Re: [TLS] Data volume limits
Andrey Jivsov <crypto@brainhub.org> Wed, 16 December 2015 06:39 UTC
Message-ID: <5671070E.7010800@brainhub.org>
Date: Tue, 15 Dec 2015 22:39:10 -0800
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CABcZeBNR76DqPo0Mukf5L2G-WBSC+RCZKhVGqBZq=tJYfEHLUg@mail.gmail.com> <e007baa2f53249d49917e6023e578bc0@XCH-RTP-006.cisco.com> <CACsn0ckSo-affRmsTZaodCJZsFisPygnhk9=OZuV0_9SVMbUxQ@mail.gmail.com> <6674a4ec51fe4e158929bf429260d6ea@XCH-RTP-006.cisco.com> <CACsn0cn4FdS9CRWu0iLo9CfZoyun3EAMJr8DTLV+H1E27VBD+w@mail.gmail.com>
In-Reply-To: <CACsn0cn4FdS9CRWu0iLo9CfZoyun3EAMJr8DTLV+H1E27VBD+w@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/StHk1zDT51kMP_pJ1R3af3gt8ig>
Subject: Re: [TLS] Data volume limits
On 12/15/2015 03:47 PM, Watson Ladd wrote:
>
> On Dec 15, 2015 6:08 PM, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> wrote:
> >
> > > -----Original Message-----
> > > From: Watson Ladd [mailto:watsonbladd@gmail.com]
> > > Sent: Tuesday, December 15, 2015 5:38 PM
> > > To: Scott Fluhrer (sfluhrer)
> > > Cc: Eric Rescorla; tls@ietf.org
> > > Subject: Re: [TLS] Data volume limits
> > >
> > > On Tue, Dec 15, 2015 at 5:01 PM, Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> wrote:
> > > > Might I enquire about the cryptographical reason behind such a limit?
> > > >
> > > > Is this the limit on the size of a single record? GCM does have a
> > > > limit approximately there on the size of a single plaintext it can
> > > > encrypt. For TLS, it encrypts a record as a single plaintext, and so
> > > > this would apply to extremely huge records.
> > >
> > > The issue is the bounds in Iwata-Ohashi-Minematsu's paper, which show a
> > > quadratic confidentiality loss after a total volume sent. This is an
> > > exploitable issue.
> >
> > Actually, the main result of that paper was that GCM with nonces other
> > than 96 bits were less secure than previously thought (or, rather, that
> > the previous proofs were wrong, and what they can prove is considerably
> > worse; whether their proof is tight is an open question). They address
> > 96 bit nonces as well, however the results they get are effectively
> > unchanged from the original GCM paper. I had thought that TLS used 96 bit
> > nonces (constructed from 32 bit salt and a 64 bit counter); were the
> > security guarantees from the original paper too weak? If not, what has
> > changed?
> >
> > The quadratic behavior in the security proofs is there for just about
> > any block cipher mode, and is the reason why you want to stay well below
> > the birthday bound. However, that's as true for (say) CBC mode as it is
> > for GCM
>
> That's correct. And when we crunch the numbers assuming 2^60 is
> negligible out comes 2^36 bytes. This doesn't hold for ChaCha20.

If 2^36 above is about confidentiality, I am getting q<2^34, assuming
probability of a collision lower than p=2^-60.

2^34*(2^34-1) < (2^(128-60))/0.316 (that's the formula with 'e', not C(q,2)).

q=2^34 blocks is 2^38 bytes (256 GiB).

Close enough, although p=2^-60 could have been higher for higher total
bytes before rekey.

>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
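The rekey-budget arithmetic in the message above, carried through as a worked example. This is added code, not from the thread or any TLS implementation. It assumes that the 0.316 constant in the post is (1 - 1/e)/2, i.e. that the "formula with 'e'" is the standard birthday lower bound P(collision) >= (1 - 1/e) * q(q-1)/(2N) for an n-bit block cipher with N = 2^n, valid while q(q-1)/(2N) <= 1. The RekeyBudget helper is hypothetical: it only shows how the resulting byte limit would be enforced on a traffic key.

```python
"""Birthday-bound rekey budget for a 128-bit block cipher in a counter-style
mode such as AES-GCM.  Added example, not code from the TLS list thread.
Assumption: the post's 0.316 factor is (1 - 1/e)/2 from the standard bound
    P(collision among q blocks) >= (1 - 1/e) * q(q-1) / (2N),   N = 2^n,
which holds while q(q-1)/(2N) <= 1.
"""
import math

BLOCK_BITS = 128            # AES block size n, so N = 2^128
BLOCK_BYTES = BLOCK_BITS // 8


def collision_lower_bound(q: int, n_bits: int = BLOCK_BITS) -> float:
    """Lower bound on the probability that q distinct counter blocks under one
    key exhibit a block collision (the distinguishing advantage the thread is
    budgeting for).  Raises if q is already past the birthday bound, where this
    approximation no longer applies."""
    x = q * (q - 1) / 2 ** (n_bits + 1)      # q(q-1)/(2N)
    if x > 1:
        raise ValueError("q is above the birthday bound; bound not applicable")
    return (1 - 1 / math.e) * x              # (1 - 1/e) * x ~= 0.632 x


def max_blocks(p_log2: int, n_bits: int = BLOCK_BITS) -> int:
    """Largest q with collision_lower_bound(q) < 2^p_log2, found by binary
    search.  The search is capped at 2^(n/2) so the bound stays valid."""
    target = 2.0 ** p_log2
    lo, hi = 1, 2 ** (n_bits // 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if collision_lower_bound(mid, n_bits) < target:
            lo = mid
        else:
            hi = mid - 1
    return lo


def max_blocks_pow2(p_log2: int, n_bits: int = BLOCK_BITS) -> int:
    """Largest power of two not exceeding max_blocks(), the form quoted in the
    thread (q = 2^34 for p = 2^-60 and n = 128)."""
    return 1 << (max_blocks(p_log2, n_bits).bit_length() - 1)


def blocks_to_bytes(q: int, block_bytes: int = BLOCK_BYTES) -> int:
    """Plaintext bytes that q blocks represent (2^34 blocks -> 2^38 bytes)."""
    return q * block_bytes


class RekeyBudget:
    """Hypothetical per-key byte counter: a sender would consult this after
    each record and trigger a key change (e.g. TLS 1.3 KeyUpdate) once the
    budget derived above is spent.  Not taken from any TLS library."""

    def __init__(self, limit_bytes: int):
        self.limit = limit_bytes
        self.used = 0

    def record(self, nbytes: int) -> bool:
        """Account for nbytes of plaintext; True means rekey before sending more."""
        self.used += nbytes
        return self.used >= self.limit


if __name__ == "__main__":
    q = max_blocks(-60)
    q2 = max_blocks_pow2(-60)
    print(f"largest q for p < 2^-60: {q} (~2^{math.log2(q):.2f})")
    print(f"power-of-two budget: 2^{q2.bit_length() - 1} blocks "
          f"= 2^{blocks_to_bytes(q2).bit_length() - 1} bytes")
    budget = RekeyBudget(blocks_to_bytes(q2))
    print("rekey after one 2^37-byte record?", budget.record(2 ** 37))
    print("rekey after a second?", budget.record(2 ** 37))
```

Run as a script it reproduces the post's figures: the largest q satisfying the bound is roughly 1.78 * 2^34, the power-of-two budget is 2^34 blocks, i.e. 2^38 bytes (256 GiB), and the stricter 2^36 bytes (2^32 blocks) quoted earlier in the thread sits comfortably inside it. The function applies only to n-bit block ciphers; a stream cipher such as ChaCha20 has no block-collision term, which is the reason the thread notes the limit does not carry over.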