Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Thu, 25 December 2014 04:12 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4BE21A8029 for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 20:12:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y3Uw2TLRnuF4 for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 20:12:48 -0800 (PST)
Received: from emh06.mail.saunalahti.fi (emh06.mail.saunalahti.fi [62.142.5.116]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7328F1A6FF0 for <tls@ietf.org>; Wed, 24 Dec 2014 20:12:47 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh06.mail.saunalahti.fi (Postfix) with ESMTP id 67FD769976; Thu, 25 Dec 2014 06:12:44 +0200 (EET)
Date: Thu, 25 Dec 2014 06:12:44 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Michael Clark <michael@metaparadigm.com>
Message-ID: <20141225041244.GA16354@LK-Perkele-VII>
References: <9A043F3CF02CD34C8E74AC1594475C73AAF49636@uxcn10-tdc05.UoA.auckland.ac.nz> <549B61E4.8080301@metaparadigm.com> <CACsn0c=O55tU7zpo_hZ6m958H7W=3K3PgTO6G0n=a-5FofkQTg@mail.gmail.com> <549B7890.9000304@metaparadigm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <549B7890.9000304@metaparadigm.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/AZdsRPXyxyzHKKQ1NC1UBd1aTuo
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Dec 2014 04:12:51 -0000

On Thu, Dec 25, 2014 at 10:38:08AM +0800, Michael Clark wrote:
> On 25/12/14 9:57 am, Watson Ladd wrote:
> 
> Sorry I don't have numbers, however if you are attacking a target where
> you know the message length of a oft repeated transaction and have a
> 128-bit GCM auth tag (theoretically ~64-bits strength if you have
> captured texts) then there is a possibility you could forge auth tags.
> DHTs are fast and disks are cheap. There may be some facilities that
> have 100 million threads and more drives (if you knew Intel's order
> book). I say dictionary lookup would be feasible within the next few
> years which has to be the time domain that is considered. sha1 is being
> deprecated elsewhere. Sure people have more time to attack CA certs.

Without side-channel leakage, nonce reuse or breaking AES, you simply
don't have enough information to tell the correct answer from wrong ones
(128 bits remain arbitrary). So you can't bruteforce the keyspace
offline.

(The similar goes for Chacha20-Poly1305 (modulo Chacha20)).

-Ilari