IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 22 October 2014 15:16 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D2B61ACD4A for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 08:16:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fIFRVtU_e15f for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 08:16:25 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8794F1ACD43 for <tls@ietf.org>; Wed, 22 Oct 2014 08:16:25 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 8D0912AB24B; Wed, 22 Oct 2014 15:16:23 +0000 (UTC)
Date: Wed, 22 Oct 2014 15:16:23 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141022151623.GA19158@mournblade.imrryr.org>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <544606E5.2070807@fussenegger.info> <CAA7UWsVmxAmBtdCvpE_+c2e7brJNkPrQ5_69FDXzy2csg6EsyA@mail.gmail.com> <1659862.HPNNz8lRhl@pintsize.usersys.redhat.com> <CAA7UWsUbxDyh_yxn2t+tghHhLOhuBH+SqiLELJRFq9g=w=OAXw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAA7UWsUbxDyh_yxn2t+tghHhLOhuBH+SqiLELJRFq9g=w=OAXw@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/WIJJ-wIk1DWWa0ffyx5hfuYgfcs
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 15:16:29 -0000

On Wed, Oct 22, 2014 at 10:27:32AM -0400, David Leon Gil wrote:

> There are, obviously, two things a server should be able to use for a
> unified session id/ticket:
> 
>  - An opaque identifier
>  - Encrypted session state using a construction like RFC 5077's.
> 
> Right now, RFC 5077 recommends: AES-128 with a 128-bit key and
> HMAC-SHA256 with a 256-bit key.
> 
> Or, uselessly high 256-bit security against active attackers, and
> uselessly low 128-bit security strength against global passive
> adversaries.
> 
> There should be a recommended session ticket construction at a 256 bit
> security strength for privacy to replace RFC 5077 s.4's.

The same construction works just fine with AES-256-CBC, so it is
merely a matter of updating the draft to recommend AES-256-CBC for
the encryption.  (I've updated the Postfix default ticket cipher
to AES-256-CBC as planned for the next release).

Mind you, I would not call AES-128-CBC "uselessly low".  Assume
classical attacks, and suppose circuitry running at 1W power-draw
with 2^16 parallel AES units, each of which does 2^32 AES-128
encryptions per second.  The total energy requirement for an AES-128
brute force attack is then:

	(2^128 / 2^16 / 2^32) J = 2^80 J

If this is powered by a sizeable ~4 GW (2^32 W) power plant, it
will take 2^48 seconds to generate the requisite energy.  With
somewhat less than 2^25 seconds per year, we're looking at ~2^23
or ~8 million years of output from such a plant.

If we assume attacks that reduce AES from 128 to 120 bits, that
number comes down to a "mere" 2^15 or 32K years of 4GW power.  The
energy cost is prohibitive, and we've not taken into account the
costs of storage if this is to be a pre-computation for a space-time
trade-off to attack multiple encrypted payloads.

And all this ignores the fact that AES is rarely used in ECB mode
with the same fixed plaintext encrypted by all parties under varying
keys.  The use of random IVs or similar "whitening" makes
pre-computation substantially less effective.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email