Re: [TLS] [Cfrg] 3DES diediedie

"David McGrew (mcgrew)" <> Sat, 27 August 2016 12:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A4A2612D51A for <>; Sat, 27 Aug 2016 05:53:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -15.069
X-Spam-Status: No, score=-15.069 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xzdmBRXdklQq for <>; Sat, 27 Aug 2016 05:53:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E3F2412D113 for <>; Sat, 27 Aug 2016 05:53:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=3346; q=dns/txt; s=iport; t=1472302390; x=1473511990; h=from:to:subject:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=zs1FoM5LXE4cGj5OranKFgCbO6DyASmtAess9LBV8zI=; b=JbLcZO08QLpY3usK0vg4JlQ/jfxTOrPou9iC31FwUsSmLQ32ha9tuJPE EakAz0cElRuVU95JmzHAwCFHulvJJwOlwi4M2QR5gKFRE99UkWzmJn9xI EvNF3EbqP/Ivn3kG4oVg5vxAffLqJ3as3DHqvQd5jMtXTcSrHFIED13zr o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DbAQChjMFX/5hdJa1dDgwBAQEBAgEBA?= =?us-ascii?q?QGDKQEBAQEBHld8B4NAiWiqeYIBIIV9AhyBJjgUAQIBAQEBAQEBXieEYgEBAgI?= =?us-ascii?q?jEVUCAQgODAImAgICMBUQAgQBEhuIJQ6wSo8zAQEBAQEBAQEBAQEBAQEBAQEBA?= =?us-ascii?q?QEBFwWBA4cjglWCEIITAQEbgwIrgi8FhhKTPQGGH4I9gz6DEI9VkDwBHjaCNBy?= =?us-ascii?q?BETtwAYQsgSB/AQEB?=
X-IronPort-AV: E=Sophos;i="5.28,586,1464652800"; d="scan'208";a="314578619"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Aug 2016 12:53:09 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id u7RCr9ZO013092 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sat, 27 Aug 2016 12:53:09 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1210.3; Sat, 27 Aug 2016 07:53:09 -0500
Received: from ([]) by ([]) with mapi id 15.00.1210.000; Sat, 27 Aug 2016 07:53:08 -0500
From: "David McGrew (mcgrew)" <>
To: Peter Gutmann <>, Tony Arcieri <>, "<>" <>, "" <>
Thread-Topic: [Cfrg] 3DES diediedie
Thread-Index: AQHR/nWfoW+SS6smqUOyCtdxrLUgKaBbmdgAgAF4CoD//8XhAA==
Date: Sat, 27 Aug 2016 12:53:08 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/f.15.1.160411
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [TLS] [Cfrg] 3DES diediedie
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 27 Aug 2016 12:53:12 -0000

Hi Peter,

On 8/27/16, 8:21 AM, "Peter Gutmann" <> wrote:

>David McGrew (mcgrew) <> writes:
>>Most of the lightweight “designed for IoT” block ciphers have a 64 bit block
>>size (and sometimes even smaller); see for instance Table 1.1 of
>> So perhaps what the Internet needs here
>>is sound guidance on how to use 64-bit block ciphers.   Best practices here
>>include both mandatory rekeying well below the birthday bound and/or the use
>>of secure beyond the birthday bound modes of operation such as Iwata’s CENC.
>IoT devices are, pretty much by default, insecure.  And I mean, really, really
>insecure, I've heard phrases like "hack like it's 199x" a number of times
>during talks on all the holes people have found in these things.  In addition,
>the reason why devs are using lightweight ciphers in IoT devices is because
>they know that their device can't use anything more powerful, in the same way
>they they know that a strcpy() into a ten-byte fixed-size buffer is a good way
>to decode network packets.
>Looking at it from the other side, your typical IoT device will be sending,
>for example, a 12-byte message every 15 minutes, meaning it'll take, if my
>calculations are right, just under two million years to collect the 785GB of
>data required to perform the attack.
>So you've got something where the devices aren't vulnerable to the problem
>(and nor, in any practical case, is anything else), for which the devs
>involved won't even know that any guidance on the situation exists, and for
>which, if anyone really wants to attack them, they can use any of the dozens
>of insecure-by-design holes that are present in the device to own the whole
>thing, at which point what you do with your crypto becomes meaningless.

I don’t think you understood my point.  IoT is about small devices connecting to the Internet, and IETF standards should expect designed-for-IoT crypto to be increasingly in scope.  It is important to not forget about these devices, amidst the current attention being paid to misuses of 64-bit block ciphers, which was the ultimate cause of this mail thread.

>So what you're proposing is essentially a non-solution to a non-problem...
>still, if you feel like writing the memo for it, don't let me stand in your

Gee, thanks.