Re: [TLS] Comments on nonce construction and cipher text size restriction.

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Tue, 24 May 2016 19:00 UTC

From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Martin Thomson <martin.thomson@gmail.com>, "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
Date: Tue, 24 May 2016 19:00:27 +0000
Message-ID: <D36A1CA2.267DC%qdang@nist.gov>
References: <D369E95C.267A5%qdang@nist.gov> <CABkgnnVAVYDuWUV0EJ=9iJ69KOwYxR=tzRRB+A96qwKmco8qEg@mail.gmail.com> <D36A0B54.267BA%qdang@nist.gov> <CABkgnnUa8G7UJ9BuQ8zHzuwe54-D_gPKFBE9DPSK6C=a-O28Kw@mail.gmail.com>
In-Reply-To: <CABkgnnUa8G7UJ9BuQ8zHzuwe54-D_gPKFBE9DPSK6C=a-O28Kw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/5XwEpdHh1NRoUJwjF-appADgvgE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Comments on nonce construction and cipher text size restriction.
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>


On 5/24/16, 2:42 PM, "Martin Thomson" <martin.thomson@gmail.com> wrote:

>On 24 May 2016 at 10:46, Dang, Quynh (Fed) <quynh.dang@nist.gov> wrote:
>>>We discussed this at quite some length.  I originally took your
>>>position, but the IVs add an extra layer of safety at very little
>>>cost.
>>
>> I don't see any extra layer here.
>
>
>The argument here is that there are only 2^128 keys and some protocols
>have predictable plaintext.  A predictable nonce would allow an
>attacker to do some pre-calculation with a large number of keys to get
>a chance of a collision (and a break).  It's a long bow, but not
>entirely implausible.

Ciphers that use nonces are designed/proved to be secure when nonces are
predictable: nonces are not random values.

>
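The construction being argued about, as an added example that is not part of the thread and not code from either participant: a Python model of the TLS 1.3 per-record nonce (the 64-bit record sequence number, left-padded with zeros to iv_length and XORed with the connection's static client/server_write_iv, the form later fixed in RFC 8446 section 5.3) together with a toy version of the multi-key precomputation Martin describes. Everything about the "cipher" is an assumption for the demo: a keyed BLAKE2b PRF stands in for the AEAD's first keystream block, the key space is cut to 2^16 so the attacker's table builds in well under a second, and the 16-byte known plaintext and the seeded session keys are constructed inputs.

```python
"""Toy model of the TLS 1.3 per-record nonce (RFC 8446 5.3) and of the
multi-key precomputation argument for XORing a per-connection IV into it.
Added example; not code from the thread. The "cipher" is a keyed BLAKE2b PRF
standing in for the AEAD keystream, and the 16-bit key space is an assumption
chosen so the attacker's table can be built instantly."""
import hashlib
import random
from typing import Dict, Optional

IV_LEN = 12            # iv_length for AES-GCM and ChaCha20-Poly1305 in TLS 1.3
TOY_KEY_BYTES = 2      # toy key space of 2^16 keys (assumption for the demo)
KNOWN_PLAINTEXT = b"GET / HTTP/1.1\r\n"   # constructed: 16 predictable bytes


def tls13_nonce(seq: int, write_iv: bytes) -> bytes:
    """Per-record nonce: 64-bit sequence number, left-padded with zeros to
    iv_length, XORed with the connection's static client/server_write_iv."""
    if not 0 <= seq < 2 ** 64:
        raise ValueError("record sequence number must fit in 64 bits")
    if len(write_iv) != IV_LEN:
        raise ValueError("write_iv must be iv_length bytes")
    padded = seq.to_bytes(IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(padded, write_iv))


def keystream_block(key: bytes, nonce: bytes, counter: int = 1) -> bytes:
    """Stand-in for E_K(nonce || counter), the first keystream block of a
    counter-mode AEAD such as AES-GCM. Keyed BLAKE2b keeps this stdlib-only."""
    msg = nonce + counter.to_bytes(4, "big")
    return hashlib.blake2b(msg, key=key, digest_size=16).digest()


def encrypt_block(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Counter-mode encryption (and decryption) of one 16-byte block."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream_block(key, nonce)))


def build_table(nonce: bytes) -> Dict[bytes, bytes]:
    """Attacker precomputation, done once: keystream block -> key for every
    candidate key under ONE fixed nonce. It pays off only if many sessions
    encrypt their first record under that same nonce."""
    table = {}
    for k in range(256 ** TOY_KEY_BYTES):
        key = k.to_bytes(TOY_KEY_BYTES, "big")
        table[keystream_block(key, nonce)] = key
    return table


def recover_key(table: Dict[bytes, bytes], ciphertext: bytes) -> Optional[bytes]:
    """ciphertext XOR known plaintext = keystream block; one lookup per session."""
    ks = bytes(c ^ p for c, p in zip(ciphertext, KNOWN_PLAINTEXT))
    return table.get(ks)


def _rand_bytes(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def simulate(n_sessions: int, use_random_iv: bool, seed: int = 0) -> int:
    """Return how many toy session keys the precomputed table recovers.
    use_random_iv=False models a nonce that is just the sequence number;
    use_random_iv=True models the TLS 1.3 construction with a fresh write_iv."""
    rng = random.Random(seed)                      # seeded so the demo repeats
    # Without an IV the nonce of record 0 is the same in every session: all zeros.
    table = build_table(tls13_nonce(0, bytes(IV_LEN)))
    recovered = 0
    for _ in range(n_sessions):
        key = _rand_bytes(rng, TOY_KEY_BYTES)
        write_iv = _rand_bytes(rng, IV_LEN) if use_random_iv else bytes(IV_LEN)
        ct = encrypt_block(key, tls13_nonce(0, write_iv), KNOWN_PLAINTEXT)
        if recover_key(table, ct) == key:
            recovered += 1
    return recovered


if __name__ == "__main__":
    print("nonce = seq only   :", simulate(32, use_random_iv=False), "of 32 keys recovered")
    print("nonce = seq XOR IV :", simulate(32, use_random_iv=True), "of 32 keys recovered")
```

In the first run the attacker's one-time table recovers every toy session key with a single lookup per session, because record 0 is encrypted under the same nonce in every session and a known plaintext leaks the keystream block; in the second run the same table recovers none, because the nonce now carries a per-connection value the attacker could not fix in advance. The model does not speak to the single-key setting, where a nonce-based AEAD is secure for any non-repeating nonce; what the IV changes is the cost of one precomputation amortised across many sessions, which is the multi-key scenario the quoted argument describes.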