Re: [TLS] Data limit for GCM under a given key.
Watson Ladd <watsonbladd@gmail.com> Wed, 04 November 2015 20:17 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3FA41B3404 for <tls@ietfa.amsl.com>; Wed, 4 Nov 2015 12:17:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id krTkOmKWN-fj for <tls@ietfa.amsl.com>; Wed, 4 Nov 2015 12:17:02 -0800 (PST)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 521B81B33FD for <tls@ietf.org>; Wed, 4 Nov 2015 12:17:02 -0800 (PST)
Received: by wmeg8 with SMTP id g8so51167749wme.1 for <tls@ietf.org>; Wed, 04 Nov 2015 12:17:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=OAMv2YAYErOeXCZxJ8me2YM1b4XldRObu+gpbEO1KNA=; b=NjKTfEJWTeLt3hEgnZDfLscatQ9hYdCEBLd2HHBndGmbQe3+JFyxHfX76eqYf0zry+ NtIcojonBSC3sbaz2nN4mrdT1YV47wS+77/TPczFoDT4wcMN9POJifekN47NfQwJMsXl gZZT8CrQeA94aXpq5D+j7rcOhaW14j8zTN2SNA2E/5EmlVIYPcmt+CmWMWOY69s8FA03 Zs6JA2qytwI6zCv4SzYYDukBeZLaBjXuV7hNqnko2Hatdk6eIw4DPtrVZfzkOHIJ6dQp Z7x4QxTQOXfAY7zOiLPhD0KekGBjgfRXxYATd53+3pFnOMkhcZfPa3tCByRWRX3PEMpW 5mzg==
MIME-Version: 1.0
X-Received: by 10.28.143.8 with SMTP id r8mr30096752wmd.3.1446668220761; Wed, 04 Nov 2015 12:17:00 -0800 (PST)
Received: by 10.28.101.212 with HTTP; Wed, 4 Nov 2015 12:17:00 -0800 (PST)
In-Reply-To: <BN1PR09MB124A4974829B07CC2E8CC68F32A0@BN1PR09MB124.namprd09.prod.outlook.com>
References: <CABcZeBODjk8rapgbNTST8bmFFVzKqB4tJyrvje-CTgk1=gfqFw@mail.gmail.com> <CABkgnnV+QrjcXJdZwwAGW-SpX0Z0_JroEVT-kMJgUAVe7DDQUw@mail.gmail.com> <CABcZeBOrL=TosONYfM_QPPYfT5N4VH7yR4hFw3Qt8W4V0uznkw@mail.gmail.com> <CABkgnnXis0mwqcsd1D0S61kqL6kvq9=ZU0BRbwbLH7Jesj0Y-w@mail.gmail.com> <CABcZeBNpV3uqOF4YohiCrtq03hR7LPnPGdny6yWB+zysVufiqA@mail.gmail.com> <CABkgnnWVJeeBuMitweCj=nOSB5cA-R-6btdQeWp0Bdnomd2XtQ@mail.gmail.com> <CAMfhd9V4WVxKbJh6KkNdVFGBGKh=tG5kC_7sPthOwhrrUi5eoQ@mail.gmail.com> <CABcZeBOc_9i83j4rjxve8PuBPWdd8eCVN2wQth3G0=T_xz1UKg@mail.gmail.com> <811734cd29d64adc98c5388870611575@XCH-ALN-004.cisco.com> <CABcZeBNZJkrVsA9UEN-ywpzUOZy4wJ=2=QDg-KhjNUCvMKi=HA@mail.gmail.com> <CABcZeBNOJNwL9Akbhnpd2fg8rk80BNYRkODRpqDb9nk2K_m1mg@mail.gmail.com> <BN1PR09MB124321AF53FE4EB4F47AFE9F32C0@BN1PR09MB124.namprd09.prod.outlook.com> <CACsn0ckVoXHvLWMwC4ksv3Rr305uL-_7UDNFT+0RnbkjDs2Vxw@mail.gmail.com> <BN1PR09MB124B270CE55528F10656DECF32C0@BN1PR09MB124.namprd09.prod.outlook.com> <BN1PR09MB124A4974829B07CC2E8CC68F32A0@BN1PR09MB124.namprd09.prod.outlook.com>
Date: Wed, 04 Nov 2015 15:17:00 -0500
Message-ID: <CACsn0ckKjzXsOEWzbY-rQ6gYW8ze_hB2f=gzie2pjfM9wPuQWg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Dang, Quynh" <quynh.dang@nist.gov>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6Xy6Rrb9T93GVBUQI2i2Pcj6rvo>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Data limit for GCM under a given key.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2015 20:17:05 -0000
On Wed, Nov 4, 2015 at 2:29 PM, Dang, Quynh <quynh.dang@nist.gov> wrote: > Hi Eric and all, > > > The limit of 2^48 packets under a given key for GCM you mentioned today is > the limit for SRTP > (https://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-17#section-6). > The nonce space of the IV construction is only 48 bits and that is why it > has the limit of 2^48. The limit here should be 2^48 blocks, not records as > stated in the document. > > > As I explained before, GCM is counter mode for encryption. For a given key, > the nonce never repeats globally, then confidentiality of the encrypted data > is preserved. When the nonce space is 2^n values, then 2^n message blocks > can have secure confidentiality protection. This is completely untrue. If you actually understood the definitions, and thought about the matter for 15 minutes, you would realize that permutations are distinguishable from functions after 2^(n/2) queries with high probabilities, and this breaks IND-$. This is an elementary result found on page 134 of Boneh-Shoup. > > > Regarding to authentication, as I explained before, if the tag size is n, > then you have collision issue among the tags when the number of tags goes > around 2^(n/2) which is not a good thing, but strictly speaking, this does > not break your authentication. Carter-Wegman security results are weaker than for PRF-based MACs. > > > However, rekeying often is a good thing which could help prevent disaster to > keep go on if there is something wrong with the IV or the key. > > > Quynh. > > > > > ________________________________ > From: Dang, Quynh > Sent: Monday, November 2, 2015 3:00 PM > To: Watson Ladd > Cc: tls@ietf.org; cfrg@ietf.org; Eric Rescorla > Subject: Re: [Cfrg] Collision issue in ciphertexts. > > > Now, you talked about a MAC function (with AES). I previously talked about > encryption. > > > If I , the only person, uses the MAC key, when I generate more than 2^64 MAC > values (Let's say each MAC value is 96 bits), I have many collided MAC > pairs. But, I am the only one (beside the person(s) verifying my MACs) who > knows the MAC key in order to generate those verified MAC values. > > > If the MAC length is k bits, an attacker is allowed to send 2^n failed > verifications, his or her chance of success is approximately 2^n / 2^k. > Let's imagine n is 64 and k is 96, the success chance is 1/2^36 which is > practically ZERO! > > > If I am an attacker, I would choose a message that I want to be verified, > and I keep changing the MAC key to generate different MAC values with > different keys and hope one of them will get verified. Let's assume the MAC > key to be 96 bits ( 96 bits of random bits, the other 32 bits are known). In > theory, when I get close to 2^96 attempts, I would expect some chance of > success. To deal with this attacker, one would change the MAC key when the > number of failed attempts gets close to a number that you don't want. For > example, if you don't want a success chance of an attack to be above 1 / > 2^36, then you need to change your MAC key when the number of failed > verifications reaches 2^64 when your MAC length is 96 bits. > > > After you change the MAC key, I ( the attacker) will have to start > everything again because all of the failed MACs I generated before are > useless now. > > > ________________________________ > From: Watson Ladd <watsonbladd@gmail.com> > Sent: Monday, November 2, 2015 5:07 AM > To: Dang, Quynh > Cc: tls@ietf.org; cfrg@ietf.org; Eric Rescorla > Subject: Re: [Cfrg] Collision issue in ciphertexts. > > > > On Nov 2, 2015 2:14 AM, "Dang, Quynh" <quynh.dang@nist.gov> wrote: >> >> Hi Eric, >> >> >> As you asked the question about how many ciphertext blocks should be safe >> under a single key, I think it is safe to have 2^96 blocks under a given key >> if the IV (counter) is 96 bits. > > This is wrong for PRP, right for PRF. It's not that hard to find the right > result. > >> >> >> When there is a collision between two ciphertext blocks when two different >> counter values are used , the chance of the same plaintext was used twice is >> 1^128. Collisions start to happen a lot when the number of ciphertext >> blocks are above 2^64. However, each collision just reveals that the >> corresponding plaintext blocks are probably different ones. > > Which breaks IND-$. Let's not be clever, but stick to ensuring proven > definitions are true. > >> >> >> >> Quynh. >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Colm MacCárthaigh
- Re: [TLS] Version in record MAC David Benjamin
- Re: [TLS] Version in record MAC Martin Thomson
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Martin Thomson
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Martin Thomson
- Re: [TLS] Version in record MAC Russ Housley
- Re: [TLS] Version in record MAC Adam Langley
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC David McGrew (mcgrew)
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Ilari Liusvaara
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Adam Langley
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Eric Rescorla
- [TLS] Collision issue in ciphertexts. Dang, Quynh
- Re: [TLS] [Cfrg] Collision issue in ciphertexts. Watson Ladd
- Re: [TLS] [Cfrg] Collision issue in ciphertexts. Dang, Quynh
- [TLS] Data limit for GCM under a given key. Dang, Quynh
- Re: [TLS] Data limit for GCM under a given key. Watson Ladd
- Re: [TLS] Data limit for GCM under a given key. Dang, Quynh
- Re: [TLS] Data limit for GCM under a given key. Watson Ladd
- Re: [TLS] Data limit for GCM under a given key. Tony Arcieri
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Yoav Nir
- Re: [TLS] Data limit for GCM under a given key. Dave Garrett
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Dave Garrett
- Re: [TLS] Data limit for GCM under a given key. Dang, Quynh
- Re: [TLS] Data limit for GCM under a given key. Quynh Dang
- Re: [TLS] Data limit for GCM under a given key. Yoav Nir