Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Wed, 13 July 2016 11:09 UTC

From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RpPvUBHU_3XYF-sZcLOiDykPLUo>
Cc: "tls@ietf.org" <tls@ietf.org>

Hi Kenny, 

On 7/12/16, 3:03 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> wrote:

>Hi,
>
>> On 12 Jul 2016, at 18:56, Dang, Quynh (Fed) <quynh.dang@nist.gov> wrote:
>> 
>> Hi Kenny, 
>> 
>>> On 7/12/16, 1:39 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> wrote:
>>> 
>>> Hi
>>> 
>>>> On 12/07/2016 18:12, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
>>>> 
>>>> Hi Kenny, 
>>>> 
>>>>> On 7/12/16, 1:05 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> wrote:
>>>>> 
>>>>> Hi
>>>>> 
>>>>>> On 12/07/2016 16:12, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
>>>>>> 
>>>>>> Hi Kenny,
>>>>>> 
>>>>>> I support the strongest indistinguishability notion mentioned in (*)
>>>>>> above, but in my opinion we should provide good description to the
>>>>>> users.
>>>>> 
>>>>> OK, I think now we are at the heart of your argument. You support our
>>>>> choice of security definition and method of analysis after all.
>>>>> 
>>>>> And we can agree that good descriptions can only help.
>>>>> 
>>>>>> That is why I support the limit around 2^38 records.
>>>>> 
>>>>> I don't see how changing 2^24.5 (which is in the current draft) to 2^38
>>>>> provides a better description to users.
>>>>> 
>>>>> Are you worried they won't know what a decimal in the exponent means?
>>>>> 
>>>>> Or, more seriously, are you saying that 2^{-32} for single key attacks is
>>>>> a big enough security margin? If so, can you say what that's based on?
>>>> 
>>>> It would not make sense to ask people to rekey unnecessarily. 1 in 2^32 is
>>>> 1 in 4,294,967,296 for the indistinguishability attack.
>>> 
>>> I would agree that it does not make sense to ask TLS peers to rekey
>>> unnecessarily. I also agree that 1 in 2^32 is
>>> 1 in 4,294,967,296. Sure looks like a big, scary number, don't it?
>>> 
>>> Are you then arguing that 2^{-32} for single key attacks is a big enough
>>> security margin because we want to avoid rekeying?
>> 
>> Because it is safe therefore there are no needs to rekey.
>
>Could you define "safe", please? Safe for what? For whom?
>
>Again, why are you choosing 2^-32 for your security bound? Why not 2^-40
>or even 2^-24? What's your rationale? Is it just finger in the air, or do
>you have a threat analysis, or ...?
>
>> I don't
>> recommend to run another function/protocol when there are no needs for it.
>> I don't see any particular reasons for mentioning single key in the
>> indistinguishability attack here.
>> 
>
>Then please read a little further into the note that presents the
>analysis: a conservative but generic approach dictates that, when the
>attacker has multiple keys to attack, we should multiply the security
>bounds by the number of target keys.

I don’t think multiple target keys help the data complexity in the context
of TLS here for the distinguishing attack. Let’s look at two situations in
multiple keys in TLS.

1) Different data sets with different keys and their respective bound such
as 2^38 records: (k1, dataset1, 2^38), …, (k10, dataset10, 2^38).

The attacker has 10 times more chances of success with 10 times more data
complexity.

2) The same data set with different keys: (k1, dataset, 2^38), …, (k10,
dataset, 2^38).

Even though the same data set is used with different keys, the data
complexity is 10 times more in order for the attacker to be 10 times
more likely to succeed.

Regards,
Quynh. 


