Re: [TLS] Data volume limits

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Wed, 16 December 2015 00:46 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 556111A00EE for <tls@ietfa.amsl.com>; Tue, 15 Dec 2015 16:46:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16w3v4bKKAXB for <tls@ietfa.amsl.com>; Tue, 15 Dec 2015 16:46:55 -0800 (PST)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C91CC1A00D0 for <tls@ietf.org>; Tue, 15 Dec 2015 16:46:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2316; q=dns/txt; s=iport; t=1450226814; x=1451436414; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=JLNhT0Fow/rQyWINd+tiJFHBb82mbqfTs0K/4hiqQC0=; b=a5oRZii6x1Fmq19eYbLp9Z5Agkb6hGEUQk3CEJaWxAe3MPaMQop7wCpN B98JctQf5lKcSYJTN8nFXFI2TymBGyI/oxd09cFfQDPGDtslMaBxe3anp X0juN2jx+Pb8f/vIitqc5jxPePqlzxJ8FZtOeVedEaGDv2zRIKAA4LcKG Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ASAgBctHBW/51dJa1egzqBPwa9UwENg?= =?us-ascii?q?WOGDQKBQTgUAQEBAQEBAYEKhDQBAQEEbAoPBAIBCBEEAQEBJwcyFAkIAgQBEgi?= =?us-ascii?q?IJ71dAQEBAQEBAQEBAQEBAQEBAQEBAQEBGIZWhH2JQAWNb4kNAY1AnSABHwEBQ?= =?us-ascii?q?oQEcoNsgQgBAQE?=
X-IronPort-AV: E=Sophos;i="5.20,434,1444694400"; d="scan'208";a="53740744"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Dec 2015 00:46:47 +0000
Received: from XCH-RTP-008.cisco.com (xch-rtp-008.cisco.com [64.101.220.148]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id tBG0klA6013516 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 16 Dec 2015 00:46:47 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-008.cisco.com (64.101.220.148) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 15 Dec 2015 19:46:46 -0500
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1104.009; Tue, 15 Dec 2015 19:46:46 -0500
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "henrick@streamsec.se" <henrick@streamsec.se>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Data volume limits
Thread-Index: AQHRN321+GNchELNkkOmU2Gwkrt9SJ7MlZaAgABh3ID//7FHcIAAYjgAgAAFywD//7Rf8A==
Date: Wed, 16 Dec 2015 00:46:46 +0000
Message-ID: <adf3fd80d5b44a288a9ab87219c7e013@XCH-RTP-006.cisco.com>
References: <CABcZeBNR76DqPo0Mukf5L2G-WBSC+RCZKhVGqBZq=tJYfEHLUg@mail.gmail.com> <e007baa2f53249d49917e6023e578bc0@XCH-RTP-006.cisco.com> <CACsn0ckSo-affRmsTZaodCJZsFisPygnhk9=OZuV0_9SVMbUxQ@mail.gmail.com> <6674a4ec51fe4e158929bf429260d6ea@XCH-RTP-006.cisco.com> <CABcZeBNSHGGwM41c9QS0G-pnsEkuyA-q6FMhMgv2NQBDmwWwqA@mail.gmail.com> <5670AB96.9000602@streamsec.se>
In-Reply-To: <5670AB96.9000602@streamsec.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.55]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/KOuP03KFon5ucjIghGoGN_omFhs>
Subject: Re: [TLS] Data volume limits
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 00:46:56 -0000

> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Henrick Hellström
> Sent: Tuesday, December 15, 2015 7:09 PM
> To: tls@ietf.org
> Subject: Re: [TLS] Data volume limits
> 
> On 2015-12-16 00:48, Eric Rescorla wrote:
> >
> >
> > On Tue, Dec 15, 2015 at 3:08 PM, Scott Fluhrer (sfluhrer)
> > <sfluhrer@cisco.com <mailto:sfluhrer@cisco.com>> wrote:
> >     The quadratic behavior in the security proofs are there for just
> >     about any block cipher mode, and is the reason why you want to stay
> >     well below the birthday bound.
> >
> >
> > The birthday bound here is 2^{64}, right?
> >
> > -Ekr
> >
> >        However, that's as true for (say) CBC mode as it is for GCM
> 
> Actually, no.
> 
> Using the sequence number as part of the effective nonce, means that it
> won't collide. There is no relevant bound for collisions in the nonces or in the
> CTR state, because they simply won't happen (unless there is an
> implementation flaw). There won't be any potentially exploitable collisions.
> 
> However, theoretically, the GHASH state might collide with a 2^{64} birthday
> bound. This possibility doesn't seem entirely relevant, though.

That is a good point, and deserves to be examined more.

With CBC mode, there's a probability that two different ciphertext blocks will happen to be identical; when that unlikely event happens, the attacker can determine the bitwise difference between the corresponding plaintext blocks (and thereby leak a small amount of plaintext)

This doesn't happen with GCM.  Instead, the distinguisher is of this form: the attacker with a potential plaintext can compute the internal CTR values for GCM; if he sees a duplicate value, he can deduce that that potential plaintext wasn't the real one (because the internal CTR values never repeat).

Assuming that they cannot distinguish AES with a random key from a random permutation, that's the only thing they can learn.

That is, when they prove that there is no distinguisher with better than 2^{-64} advantage, what they are referring to (in practice) is that the attacker could eliminate a tiny fraction (1 out of 2^{64}) of the possible plaintexts; they gain no more information than that.