Re: [TLS] [Cfrg] 3DES diediedie

"David McGrew (mcgrew)" <mcgrew@cisco.com> Sat, 27 August 2016 12:53 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4A2612D51A for <tls@ietfa.amsl.com>; Sat, 27 Aug 2016 05:53:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.069
X-Spam-Level:
X-Spam-Status: No, score=-15.069 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xzdmBRXdklQq for <tls@ietfa.amsl.com>; Sat, 27 Aug 2016 05:53:11 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3F2412D113 for <tls@ietf.org>; Sat, 27 Aug 2016 05:53:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3346; q=dns/txt; s=iport; t=1472302390; x=1473511990; h=from:to:subject:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=zs1FoM5LXE4cGj5OranKFgCbO6DyASmtAess9LBV8zI=; b=JbLcZO08QLpY3usK0vg4JlQ/jfxTOrPou9iC31FwUsSmLQ32ha9tuJPE EakAz0cElRuVU95JmzHAwCFHulvJJwOlwi4M2QR5gKFRE99UkWzmJn9xI EvNF3EbqP/Ivn3kG4oVg5vxAffLqJ3as3DHqvQd5jMtXTcSrHFIED13zr o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DbAQChjMFX/5hdJa1dDgwBAQEBAgEBA?= =?us-ascii?q?QGDKQEBAQEBHld8B4NAiWiqeYIBIIV9AhyBJjgUAQIBAQEBAQEBXieEYgEBAgI?= =?us-ascii?q?jEVUCAQgODAImAgICMBUQAgQBEhuIJQ6wSo8zAQEBAQEBAQEBAQEBAQEBAQEBA?= =?us-ascii?q?QEBFwWBA4cjglWCEIITAQEbgwIrgi8FhhKTPQGGH4I9gz6DEI9VkDwBHjaCNBy?= =?us-ascii?q?BETtwAYQsgSB/AQEB?=
X-IronPort-AV: E=Sophos;i="5.28,586,1464652800"; d="scan'208";a="314578619"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Aug 2016 12:53:09 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id u7RCr9ZO013092 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sat, 27 Aug 2016 12:53:09 GMT
Received: from xch-aln-004.cisco.com (173.36.7.14) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Sat, 27 Aug 2016 07:53:09 -0500
Received: from xch-aln-004.cisco.com ([173.36.7.14]) by XCH-ALN-004.cisco.com ([173.36.7.14]) with mapi id 15.00.1210.000; Sat, 27 Aug 2016 07:53:08 -0500
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Tony Arcieri <bascule@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] 3DES diediedie
Thread-Index: AQHR/nWfoW+SS6smqUOyCtdxrLUgKaBbmdgAgAF4CoD//8XhAA==
Date: Sat, 27 Aug 2016 12:53:08 +0000
Message-ID: <B749662D-B518-46E0-A51D-4AD1D30A8ED2@cisco.com>
References: <CAHOTMV+r5PVxqnSozYyqJqq_YocMKV06aAa-43t+5Huzh7Lo=A@mail.gmail.com> <F42128A0-9682-4042-8C7E-E3686743B314@cisco.com> <9A043F3CF02CD34C8E74AC1594475C73F4D0473F@uxcn10-5.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4D0473F@uxcn10-5.UoA.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.15.1.160411
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.117.10.228]
Content-Type: text/plain; charset="utf-8"
Content-ID: <2092DCF482106A4B8AA88B2A25DAE0D2@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MY-gkGZJx9pfkGNTuCHuEMCdky8>
Subject: Re: [TLS] [Cfrg] 3DES diediedie
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Aug 2016 12:53:12 -0000

Hi Peter,




On 8/27/16, 8:21 AM, "Peter Gutmann" <pgut001@cs.auckland.ac.nz> wrote:

>David McGrew (mcgrew) <mcgrew@cisco.com> writes:
>
>>Most of the lightweight “designed for IoT” block ciphers have a 64 bit block
>>size (and sometimes even smaller); see for instance Table 1.1 of
>>https://eprint.iacr.org/2013/404.pdf So perhaps what the Internet needs here
>>is sound guidance on how to use 64-bit block ciphers.   Best practices here
>>include both mandatory rekeying well below the birthday bound and/or the use
>>of secure beyond the birthday bound modes of operation such as Iwata’s CENC.
>
>IoT devices are, pretty much by default, insecure.  And I mean, really, really
>insecure, I've heard phrases like "hack like it's 199x" a number of times
>during talks on all the holes people have found in these things.  In addition,
>the reason why devs are using lightweight ciphers in IoT devices is because
>they know that their device can't use anything more powerful, in the same way
>they they know that a strcpy() into a ten-byte fixed-size buffer is a good way
>to decode network packets.
>
>Looking at it from the other side, your typical IoT device will be sending,
>for example, a 12-byte message every 15 minutes, meaning it'll take, if my
>calculations are right, just under two million years to collect the 785GB of
>data required to perform the attack.
>
>So you've got something where the devices aren't vulnerable to the problem
>(and nor, in any practical case, is anything else), for which the devs
>involved won't even know that any guidance on the situation exists, and for
>which, if anyone really wants to attack them, they can use any of the dozens
>of insecure-by-design holes that are present in the device to own the whole
>thing, at which point what you do with your crypto becomes meaningless.

I don’t think you understood my point.  IoT is about small devices connecting to the Internet, and IETF standards should expect designed-for-IoT crypto to be increasingly in scope.  It is important to not forget about these devices, amidst the current attention being paid to misuses of 64-bit block ciphers, which was the ultimate cause of this mail thread.



>
>So what you're proposing is essentially a non-solution to a non-problem...
>still, if you feel like writing the memo for it, don't let me stand in your
>way.

Gee, thanks.  

David

>
>Peter.