Re: [TLS] Data volume limits

"Dang, Quynh" <> Tue, 29 December 2015 12:00 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

Hi all,

Rekeying too often unnecessarily does not increase any cryptographic security. In addition, it could create other cryptographic issues for the system. The first issue is key collision risk when AES-128 is used and the second issue could be multi-target (multi-key) risk theoretically. 

Therefore, I would suggest not to rekey (as currently specified) too often unnecessarily. 

I think providing a data limit guidance sub-section under the Security Consideration section is one good option to be considered. Users just follow the guidance to set their own data limit(s). 


From: TLS <> on behalf of Dang, Quynh <>
Sent: Friday, December 18, 2015 10:49 AM
Subject: Re: [TLS] Data volume limits

The collision probability of ciphertext blocks also depends on the size of the plaintext (record size in a TLS implementation) in each call of the GCM encryption function. Let's call each plaintext to be 2^x 128-bit blocks.

TLS 1.3 uses 96-bit IV.

If someone wants the collision probability below 1/2^y such as 1/2^24 or 1/2^32 (2^32 = 4,294,967,296 and 2^24 = 16,777,216), the total number of plaintext blocks under a given key must be 2^((96 + x - y)/2) or lower.

So, 2^((96 + x - y)/2) 128-bit blocks are the limit to achieve IND-* with GCM.

If someone does not need IND-* property, the above restriction is not needed.
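
The bound stated in the message above, 2^((96 + x - y)/2) blocks per key, turned into per-key byte and record limits with a counter that reports when keys must change. This is an added example, not code from the thread; `per_key_limit`, `KeyUsage` and the assumption that every record has the same size (here 2^14 bytes, so x = 10) are illustrative.

```python
import math

BLOCK_BYTES = 16   # one AES block is 128 bits
IV_BITS = 96       # IV size the message gives for TLS 1.3

def per_key_limit(record_bytes, y, iv_bits=IV_BITS):
    """Apply the message's bound 2^((96 + x - y)/2) for equal-sized records.

    record_bytes: plaintext size of every record (assumed constant)
    y: target, collision probability below 1/2^y
    """
    blocks_per_record = math.ceil(record_bytes / BLOCK_BYTES)
    x = math.log2(blocks_per_record)            # each record is 2^x blocks
    log2_blocks = (iv_bits + x - y) / 2
    max_blocks = math.floor(2 ** log2_blocks)
    return {
        "x": x,
        "log2_blocks": log2_blocks,
        "max_blocks": max_blocks,
        "max_records": max_blocks // blocks_per_record,
        "max_bytes": max_blocks * BLOCK_BYTES,
    }

class KeyUsage:
    """Hypothetical per-key counter: reports when the next record would pass the limit."""
    def __init__(self, record_bytes, y):
        self.blocks_per_record = math.ceil(record_bytes / BLOCK_BYTES)
        self.max_blocks = per_key_limit(record_bytes, y)["max_blocks"]
        self.used_blocks = 0

    def must_rekey(self):
        return self.used_blocks + self.blocks_per_record > self.max_blocks

    def count_record(self):
        if self.must_rekey():
            raise RuntimeError("data limit reached: change keys before sending")
        self.used_blocks += self.blocks_per_record

if __name__ == "__main__":
    for y in (24, 32):
        lim = per_key_limit(2 ** 14, y)   # 2^14-byte records, so x = 10
        print(f"y={y}: 2^{lim['log2_blocks']:g} blocks, "
              f"{lim['max_records']} records, {lim['max_bytes'] / 2**40:g} TiB")
```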


From: TLS <> on behalf of Yoav Nir <>
Sent: Thursday, December 17, 2015 6:07 AM
To: Nikos Mavrogiannopoulos
Cc:; Simon Josefsson
Subject: Re: [TLS] Data volume limits

> On 17 Dec 2015, at 10:19 AM, Nikos Mavrogiannopoulos <> wrote:
> On Wed, 2015-12-16 at 09:57 -1000, Brian Smith wrote:
>> Therefore, I think we shouldn't add the rekeying mechanism as it is
>> unnecessary and it adds too much complexity.
> Any arbitrary limit for a TLS connection is almost guaranteed to cause
> problems in the future. We cannot predict whether 2^x should be
> sufficient for everyone, and I'm pretty sure this will prove to be a
> terrible mistake. TLS is already being used for VPNs and transferring
> larger amounts of data in long lived connections is a reality even
> today. The rekey today happens using the reauthentication mechanism,
> which has very complex semantics. Converting these to a simpler and
> predictable rekey mechanism would be an improvement.

Agreed. The alternative to having a rekey mechanism is to push the complexity to the application protocol, requiring it to be able to use more than one connection to transfer all the data, which may require some sort of session layer to maintain state between connections.

So unless we can guarantee or require that every algorithm we are going to use is good for some ridiculous amount of data (2^64 bytes may be enough), we need rekeying.


TLS mailing list