Re: [TLS] Data volume limits

Simon Josefsson <> Wed, 16 December 2015 08:44 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 020961A7025 for <>; Wed, 16 Dec 2015 00:44:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QymABl3KNJ2S for <>; Wed, 16 Dec 2015 00:44:51 -0800 (PST)
Received: from ( [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4A9361A8A65 for <>; Wed, 16 Dec 2015 00:44:49 -0800 (PST)
Received: from ([]) (authenticated bits=0) by (8.14.4/8.14.4/Debian-4) with ESMTP id tBG8iJGP015700 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 16 Dec 2015 09:44:20 +0100
From: Simon Josefsson <>
To: Eric Rescorla <>
References: <>
OpenPGP: id=54265E8C; url=
Date: Wed, 16 Dec 2015 09:44:18 +0100
In-Reply-To: <> (Eric Rescorla's message of "Tue, 15 Dec 2015 13:14:30 -0800")
Message-ID: <>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at
X-Virus-Status: Clean
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Data volume limits
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Dec 2015 08:44:53 -0000

Eric Rescorla <> writes:

> Watson kindly prepared some text that described the limits on what's safe
> for AES-GCM and restricting all algorithms with TLS 1.3 to that lower
> limit (2^{36} bytes), even though ChaCha doesn't have the same
> restriction.

Can we see a brief writeup explaining the 2^36 number?

I don't like re-keying.  It is usually a sign that your primitives are
too weak and you are attempting to hide that fact.  To me, it is similar
to discard the first X byte of RC4 output.

If AES-GCM cannot provide confidentiality beyond 64GB (which would
surprise me somewhat), I believe we ought to be careful about
recommending it.

Of course, the devil is in the details: if the risk is that the secret
key is leaked, that's fatal; if the risk is that the attacker can tell
whether two particular plaintext 128 byte blocks are the same or not in
the entire file, that can be a risk we can live with (similar to the
discard X bytes of RC4 fix).

I believe 64GB is within the range that people download in a web browser
these days.  More data intensive longer-running protocols often transfer
significantly more.