Re: [TLS] 3DES diediedie

Tony Arcieri <bascule@gmail.com> Thu, 25 August 2016 03:38 UTC

From: Tony Arcieri <bascule@gmail.com>
Date: Wed, 24 Aug 2016 20:37:47 -0700
Message-ID: <CAHOTMVKyub+J0Vx+UryDEAHdJRYRTmZ1wvLmEBkSor7pOrXy_w@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QjCvO12Xr9tWQ4iI1j6UPfQWFZ0>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>

On Wed, Aug 24, 2016 at 8:28 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
wrote:

> Only if there's an actual issue.  3DES is still very widely supported
> (particularly in financial systems and embedded)


As someone who works professionally in the payments industry alongside
people who are directly implementing EMV protocols, let me note: those are
not IETF protocols and should not have bearing on IETF/IRTF decisions
regarding deprecations of protocols in TLS or other IETF protocols. But I'm
mainly concerned with TLS...

> and provides a useful backup to AES.


So does ChaCha20.


> An attack that recovers a cookie if you can record 785GB of traffic isn't
> anything I'm losing any sleep over.


...but is not a terribly dissimilar traffic volume to recover plaintexts
from similar attacks against RC4, which received "diediedie" in RFC 7465.

Perhaps notable is that the RC4 attacks work across multiple session keys,
whereas SWEET32 requires the same key, but I think the practical
consequences regarding data volume limits are similar.

-- 
Tony Arcieri