtQnayooJVgsKyKxVZCrnfW+CLDH1Btz6DnYTAfZVNzxTlTouL1M8RjOk7tIcapWmD28H+GwhEVzQKOWihIYV5OA6fbDXMCqeFsInsG0jemLY=
Received: from BN1PR09MB0171.namprd09.prod.outlook.com (10.255.192.149) by BN1PR09MB0170.namprd09.prod.outlook.com (10.255.192.148) with Microsoft SMTP Server (TLS) id 15.1.534.14; Wed, 13 Jul 2016 13:58:44 +0000
Received: from BN1PR09MB0171.namprd09.prod.outlook.com ([10.255.192.149]) by BN1PR09MB0171.namprd09.prod.outlook.com ([10.255.192.149]) with mapi id 15.01.0534.023; Wed, 13 Jul 2016 13:58:44 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Watson Ladd <watsonbladd@gmail.com>, Atul Luykx <Atul.Luykx@esat.kuleuven.be>
Thread-Topic: [TLS] New draft: draft-ietf-tls-tls13-14.txt
Thread-Index: AQHR26erSXFdspEwbEKLZA1rqxpGgqAUgWIAgABTxYD//9AKAIAATFUAgAANRgD//8XVgIAARoOAgAANwgCAABz0gIAAvyMAgABYXICAAA+PAP//xg2A
Date: Wed, 13 Jul 2016 13:58:44 +0000
Message-ID: <D3ABBB57.27CAC%qdang@nist.gov>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <D3AA5BD6.27AC0%qdang@nist.gov> <D3AAB674.709EA%kenny.paterson@rhul.ac.uk> <D3AA7549.27B09%qdang@nist.gov> <d1f35d74e93b4067bf17f587b904ebff@XCH-RTP-006.cisco.com> <D3AAD721.70A11%kenny.paterson@rhul.ac.uk> <D3AA9B01.27B9F%qdang@nist.gov> <D3AAE2B7.70A78%kenny.paterson@rhul.ac.uk> <ede4e2ffadd142f781e7a9c04081c825@XCH-RTP-006.cisco.com> <0ad33f70cbe2aabba1f16f4cac876b0f@esat.kuleuven.be> <D3AB99DD.27C8B%qdang@nist.gov> <553ea052cc05b4f7315e19c943b0c2b0@esat.kuleuven.be> <CACsn0ckFJSEabLOw60-1Pt=e3gLj1W+5yVvWRGzB=avNMQ_X+g@mail.gmail.com>
In-Reply-To: <CACsn0ckFJSEabLOw60-1Pt=e3gLj1W+5yVvWRGzB=avNMQ_X+g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.3.160329
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.105.150]
x-ms-office365-filtering-correlation-id: 68b144fd-43e3-4a84-96bb-08d3ab25cdf9
x-microsoft-exchange-diagnostics: 1; BN1PR09MB0170; 6:ARW6foUVo4vwOJ1zPEJwTpHEyBIk/7aql+A6fTuiO6oyFdLBzZKWidhm6s6vYEWBnHLLSFWyrI5TWlDZ65YU3+ekjvSlXO5D5icKF6Sz0eseOCUOlH5do0BCRFp+RqsY4SdoMbwe3btWyf3JBtkC2ssIsnetnp/DRkJC1TqouG8DhA2eTkU8eeklcnbcPGlTYRfyVxfr4S6jc4IRFgerZmPYjnzQ+RdYx52tUnUK+3Jp73zNuQZYgMsoUAH+7n2pU5AMem0IsCpfDx10OQ/34OtFLZPDGVFsUDn8fp4mfxW1xfRIMDis2+QuFmTwotL+MyEapMHTgwXbCaJnby/qvg==; 5:05xJtsLcBhwXjfatE6z8tlxoDMz6d2GYNXPOzx65dMzLbK6j+CgG/lHgmSQY6Ny4hk5DWOsEterBTAT8+y/V3pj8wAmbyXdK/4abIxeJPGz/BJmSMXiyj99G1gPqXKgKbm6eU2vpRzl9o0yYBImz7g==; 24:Uit16EKYqteaj4EQUArTJY2AhclhiOLtoNs8Qb1goRLwehOZsVMhpKTIegrKXizxDEjz49M2i8tGO23Qm8z/G3ksBjLrwBOkjO8fWFQ++Xc=; 7:3l4+3sfkBZYnLF+ZZFaYzwVC6bk4AARuC+wzBv2izkF12Zk/bWtjIZzJ59ht5iiQW8p3fDJB3Nzw7+YKb1xGoCDQHKokQ0bLuLcddsh/ap2lTP0UtT6FrszHC63bgSLBSQN/Ueh2JiOYw72zjfU1Ltdba8y4xW8IJYe6XjnUvNDkFmra7BPtT0EmqPpwzt/hxs9ugwo0Oa9x5WRAj5NiJXjCBCyc4Dn1xv0ixgy/QIvBjHMgiuapRSCCnNSNn4Pt
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN1PR09MB0170;
x-ld-processed: 2ab5d82f-d8fa-4797-a93e-054655c61dec,ExtAddr
x-microsoft-antispam-prvs: <BN1PR09MB0170D57AFC2E12079A2FEF58F3310@BN1PR09MB0170.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(192374486261705)(266576461109395);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026); SRVR:BN1PR09MB0170; BCL:0; PCL:0; RULEID:; SRVR:BN1PR09MB0170;
x-forefront-prvs: 000227DA0C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(24454002)(377424004)(13464003)(377454003)(199003)(189002)(51444003)(3660700001)(54356999)(19580395003)(19580405001)(7846002)(7736002)(93886004)(2906002)(305945005)(50986999)(83506001)(106116001)(106356001)(81156014)(76176999)(81166006)(586003)(3280700002)(2900100001)(2950100001)(101416001)(36756003)(11100500001)(4326007)(5001770100001)(8936002)(92566002)(4001350100001)(8676002)(122556002)(3846002)(6116002)(99286002)(97736004)(68736007)(5002640100001)(66066001)(189998001)(230783001)(15975445007)(10400500002)(102836003)(87936001)(77096005)(1720100001)(105586002)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN1PR09MB0170; H:BN1PR09MB0171.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <4494E173C17C58498F8517D945B3E38D@namprd09.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jul 2016 13:58:44.3456 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1PR09MB0170
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5GLcVLF5U0yYqcQgc1nRNdc8RoQ>
Cc: David McGrew <mcgrew@cisco.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2016 13:58:52 -0000
On 7/13/16, 9:26 AM, "Watson Ladd" <watsonbladd@gmail.com> wrote: >On Wed, Jul 13, 2016 at 5:30 AM, Atul Luykx <Atul.Luykx@esat.kuleuven.be> >wrote: >> Hey Quynh, >> >>> How can one use the distinguishing attack with the data complexity >>>bound I >>> suggested for recovering 1 bit of the encryption key in the context of >>>TLS >>> ? >> >> You cannot recover any bits of the encryption key unless you attack AES. >> >> No-one, as far as I know, has analyzed what kind of attacks one can >>perform >> against GCM around and beyond the birthday bound (except for the forgery >> attacks, which require repeated nonces or known forgeries). However, >>for CTR >> mode, the underlying encryption of GCM, David McGrew typed up a document >> describing an attack one could perform to recover information about the >> plaintext: >> http://eprint.iacr.org/2012/623 >> He describes it for 64 bit block ciphers, but the attacks work equally >>well >> for 128 bit block ciphers, at a higher data complexity of course. >> >> Basically, there are a lot of unknowns, and it could be that the bounds >>you >> recommend will be good enough in practice. However, it's important to be >> clear about the risks involved in venturing into unknown territory. >> >> Atul > >Furthermore the cost of avoiding this is trivial. The rekeying >mechanism has been designed to have minimal code complexity. GCM with data complexity of about 3^38 records is not vulnerable to that plaintext recovery attack. Therefore, there are no needs to rekey before that data complexity is reached. For counter-mode, I think the attack works if there is a large set of known plaintexts. In protocols such as TLS and Ipsec, there are known plaintexts, but I donĀ¹t think the amount of known plaintexts (even though the amount of encrypted repeated-plaintexts can be big) is enough to create risk for AES_128 by the targeted plaintext recovery attack. A known plaintext can be encrypted multiple times with different keys, not with the same key. Regards, Quynh. >> >> >> On 2016-07-13 13:14, Dang, Quynh (Fed) wrote: >>> >>> Hi Atul, >>> >>> On 7/12/16, 3:50 PM, "Atul Luykx" <Atul.Luykx@esat.kuleuven.be> wrote: >>> >>>>> To be clear, this probability is that an attacker would be able to >>>>> take a huge (4+ Petabyte) ciphertext, and a compatibly sized >>>>>potential >>>>> (but incorrect) plaintext, and with probability 2^{-32}, be able to >>>>> determine that this plaintext was not the one used for the ciphertext >>>>> (and with probability 0.999999999767..., know nothing about whether >>>>> his guessed plaintext was correct or not). >>>> >>>> >>>> You need to be careful when making such claims. There are schemes for >>>> which when you reach the birthday bound you can perform partial key >>>> recovery. >>>> >>>> The probabilities we calculated guarantee that there won't be any >>>> attacks (with the usual assumptions...). Beyond the bounds, there are >>>>no >>>> guarantees. In particular, you cannot conclude that one, for example, >>>> loses 1 bit of security once beyond the birthday bound. >>> >>> >>> How can one use the distinguishing attack with the data complexity >>>bound I >>> suggested for recovering 1 bit of the encryption key in the context of >>>TLS >>> ? >>> >>> >>> Regards, >>> Quynh. >>> >>> >>> >>> >>>> >>>> Atul >>>> >>>> On 2016-07-12 20:06, Scott Fluhrer (sfluhrer) wrote: >>>>>> >>>>>> -----Original Message----- >>>>>> From: Paterson, Kenny [mailto:Kenny.Paterson@rhul.ac.uk] >>>>>> Sent: Tuesday, July 12, 2016 1:17 PM >>>>>> To: Dang, Quynh (Fed); Scott Fluhrer (sfluhrer); Eric Rescorla; >>>>>> tls@ietf.org >>>>>> Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt >>>>>> >>>>>> Hi >>>>>> >>>>>> On 12/07/2016 18:04, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> >>>>>>wrote: >>>>>> >>>>>> >Hi Kenny, >>>>>> > >>>>>> >On 7/12/16, 12:33 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> >>>>>> wrote: >>>>>> > >>>>>> >>Finally, you write "to come to the 2^38 record limit, they assume >>>>>> that >>>>>> >>each record is the maximum 2^14 bytes". For clarity, we did not >>>>>> >>recommend a limit of 2^38 records. That's Quynh's preferred >>>>>>number, >>>>>> >>and is unsupported by our analysis. >>>>>> > >>>>>> >What is problem with my suggestion even with the record size being >>>>>>the >>>>>> >maximum value? >>>>>> >>>>>> There may be no problem with your suggestion. I was simply trying to >>>>>> make it >>>>>> clear that 2^38 records was your suggestion for the record limit and >>>>>> not ours. >>>>>> Indeed, if one reads our note carefully, one will find that we do >>>>>>not >>>>>> make any >>>>>> specific recommendations. We consider the decision to be one for the >>>>>> WG; >>>>>> our preferred role is to supply the analysis and help interpret it >>>>>>if >>>>>> people >>>>>> want that. Part of that involves correcting possible misconceptions >>>>>> and >>>>>> misinterpretations before they get out of hand. >>>>>> >>>>>> Now 2^38 does come out of our analysis if you are willing to accept >>>>>> single key >>>>>> attack security (in the indistinguishability sense) of 2^{-32}. So >>>>>>in >>>>>> that limited >>>>>> sense, 2^38 is supported by our analysis. But it is not our >>>>>> recommendation. >>>>>> >>>>>> But, speaking now in a personal capacity, I consider that security >>>>>> margin to be >>>>>> too small (i.e. I think that 2^{-32} is too big a success >>>>>> probability). >>>>> >>>>> >>>>> To be clear, this probability is that an attacker would be able to >>>>> take a huge (4+ Petabyte) ciphertext, and a compatibly sized >>>>>potential >>>>> (but incorrect) plaintext, and with probability 2^{-32}, be able to >>>>> determine that this plaintext was not the one used for the ciphertext >>>>> (and with probability 0.999999999767..., know nothing about whether >>>>> his guessed plaintext was correct or not). >>>>> >>>>> I'm just trying to get people to understand what we're talking about. >>>>> This is not "with probability 2^{-32}, he can recover the plaintext" >>>>> >>>>> >>>>>> >>>>>> Regards, >>>>>> >>>>>> Kenny >>>>> >>>>> >>>>> _______________________________________________ >>>>> TLS mailing list >>>>> TLS@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/tls >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls > > > >-- >"Man is born free, but everywhere he is in chains". >--Rousseau.
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Peter Gutmann
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Watson Ladd
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Hubert Kario
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Benjamin Kaduk
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Eric Rescorla
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Benjamin Kaduk
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Scott Fluhrer (sfluhrer)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Scott Fluhrer (sfluhrer)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- [TLS] New draft: draft-ietf-tls-tls13-14.txt Eric Rescorla
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dave Garrett
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny