Re: [TLS] Data limit for GCM under a given key.
Watson Ladd <watsonbladd@gmail.com> Sat, 07 November 2015 00:27 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62BB81B3136 for <tls@ietfa.amsl.com>; Fri, 6 Nov 2015 16:27:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wgBo8pnI7ec8 for <tls@ietfa.amsl.com>; Fri, 6 Nov 2015 16:27:54 -0800 (PST)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5C4E1B3135 for <tls@ietf.org>; Fri, 6 Nov 2015 16:27:53 -0800 (PST)
Received: by wmnn186 with SMTP id n186so54851891wmn.1 for <tls@ietf.org>; Fri, 06 Nov 2015 16:27:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ZIF1uSNAJKa7A0aC67pC29wWwyaTFbCHmP4UiNJOPI0=; b=gsCTW0+G/flyBGKP1SV6rOlDBYOV7WvBmnCIRzb+nj/S7ZqKPYEDgR9lpeQA24GaB5 Uhw5MshYwF2dmffQQXBDay3euiVDOTt5ppubJL7RutxHwcP7zrZLB8tCuftKBK+koco+ C3KcLLp9R0O8y6rDyZyVe1UwScUxa3dU1iSHXpXRiBs6gTwcEAiL2LHnUxkbsoc83xgf TWN6eVxmrsFsg63M7XPEnn+D9KHzvwkJGgYHnX5KtWJhHHL5CRVvRjZ+sNDVgtrKfNVO C/Bg2G3U81FMU4GaYpFKUnuY0CraqD0tJaRngpb0nLA6sKPM3EN/Dk3UJzgv/hcRuzfv XuxA==
MIME-Version: 1.0
X-Received: by 10.28.129.131 with SMTP id c125mr9451276wmd.21.1446856072560; Fri, 06 Nov 2015 16:27:52 -0800 (PST)
Received: by 10.28.101.212 with HTTP; Fri, 6 Nov 2015 16:27:52 -0800 (PST)
In-Reply-To: <BN1PR09MB124DAC88D9D7F09FFD1B964F32A0@BN1PR09MB124.namprd09.prod.outlook.com>
References: <CABcZeBODjk8rapgbNTST8bmFFVzKqB4tJyrvje-CTgk1=gfqFw@mail.gmail.com> <CABkgnnV+QrjcXJdZwwAGW-SpX0Z0_JroEVT-kMJgUAVe7DDQUw@mail.gmail.com> <CABcZeBOrL=TosONYfM_QPPYfT5N4VH7yR4hFw3Qt8W4V0uznkw@mail.gmail.com> <CABkgnnXis0mwqcsd1D0S61kqL6kvq9=ZU0BRbwbLH7Jesj0Y-w@mail.gmail.com> <CABcZeBNpV3uqOF4YohiCrtq03hR7LPnPGdny6yWB+zysVufiqA@mail.gmail.com> <CABkgnnWVJeeBuMitweCj=nOSB5cA-R-6btdQeWp0Bdnomd2XtQ@mail.gmail.com> <CAMfhd9V4WVxKbJh6KkNdVFGBGKh=tG5kC_7sPthOwhrrUi5eoQ@mail.gmail.com> <CABcZeBOc_9i83j4rjxve8PuBPWdd8eCVN2wQth3G0=T_xz1UKg@mail.gmail.com> <811734cd29d64adc98c5388870611575@XCH-ALN-004.cisco.com> <CABcZeBNZJkrVsA9UEN-ywpzUOZy4wJ=2=QDg-KhjNUCvMKi=HA@mail.gmail.com> <CABcZeBNOJNwL9Akbhnpd2fg8rk80BNYRkODRpqDb9nk2K_m1mg@mail.gmail.com> <BN1PR09MB124321AF53FE4EB4F47AFE9F32C0@BN1PR09MB124.namprd09.prod.outlook.com> <CACsn0ckVoXHvLWMwC4ksv3Rr305uL-_7UDNFT+0RnbkjDs2Vxw@mail.gmail.com> <BN1PR09MB124B270CE55528F10656DECF32C0@BN1PR09MB124.namprd09.prod.outlook.com> <BN1PR09MB124A4974829B07CC2E8CC68F32A0@BN1PR09MB124.namprd09.prod.outlook.com> <CACsn0ckKjzXsOEWzbY-rQ6gYW8ze_hB2f=gzie2pjfM9wPuQWg@mail.gmail.com> <BN1PR09MB124DAC88D9D7F09FFD1B964F32A0@BN1PR09MB124.namprd09.prod.outlook.com>
Date: Fri, 06 Nov 2015 19:27:52 -0500
Message-ID: <CACsn0cksvHSbd+MfjurHKLM0_imO5TRcK0PS6UXojLtRBBE_EQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Dang, Quynh" <quynh.dang@nist.gov>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/BrbpGOIwk6-k8EjMajGVmjsyBPk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Data limit for GCM under a given key.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Nov 2015 00:27:56 -0000
On Wed, Nov 4, 2015 at 3:43 PM, Dang, Quynh <quynh.dang@nist.gov> wrote: > I did not talk under indistinguishability framework. My discussion was about confidentiality protection and authentication. What is the definition of "confidentiality protection" being used here? > > Quynh. > ________________________________________ > From: Watson Ladd <watsonbladd@gmail.com> > Sent: Wednesday, November 4, 2015 3:17:00 PM > To: Dang, Quynh > Cc: Eric Rescorla; tls@ietf.org > Subject: Re: [TLS] Data limit for GCM under a given key. > > On Wed, Nov 4, 2015 at 2:29 PM, Dang, Quynh <quynh.dang@nist.gov> wrote: >> Hi Eric and all, >> >> >> The limit of 2^48 packets under a given key for GCM you mentioned today is >> the limit for SRTP >> (https://tools.ietf.org/html/draft-ietf-avtcore-srtp-aes-gcm-17#section-6). >> The nonce space of the IV construction is only 48 bits and that is why it >> has the limit of 2^48. The limit here should be 2^48 blocks, not records as >> stated in the document. >> >> >> As I explained before, GCM is counter mode for encryption. For a given key, >> the nonce never repeats globally, then confidentiality of the encrypted data >> is preserved. When the nonce space is 2^n values, then 2^n message blocks >> can have secure confidentiality protection. > > This is completely untrue. If you actually understood the definitions, > and thought about the matter for 15 minutes, you would realize that > permutations are distinguishable from functions after 2^(n/2) queries > with high probabilities, and this breaks IND-$. This is an elementary > result found on page 134 of Boneh-Shoup. > >> >> >> Regarding to authentication, as I explained before, if the tag size is n, >> then you have collision issue among the tags when the number of tags goes >> around 2^(n/2) which is not a good thing, but strictly speaking, this does >> not break your authentication. > > Carter-Wegman security results are weaker than for PRF-based MACs. >> >> >> However, rekeying often is a good thing which could help prevent disaster to >> keep go on if there is something wrong with the IV or the key. >> >> >> Quynh. >> >> >> >> >> ________________________________ >> From: Dang, Quynh >> Sent: Monday, November 2, 2015 3:00 PM >> To: Watson Ladd >> Cc: tls@ietf.org; cfrg@ietf.org; Eric Rescorla >> Subject: Re: [Cfrg] Collision issue in ciphertexts. >> >> >> Now, you talked about a MAC function (with AES). I previously talked about >> encryption. >> >> >> If I , the only person, uses the MAC key, when I generate more than 2^64 MAC >> values (Let's say each MAC value is 96 bits), I have many collided MAC >> pairs. But, I am the only one (beside the person(s) verifying my MACs) who >> knows the MAC key in order to generate those verified MAC values. >> >> >> If the MAC length is k bits, an attacker is allowed to send 2^n failed >> verifications, his or her chance of success is approximately 2^n / 2^k. >> Let's imagine n is 64 and k is 96, the success chance is 1/2^36 which is >> practically ZERO! >> >> >> If I am an attacker, I would choose a message that I want to be verified, >> and I keep changing the MAC key to generate different MAC values with >> different keys and hope one of them will get verified. Let's assume the MAC >> key to be 96 bits ( 96 bits of random bits, the other 32 bits are known). In >> theory, when I get close to 2^96 attempts, I would expect some chance of >> success. To deal with this attacker, one would change the MAC key when the >> number of failed attempts gets close to a number that you don't want. For >> example, if you don't want a success chance of an attack to be above 1 / >> 2^36, then you need to change your MAC key when the number of failed >> verifications reaches 2^64 when your MAC length is 96 bits. >> >> >> After you change the MAC key, I ( the attacker) will have to start >> everything again because all of the failed MACs I generated before are >> useless now. >> >> >> ________________________________ >> From: Watson Ladd <watsonbladd@gmail.com> >> Sent: Monday, November 2, 2015 5:07 AM >> To: Dang, Quynh >> Cc: tls@ietf.org; cfrg@ietf.org; Eric Rescorla >> Subject: Re: [Cfrg] Collision issue in ciphertexts. >> >> >> >> On Nov 2, 2015 2:14 AM, "Dang, Quynh" <quynh.dang@nist.gov> wrote: >>> >>> Hi Eric, >>> >>> >>> As you asked the question about how many ciphertext blocks should be safe >>> under a single key, I think it is safe to have 2^96 blocks under a given key >>> if the IV (counter) is 96 bits. >> >> This is wrong for PRP, right for PRF. It's not that hard to find the right >> result. >> >>> >>> >>> When there is a collision between two ciphertext blocks when two different >>> counter values are used , the chance of the same plaintext was used twice is >>> 1^128. Collisions start to happen a lot when the number of ciphertext >>> blocks are above 2^64. However, each collision just reveals that the >>> corresponding plaintext blocks are probably different ones. >> >> Which breaks IND-$. Let's not be clever, but stick to ensuring proven >> definitions are true. >> >>> >>> >>> >>> Quynh. >>> >>> >>> _______________________________________________ >>> Cfrg mailing list >>> Cfrg@irtf.org >>> https://www.irtf.org/mailman/listinfo/cfrg >>> >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > > > -- > "Man is born free, but everywhere he is in chains". > --Rousseau. -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Colm MacCárthaigh
- Re: [TLS] Version in record MAC David Benjamin
- Re: [TLS] Version in record MAC Martin Thomson
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Martin Thomson
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Martin Thomson
- Re: [TLS] Version in record MAC Russ Housley
- Re: [TLS] Version in record MAC Adam Langley
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC David McGrew (mcgrew)
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Ilari Liusvaara
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Adam Langley
- Re: [TLS] Version in record MAC Eric Rescorla
- Re: [TLS] Version in record MAC Eric Rescorla
- [TLS] Collision issue in ciphertexts. Dang, Quynh
- Re: [TLS] [Cfrg] Collision issue in ciphertexts. Watson Ladd
- Re: [TLS] [Cfrg] Collision issue in ciphertexts. Dang, Quynh
- [TLS] Data limit for GCM under a given key. Dang, Quynh
- Re: [TLS] Data limit for GCM under a given key. Watson Ladd
- Re: [TLS] Data limit for GCM under a given key. Dang, Quynh
- Re: [TLS] Data limit for GCM under a given key. Watson Ladd
- Re: [TLS] Data limit for GCM under a given key. Tony Arcieri
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Yoav Nir
- Re: [TLS] Data limit for GCM under a given key. Dave Garrett
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Eric Rescorla
- Re: [TLS] Data limit for GCM under a given key. Dave Garrett
- Re: [TLS] Data limit for GCM under a given key. Dang, Quynh
- Re: [TLS] Data limit for GCM under a given key. Quynh Dang
- Re: [TLS] Data limit for GCM under a given key. Yoav Nir