Re: [TLS] Data volume limits

Eric Rescorla <ekr@rtfm.com> Wed, 16 December 2015 11:18 UTC


On Wed, Dec 16, 2015 at 12:44 AM, Simon Josefsson <simon@josefsson.org> wrote:

> Eric Rescorla <ekr@rtfm.com> writes:
>
> > Watson kindly prepared some text that described the limits on what's safe
> > for AES-GCM and restricting all algorithms with TLS 1.3 to that lower
> > limit (2^{36} bytes), even though ChaCha doesn't have the same
> > restriction.
>
> Can we see a brief writeup explaining the 2^36 number?
>

I believe Watson provided one a while back at:
https://www.ietf.org/mail-archive/web/tls/current/msg18240.html


> I don't like re-keying.  It is usually a sign that your primitives are
> too weak and you are attempting to hide that fact.  To me, it is similar
> to discarding the first X bytes of RC4 output.
>

To be clear: I would prefer not to rekey either, but the consensus at IETF
Yokohama was that we were close enough to the limit that we probably had to.
Would be happy to learn that we didn't.

-Ekr



> If AES-GCM cannot provide confidentiality beyond 64GB (which would
> surprise me somewhat), I believe we ought to be careful about
> recommending it.
>
> Of course, the devil is in the details: if the risk is that the secret
> key is leaked, that's fatal; if the risk is that the attacker can tell
> whether two particular plaintext 128 byte blocks are the same or not in
> the entire file, that can be a risk we can live with (similar to the
> discard X bytes of RC4 fix).
>
> I believe 64GB is within the range that people download in a web browser
> these days.  More data intensive longer-running protocols often transfer
> significantly more.
>
> /Simon
>
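
Added example, not part of the original message or of any TLS implementation: a sender-side counter that enforces the per-key limit of 2^36 bytes discussed in this thread by rekeying before a record would cross it. The class name, the `rekey` callback and `simulate` are hypothetical; the 2^14-byte record cap is the TLS plaintext record maximum.

```python
LIMIT_BYTES = 2**36   # per-key data volume limit quoted in the thread
MAX_RECORD = 2**14    # TLS plaintext record size cap, in bytes


class KeyVolumeLimiter:
    """Counts bytes protected under the current key and forces a rekey
    before a record would push the total past the limit."""

    def __init__(self, rekey, limit=LIMIT_BYTES):
        self._rekey = rekey        # hypothetical callback that installs a fresh key
        self.limit = limit
        self.bytes_under_key = 0
        self.generation = 0        # number of rekeys performed so far

    def before_send(self, record_len):
        """Call before protecting a record; returns the key generation to use."""
        if not 0 < record_len <= MAX_RECORD:
            raise ValueError("record length out of range")
        # Rekey first if this record would exceed the limit, so that no
        # single key ever protects more than `limit` bytes.
        if self.bytes_under_key + record_len > self.limit:
            self._rekey()
            self.generation += 1
            self.bytes_under_key = 0
        self.bytes_under_key += record_len
        return self.generation


def simulate(total_bytes, record_len=MAX_RECORD, limit=LIMIT_BYTES):
    """Send total_bytes in records of record_len bytes.
    Returns (number of rekeys, largest byte count seen under one key)."""
    rekeys = []
    limiter = KeyVolumeLimiter(rekey=lambda: rekeys.append(1), limit=limit)
    peak = 0
    remaining = total_bytes
    while remaining > 0:
        n = min(record_len, remaining)
        limiter.before_send(n)
        peak = max(peak, limiter.bytes_under_key)
        remaining -= n
    return len(rekeys), peak


if __name__ == "__main__":
    # Constructed run with a small limit so it finishes instantly.
    print(simulate(1_000_000, limit=100_000))
    print("full-size records per key at the real limit:", LIMIT_BYTES // MAX_RECORD)
```
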