Re: [TLS] Data limit for GCM under a given key.
Yoav Nir <ynir.ietf@gmail.com> Sat, 07 November 2015 18:38 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B0D11B2A32 for <tls@ietfa.amsl.com>; Sat, 7 Nov 2015 10:38:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rJ9-HyPJZLFk for <tls@ietfa.amsl.com>; Sat, 7 Nov 2015 10:38:49 -0800 (PST)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBA231B2A1E for <tls@ietf.org>; Sat, 7 Nov 2015 10:38:48 -0800 (PST)
Received: by wimw2 with SMTP id w2so48060611wim.1 for <tls@ietf.org>; Sat, 07 Nov 2015 10:38:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=hzpqMH42aMYbvrYoE9fZCl6Y9qYnVJA82mVwUhjkGyE=; b=Hq2hg7t7caI5kluK5pKMbJMnZWn0/LqXNbyRV+LEVALa010BYCEBRY9HOtHHqOEJJf /uQkkiZFtQLlTS1GrUO05+QMUUPgSzQIZLJzGqSNNCmNWarux/WC2XMLir66Yt+rCkPr ZoFJEq15UnD8umwL56IrLoHiJ8zTyqX7TlxiSJCF7Hgdkh1qYj3uXDeWrUFTfiGMHUji tg+1Q7f/dMmdSlZ3hNi8lZBHcxlzQAiLRcoqOCtfNaO0FDY8CAnVXT4YRpoRszkUdkb0 DV3gCN9SS6MoLBPWutG/LBGsLV7N6lGc8opACKHjoZlPZFiWPD84yzGnB6vbs84c6GcH O3fg==
X-Received: by 10.194.205.9 with SMTP id lc9mr5593986wjc.120.1446921527451; Sat, 07 Nov 2015 10:38:47 -0800 (PST)
Received: from [10.219.15.163] (smb-adpcdg1-06.hotspot.hub-one.net. [213.174.99.134]) by smtp.gmail.com with ESMTPSA id t126sm5156010wmd.23.2015.11.07.10.38.45 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 07 Nov 2015 10:38:46 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_26FFB217-9B84-4993-BA9D-15FC51048070"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CABcZeBPTiVNk5EQU+tx9FdzbLTqDrf8+NmZqWu-1uHHtSiko=Q@mail.gmail.com>
Date: Sat, 07 Nov 2015 19:38:45 +0100
Message-Id: <FB3A7024-0895-4B18-BA9E-E258C5AE2612@gmail.com>
References: <CABcZeBODjk8rapgbNTST8bmFFVzKqB4tJyrvje-CTgk1=gfqFw@mail.gmail.com> <CAHOTMV++hODJgstmROMv6BPUveDQgH=+KoN8UKCecRxtQQ+N9g@mail.gmail.com> <CABcZeBN749=rdOD3fsqwV3hj1X538G_-hbh2QvSmbMj6qWwOvA@mail.gmail.com> <201511062139.11139.davemgarrett@gmail.com> <5FA3B020-DDCC-4745-B969-9A54A98C9948@gmail.com> <CABcZeBPTiVNk5EQU+tx9FdzbLTqDrf8+NmZqWu-1uHHtSiko=Q@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/8OpEESOUOYVSbA8NOW0CxthupBE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Data limit for GCM under a given key.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Nov 2015 18:38:50 -0000
> On 7 Nov 2015, at 12:50 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Fri, Nov 6, 2015 at 7:46 PM, Yoav Nir <ynir.ietf@gmail.com <mailto:ynir.ietf@gmail.com>> wrote: > > > On 7 Nov 2015, at 11:39 AM, Dave Garrett <davemgarrett@gmail.com <mailto:davemgarrett@gmail.com>> wrote: > > > > On Friday, November 06, 2015 08:13:44 pm Eric Rescorla wrote: > >> Update: we discussed this extensively in Yokohama and based on Watson's > >> feedback and offline comments from David McGrew, the consensus was that we > >> needed to add some sort of rekeying mechanism to support long-lived flows. > >> Expect a PR on this next week. > >> > >> Note: We'll still need guidance to implementations on when to re-key, but > >> we don't expect to have a hard protocol limit. > > > > If re-keying is back up for discussion, let me restate my request for it to be routine, rather than only an niche-case feature. Any re-key schedule should be considered valid, but the spec should set a "SHOULD"-level requirement that the minimum be once every N hours or M terabytes, whichever comes first (where N & M are some bike-shedable numbers with some expectation of randomization in values for each period). > > N and M will be different depending on the algorithms, no? > > I think before we start with pull requests we should be certain of what the requirements are for this rekeying. > > These were discussed extensively both in the interim and at IETF. The purpose of rekeying in this context is to deal with cryptographic exhaustion, namely having more ciphertext under the same key than is safe for a > given algorithm (where safe is defined by an analysis like the one Watson > has posted upthread). Sure, but once you provide a rekeying capability, the connection can keep going forever. That means you could be running for weeks and terabytes without injecting any freshness, and the the internal state remains in memory for all that time. A compromise of the state in the future allows decrypting everything since the beginning of the connection. This is not the same as having to tear down the connection at the cryptographic exhaustion. It is possible to get this kind of forward secrecy if the rekeying includes modifying the internal state in a non-reversible way such as hashing the master secret into a new master secret (or using HKDF-Extract), but that hurts the goal of having each side recycle the keys at its own pace (which is a strange goal, because my security depends on the security of my receiving keys as much as it depends on the security of my transmitting keys). Yoav
- [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Colm MacCárthaigh
- Re: [TLS] Version in record MAC David Benjamin
- Re: [TLS] Version in record MAC Martin Thomson
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Martin Thomson
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Martin Thomson
- Re: [TLS] Version in record MAC Russ Housley
- Re: [TLS] Version in record MAC Adam Langley
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC David McGrew (mcgrew)
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Ilari Liusvaara
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Adam Langley
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Eric Rescorla
- [TLS] Collision issue in ciphertexts. Dang, Quynh
- Re: [TLS] [Cfrg] Collision issue in ciphertexts. Watson Ladd
- Re: [TLS] [Cfrg] Collision issue in ciphertexts. Dang, Quynh
- [TLS] Data limit for GCM under a given key. Dang, Quynh
- Re: [TLS] Data limit for GCM under a given key. Watson Ladd
- Re: [TLS] Data limit for GCM under a given key. Dang, Quynh
- Re: [TLS] Data limit for GCM under a given key. Watson Ladd
- Re: [TLS] Data limit for GCM under a given key. Tony Arcieri
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Yoav Nir
- Re: [TLS] Data limit for GCM under a given key. Dave Garrett
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Dave Garrett
- Re: [TLS] Data limit for GCM under a given key. Dang, Quynh
- Re: [TLS] Data limit for GCM under a given key. Quynh Dang
- Re: [TLS] Data limit for GCM under a given key. Yoav Nir