IETF Logo Mail Archive

Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Yoav Nir <ynir.ietf@gmail.com> Fri, 15 December 2017 04:50 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91185126FB3 for <tls@ietfa.amsl.com>; Thu, 14 Dec 2017 20:50:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mcjyavfETz1A for <tls@ietfa.amsl.com>; Thu, 14 Dec 2017 20:50:56 -0800 (PST)
Received: from mail-wr0-x241.google.com (mail-wr0-x241.google.com [IPv6:2a00:1450:400c:c0c::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3303C126C22 for <tls@ietf.org>; Thu, 14 Dec 2017 20:50:56 -0800 (PST)
Received: by mail-wr0-x241.google.com with SMTP id z34so6961836wrz.10 for <tls@ietf.org>; Thu, 14 Dec 2017 20:50:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=U47s6t0m+CFNrqF6Li0btdNxlJ/A7buo0hVgSqREv58=; b=amLImGF1SV37GJMWMeo5U3ZPZFl8hinJH5HKsTjtkqnumRyI4OKmDwYU/Ylsm2fMRM 9I+SlIty1sUdI0r9Ne3W+jXdraa+h8TNL4n1kOaOs4PHsax3nMosXh53lWdA2p0IFScw xdtZTUyhs2Q4mARbjIvPJz6Ft4+qpsOFGJPmlGHlf40BBdCrIwymfnD8fxAvBnuAwP9c +gkz4UaIIG3ssP0QveHhDYIVD+l6W27OufjVLlaxTX6QbGTTVs4Iqk2xFyfZHIs8/VHK 41fZdgXOFSPJf0dby7Ewaep+D5Mpnt/BsKNMMqGXLVefBDM3TZOW0yzCjL60Jme72Tuf RfJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=U47s6t0m+CFNrqF6Li0btdNxlJ/A7buo0hVgSqREv58=; b=I/UrNsdy350bOHl9hP6Xf6QqpyOXAKkyNRZ7pPWW6Uck3bV2PTkO4VI3B8q6GGUWBQ rGa3INNG4zFS4YpgpcJ+HQBHg+xccfFNORRdddR9qXSc6BMGJu/YmLsafhOneTKLFe5g HHsZ+fJuahFJtVFs+C/dwMXTHX93Sau8jriv8jeavoJqmRvQCcRhOjCkXPSlR/6TngmJ xOSl/7El90WTYuE9pUIN3J8a0XA7OxlL2ZT+GoLJd1X7jtJ15RzMXFmzi/6p3zz7IMKx d/ZV4Na8pXIGc03xwe2L7gpk1AQicmFpu0m3GLkERlmxaSFKgDMetsQmNQhqho3cnMpJ yr7g==
X-Gm-Message-State: AKGB3mLsdOYTFnzp1tNlfmvO1qCjn41fozUuCMjtvtxpIM+Wjm4J1VLk 9IahMGLuFP9foNMDQr8chSh1Ui8o
X-Google-Smtp-Source: ACJfBotUuTNoRNz2KyH77vwJhKRxi8Mga93QvbVXsA6gDhZd6xotq9yoVHB/1EaGZF0tH9dninr69Q==
X-Received: by 10.223.143.50 with SMTP id p47mr7875365wrb.104.1513313454700; Thu, 14 Dec 2017 20:50:54 -0800 (PST)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id i65sm18873642wme.20.2017.12.14.20.50.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Dec 2017 20:50:53 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <14591ED5-4238-4578-9D31-899E713C425B@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_10D9055E-1371-4105-B31D-A1E86E3C5355"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Fri, 15 Dec 2017 06:50:50 +0200
In-Reply-To: <CAAF6GDe79w9XH1GrGvvR-+=uEKfi6GczacUX3Jhy0dL_zW67-Q@mail.gmail.com>
Cc: Hanno Böck <hanno@hboeck.de>, "tls@ietf.org" <tls@ietf.org>
To: Colm MacCárthaigh <colm@allcosts.net>
References: <CAAF6GDeeo2xjv1Xu7SFXVZ_zM=XUVJHT=eqH4_-G3+4UHsfvgg@mail.gmail.com> <CACsn0cmMbbT1iAfmxnXHe00dNiqBMyoNkk7e2CyTKWrcdRTtcQ@mail.gmail.com> <CAAF6GDf+GxToBAN83O3NtLO4zJ-8Qax8KjMCGhXv_EhY+NDsKg@mail.gmail.com> <20171215020116.04f9ae15@pc1> <CAAF6GDe79w9XH1GrGvvR-+=uEKfi6GczacUX3Jhy0dL_zW67-Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6C-4en65n6mTSqqAv950ghg83IA>
Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2017 04:50:58 -0000


> On 15 Dec 2017, at 3:05, Colm MacCárthaigh <colm@allcosts.net> wrote:
> 
> 
> 
> On Thu, Dec 14, 2017 at 5:01 PM, Hanno Böck <hanno@hboeck.de <mailto:hanno@hboeck.de>> wrote:
> On Thu, 14 Dec 2017 16:45:57 -0800
> Colm MacCárthaigh <colm@allcosts.net <mailto:colm@allcosts.net>> wrote:
> 
> > But what would that look like? What would we do now, in advance, to
> > make it easy to turn off AES? For example.
> 
> I think this is the wrong way to look at it.
> 
> >From what I'm aware nobody is really concerned about the security of
> AES. I don't think that there's any need to prepare for turning off AES.
> 
> Well, DJB is a notable concerned critic of AES and its safety in some respects ... but I was using AES as kind of a worst-case scenario since so many things do depend on it and it's especially hard to leave. I'm not aware of some ground-breaking cryptanalysis :) But I do think the question is worth having an answer for. I think we *do* need to prepare for turning off AES, there's always a chance we might have to.

I think that was the point of standardizing ChaCha20-Poly1305.  In fact, that’s what is says in the second paragraph of the introduction in RFC 7539:

https://tools.ietf.org/html/rfc7539#section-1 <https://tools.ietf.org/html/rfc7539#section-1>

Yoav

v2.23.0 | Report a Bug | By Email