Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

Rene Struik <rstruik.ext@gmail.com> Fri, 10 February 2017 15:51 UTC

To: Sean Turner <sean@sn3rd.com>, "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FR90rm95gfkpiz1osGpiNoT6lss>
Cc: IRTF CFRG <cfrg@irtf.org>

Dear colleagues:

I would suggest adding the following paragraph at the end of Section 5.5:

[current text of Section 5.5]

There are cryptographic limits on the amount of plaintext which can be 
safely encrypted under a given set of keys. [AEAD-LIMITS] 
<https://tlswg.github.io/tls13-spec/#AEAD-LIMITS> provides an analysis of 
these limits under the assumption that the underlying primitive (AES or 
ChaCha20) has no weaknesses. Implementations SHOULD do a key update 
(Section 4.6.3 <https://tlswg.github.io/tls13-spec/#key-update>) prior to 
reaching these limits.

For AES-GCM, up to 2^24.5 full-size records (about 24 million) may be 
encrypted on a given connection while keeping a safety margin of 
approximately 2^-57 for Authenticated Encryption (AE) security. For 
ChaCha20/Poly1305, the record sequence number would wrap before the 
safety limit is reached.

[suggested additional text]

The above upper limits do not take into account potential side channel 
attacks, which - in some implementations - have been shown to be 
successful at recovering keying material with a relatively small number 
of messages encrypted using the same key. While results are highly 
implementation-specific, thereby making it hard to provide precise 
guidance, prudence suggests that implementations should not reuse keys 
ad infinitum. Implementations SHALL therefore always implement the key 
update mechanism of Section 4.6.3.

{editorial note: perhaps, one should impose the limit 2^20, just to make 
sure people do not "forget" to implement key updates?}


See also my email of August 29, 2016:
https://mailarchive.ietf.org/arch/msg/cfrg/SUuLDg0wTvjR7H46oNyEtyGVdno

On 2/10/2017 12:07 AM, Sean Turner wrote:
> All,
>
> We’ve got two outstanding PRs that propose changes to draft-ietf-tls-tls13 Section 5.5 “Limits on Key Usage”.  As it relates to rekeying, these limits have been discussed a couple of times and we need to resolve once and for all whether the TLS WG wants to:
>
> a) Close these two PRs and go with the existing text [0]
> b) Adopt PR#765 [1]
> c) Adopt PR#769 [2]
>
> Please indicate your preference to the TLS mailing list before Feb 17.  Note that unless there’s clear consensus to change, the text will remain as is (i.e., option a).
>
> J&S
>
> [0] https://tlswg.github.io/tls13-spec/#rfc.section.5.5
> [1] https://github.com/tlswg/tls13-spec/pull/765
> [2] https://github.com/tlswg/tls13-spec/pull/769
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
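The message above argues that a sender should count records protected under one key and apply the Section 4.6.3 key update before a fixed limit, so that key update cannot be "forgotten". The following Python is an added illustration of that accounting, written for this page; it is not code from the TLS 1.3 draft, from the message's author, or from any TLS implementation. It assumes the final RFC 8446 HKDF-Expand-Label labels ("tls13 " prefix, "key", "iv", "traffic upd") and AES-128-GCM key and IV sizes, and it takes the 2^20 per-key record limit from the editorial note in the message as a hypothetical default. The AEAD call itself is left out; the block only derives keys, builds the per-record nonce, counts records, refuses to let the sequence number wrap, and rotates the traffic secret when the limit is reached.

```python
"""
Sender-side key-usage accounting with a forced KeyUpdate.
Added illustration, not code from the TLS 1.3 draft or any TLS library.
Assumed (not stated in the message above): RFC 8446 labels, AES-128-GCM
sizes, SHA-256 as the hash, and a hypothetical default limit of 2**20
records per key taken from the message's editorial note.
"""
import hashlib
import hmac
import struct
from typing import List, Tuple

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size           # 32 bytes for SHA-256
KEY_LEN, IV_LEN = 16, 12                # AES-128-GCM key and IV lengths
SEQ_LIMIT = 2 ** 64                     # 64-bit record sequence number
SPEC_AES_GCM_LIMIT = int(2 ** 24.5)     # draft text: about 24 million records
SUGGESTED_LIMIT = 2 ** 20               # editorial note in the message above


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand over HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.1: HkdfLabel = uint16 length, "tls13 " + label, context."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_key_iv(traffic_secret: bytes) -> Tuple[bytes, bytes]:
    """RFC 8446 section 7.3: write key and IV from a traffic secret."""
    return (hkdf_expand_label(traffic_secret, b"key", b"", KEY_LEN),
            hkdf_expand_label(traffic_secret, b"iv", b"", IV_LEN))


def next_traffic_secret(traffic_secret: bytes) -> bytes:
    """RFC 8446 section 7.2: application_traffic_secret_N+1."""
    return hkdf_expand_label(traffic_secret, b"traffic upd", b"", HASH_LEN)


def record_nonce(iv: bytes, seq: int) -> bytes:
    """RFC 8446 section 5.3: left-pad the 64-bit sequence number to the IV
    length and XOR it with the IV. Wrapping the sequence number is never
    allowed; the caller must rekey or close the connection first."""
    if not 0 <= seq < SEQ_LIMIT:
        raise OverflowError("record sequence number would wrap; rekey or close")
    padded = seq.to_bytes(IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(iv, padded))


class SenderKeySchedule:
    """Counts records protected under the current write key and applies a
    key update (new traffic secret, new key/IV, sequence number reset to
    zero) as soon as `limit` records have been sent under it."""

    def __init__(self, traffic_secret: bytes, limit: int = SUGGESTED_LIMIT):
        if not 1 <= limit <= SEQ_LIMIT:
            raise ValueError("limit must be between 1 and 2**64")
        self.secret = traffic_secret
        self.key, self.iv = derive_key_iv(traffic_secret)
        self.limit = limit
        self.generation = 0                 # number of KeyUpdates applied so far
        self.seq = 0                        # records sent under the current key
        self.update_log: List[Tuple[int, int]] = []   # (generation, seq) at each update

    def key_update(self) -> None:
        self.secret = next_traffic_secret(self.secret)
        self.key, self.iv = derive_key_iv(self.secret)
        self.generation += 1
        self.seq = 0                        # sequence number restarts with the new key

    def protect(self, plaintext: bytes) -> Tuple[int, bytes, bytes]:
        """Return (generation, key, nonce) an AEAD would use for this record,
        then account for it and rotate keys if the limit has been reached."""
        nonce = record_nonce(self.iv, self.seq)
        gen, key = self.generation, self.key
        self.seq += 1
        if self.seq >= self.limit:
            self.update_log.append((gen, self.seq))
            self.key_update()
        return gen, key, nonce


def simulate(n_records: int, limit: int) -> Tuple[int, int]:
    """Send n_records under a constructed (non-secret) traffic secret and
    return (key updates performed, records sent under the final key)."""
    sched = SenderKeySchedule(b"\x01" * HASH_LEN, limit)   # constructed test secret
    for i in range(n_records):
        sched.protect(b"record %d" % i)
    return len(sched.update_log), sched.seq


if __name__ == "__main__":
    print("spec limit for AES-GCM records:", SPEC_AES_GCM_LIMIT)
    print("updates, seq after 10 records with limit 4:", simulate(10, 4))
```

With `limit=4`, ten records produce key updates after the fourth and eighth record, so the last two records go out under generation 2 with sequence numbers 0 and 1. For ChaCha20/Poly1305 the draft text says the sequence number wraps before the analysis limit is reached, so the `OverflowError` in `record_nonce` is the operative guard there; for AES-GCM a limit at or below `SPEC_AES_GCM_LIMIT` is what keeps the sender inside the draft's stated margin.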