Re: [TLS] Data volume limits

Andrey Jivsov <crypto@brainhub.org> Wed, 16 December 2015 06:39 UTC

Message-ID: <5671070E.7010800@brainhub.org>
Date: Tue, 15 Dec 2015 22:39:10 -0800
From: Andrey Jivsov <crypto@brainhub.org>
To: tls@ietf.org
References: <CABcZeBNR76DqPo0Mukf5L2G-WBSC+RCZKhVGqBZq=tJYfEHLUg@mail.gmail.com> <e007baa2f53249d49917e6023e578bc0@XCH-RTP-006.cisco.com> <CACsn0ckSo-affRmsTZaodCJZsFisPygnhk9=OZuV0_9SVMbUxQ@mail.gmail.com> <6674a4ec51fe4e158929bf429260d6ea@XCH-RTP-006.cisco.com> <CACsn0cn4FdS9CRWu0iLo9CfZoyun3EAMJr8DTLV+H1E27VBD+w@mail.gmail.com>
In-Reply-To: <CACsn0cn4FdS9CRWu0iLo9CfZoyun3EAMJr8DTLV+H1E27VBD+w@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/StHk1zDT51kMP_pJ1R3af3gt8ig>
Subject: Re: [TLS] Data volume limits

On 12/15/2015 03:47 PM, Watson Ladd wrote:
>
> On Dec 15, 2015 6:08 PM, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> wrote:
> >
> > > -----Original Message-----
> > > From: Watson Ladd [mailto:watsonbladd@gmail.com]
> > > Sent: Tuesday, December 15, 2015 5:38 PM
> > > To: Scott Fluhrer (sfluhrer)
> > > Cc: Eric Rescorla; tls@ietf.org
> > > Subject: Re: [TLS] Data volume limits
> > >
> > > On Tue, Dec 15, 2015 at 5:01 PM, Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> wrote:
> > > > Might I enquire about the cryptographical reason behind such a limit?
> > > >
> > > > Is this the limit on the size of a single record?  GCM does have a
> > > > limit approximately there on the size of a single plaintext it can
> > > > encrypt.  For TLS, it encrypts a record as a single plaintext, and so
> > > > this would apply to extremely huge records.
> > >
> > > The issue is the bounds in Iwata-Ohashi-Minematsu's paper, which show a
> > > quadratic confidentiality loss after a total volume sent. This is an
> > > exploitable issue.
> >
> > Actually, the main result of that paper was that GCM with nonces other
> > than 96 bits was less secure than previously thought (or, rather, that
> > the previous proofs were wrong, and what they can prove is considerably
> > worse; whether their proof is tight is an open question).  They address
> > 96 bit nonces as well, however the results they get are effectively
> > unchanged from the original GCM paper.  I had thought that TLS used 96 bit
> > nonces (constructed from 32 bit salt and a 64 bit counter); were the
> > security guarantees from the original paper too weak?  If not, what has
> > changed?
> >
> > The quadratic behavior in the security proofs is there for just about any
> > block cipher mode, and is the reason why you want to stay well below the
> > birthday bound.  However, that's as true for (say) CBC mode as it is for
> > GCM.
>
> That's correct. And when we crunch the numbers assuming 2^60 is negligible
> out comes 2^36 bytes. This doesn't hold for ChaCha20.
>

If 2^36 above is about confidentiality, I am getting q<2^34, assuming 
probability of a collision lower than p=2^-60.

2^34*(2^34-1) <  (2^(128-60))/0.316 (that's the formula with 'e', not 
C(q,2)).

q=2^34 blocks is 2^38 bytes (256 GiB). Close enough, although p=2^-60 
could have been higher for higher total bytes before rekey.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
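The arithmetic behind the "2^36 bytes" and "q<2^34 blocks" figures in the thread, as an added worked example that is not part of the original messages: the script below computes how many 128-bit blocks a single AES-GCM key may process before the birthday (block-collision) term exceeds a chosen margin, and the reverse, the size of that term for a given byte volume. It uses the classic C(q,2)/2^n = q(q-1)/2^(n+1) term from the PRP/PRF switching lemma, which is the form Andrey contrasts his own variant with, so the constant 0.316 in his message is deliberately not reproduced; the function names, the exact-integer method and the sample margins are this example's own choices.

```python
"""Birthday-bound arithmetic for per-key data volume limits (added example).

Assumption: the confidentiality loss of a CTR-based mode such as GCM over
one key is dominated by the block-collision term C(q,2)/2^n, where q is the
number of n-bit blocks encrypted under that key. This is the standard
switching-lemma term, not the tighter or looser variants discussed in the
Iwata-Ohashi-Minematsu paper.
"""
import math


def max_blocks(block_bits: int, margin_log2: int) -> int:
    """Largest q with q(q-1)/2^(n+1) <= 2^-margin_log2, computed exactly.

    q(q-1) <= 2^(n+1-margin_log2) is solved with integer arithmetic so the
    answer is not distorted by floating point at the 2^34 scale.
    """
    exponent = block_bits + 1 - margin_log2
    if exponent < 0:
        # The allowed term is below 1/2^(n+1): only a single block (no pair,
        # hence no collision) stays within the margin.
        return 1
    limit = 1 << exponent
    # floor of the positive root of q^2 - q - limit = 0
    q = (1 + math.isqrt(1 + 4 * limit)) // 2
    while q * (q - 1) > limit:  # defensive; the floor above is already exact
        q -= 1
    return q


def max_bytes(block_bits: int, margin_log2: int) -> int:
    """Bytes of plaintext that fit in max_blocks() full blocks."""
    return max_blocks(block_bits, margin_log2) * (block_bits // 8)


def collision_term_log2(total_bytes: int, block_bits: int = 128) -> float:
    """log2 of C(q,2)/2^n for the q blocks needed to encrypt total_bytes."""
    block_bytes = block_bits // 8
    q = -(-total_bytes // block_bytes)  # ceiling division
    if q < 2:
        return float("-inf")  # no pair of blocks, so no collision is possible
    # log2(q(q-1)) - (n+1); math.log2 accepts arbitrarily large ints
    return math.log2(q * (q - 1)) - (block_bits + 1)


def describe(block_bits: int, margin_log2: int) -> str:
    """One table row: margin, block budget and byte budget for one key."""
    q = max_blocks(block_bits, margin_log2)
    b = max_bytes(block_bits, margin_log2)
    return (f"margin 2^-{margin_log2}: q <= 2^{math.log2(q):.2f} blocks, "
            f"{b / 2**30:.1f} GiB before rekey")


if __name__ == "__main__":
    # AES-GCM (n = 128) for a few margins; 2^-60 is the one used in the thread.
    for margin in (60, 57, 40):
        print(describe(128, margin))
    # Reverse direction: the 2^36 bytes quoted by Watson, as a collision term.
    print(f"2^36 bytes under one key: term = 2^{collision_term_log2(2**36):.1f}")
```

With the C(q,2)/2^n term the 2^-60 margin allows a little over 2^34 blocks (about 362 GiB) per key, which brackets the 256 GiB in the message above; the spread between the two figures is entirely the choice of constant in the collision term, which is why the thread's participants arrive at slightly different byte counts from the same margin.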