Re: [TLS] Data volume limits
Eric Rescorla <ekr@rtfm.com> Wed, 16 December 2015 11:18 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 057571A8AA8 for <tls@ietfa.amsl.com>; Wed, 16 Dec 2015 03:18:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DfKiXdV28PJI for <tls@ietfa.amsl.com>; Wed, 16 Dec 2015 03:18:37 -0800 (PST)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9E371A8A54 for <tls@ietf.org>; Wed, 16 Dec 2015 03:18:36 -0800 (PST)
Received: by mail-qk0-x22b.google.com with SMTP id k189so58070255qkc.0 for <tls@ietf.org>; Wed, 16 Dec 2015 03:18:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=4YG03gU0ZRJ6QL99ZRJIvBzFkeqE35J4RARqeAWO3xY=; b=kOdM9M3/uQTh8Cr89LIRzDcWEGR53YKfMQX/VnTgUP4oby1iZGbgZ2nCC4IOz86aMM 0WrPu3VYTa7M0M3v7q1t/B+qzhctrIVR4VNbV3YSqF2gr91/hNhgY6w34tiy+hUidkmu qVX1WWRJUO3sIqwpa9HoYcK2Ztl7LwkyDroVLS2E6CNLwrPK5LaakoseX1RvILTkBIjl LNOweKWfk9+4r4624dPGk3Sy4VWA0f/ssrxqexenYxSekdFkN0zlUo71/LsQXmox7NkL Cnleb6FatGFYc2P+JATUjAcNIvLV2eQo5vwxjrNl4j9ixky/lE0B72faQfbje5hy2u3R SzwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=4YG03gU0ZRJ6QL99ZRJIvBzFkeqE35J4RARqeAWO3xY=; b=hCEjKDq6KrG61rdKxBUO0kQa1Yd5aetBsRZvD68GDYCiv7VC2nRbPLRh/LBtrTYWpC DQiXNa1dmpVOPXW8KANoJBTd4cWzAsDn8l6k0yIFRJEvVrSHUEw62SBIF7er57eDwppU bSCi32Ms4Q9gN9Nuteq4C8bzigDUYPhoOgSqFUa9HFFusuAVjzG2HwQtK5EvCYDh8P53 7viwXvNHc0wy+TFg10P4KWLEyX0L+53F5Gzy1qXA+yDyu+4MCA04qxtxsLBSBMZ/91K1 /uS3pBrY8Sy2P67w3628Y549svBTPXGnArQdhFpyQqceruTakZLum5BQ2BCSJ8uwjeb0 ENKA==
X-Gm-Message-State: ALoCoQn/QPHpLCKlcu8kgTXt0RfqpO3+Q9bM/fgIXutD/HgHxokYBACKB9ipws941wo+4lzCaV7JqlX6oXnaCMjsIv8LFZgZUg==
X-Received: by 10.13.193.4 with SMTP id c4mr11958925ywd.192.1450264716089; Wed, 16 Dec 2015 03:18:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.197 with HTTP; Wed, 16 Dec 2015 03:17:56 -0800 (PST)
In-Reply-To: <87twnibx5p.fsf@latte.josefsson.org>
References: <CABcZeBNR76DqPo0Mukf5L2G-WBSC+RCZKhVGqBZq=tJYfEHLUg@mail.gmail.com> <87twnibx5p.fsf@latte.josefsson.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 16 Dec 2015 03:17:56 -0800
Message-ID: <CABcZeBO=MQTu2t+EGBn4m2LZt_DKtY3RggF-GcM0S=jAwXeSRw@mail.gmail.com>
To: Simon Josefsson <simon@josefsson.org>
Content-Type: multipart/alternative; boundary="001a114caa9e3bcecf05270211dd"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/YkgPy1SfAUee5PHi54Uk391myCk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Data volume limits
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 11:18:39 -0000
On Wed, Dec 16, 2015 at 12:44 AM, Simon Josefsson <simon@josefsson.org> wrote: > Eric Rescorla <ekr@rtfm.com> writes: > > > Watson kindly prepared some text that described the limits on what's safe > > for AES-GCM and restricting all algorithms with TLS 1.3 to that lower > > limit (2^{36} bytes), even though ChaCha doesn't have the same > > restriction. > > Can we see a brief writeup explaining the 2^36 number? > I believe Watson provided one a while back at: https://www.ietf.org/mail-archive/web/tls/current/msg18240.html > I don't like re-keying. It is usually a sign that your primitives are > too weak and you are attempting to hide that fact. To me, it is similar > to discard the first X byte of RC4 output. > To be clear: I would prefer not to rekey either, but the consensus at IETF Yokohama was that we were close enough to the limit that we probably had to. Would be happy to learn that we didn't. -Ekr If AES-GCM cannot provide confidentiality beyond 64GB (which would > surprise me somewhat), I believe we ought to be careful about > recommending it. > > Of course, the devil is in the details: if the risk is that the secret > key is leaked, that's fatal; if the risk is that the attacker can tell > whether two particular plaintext 128 byte blocks are the same or not in > the entire file, that can be a risk we can live with (similar to the > discard X bytes of RC4 fix). > > I believe 64GB is within the range that people download in a web browser > these days. More data intensive longer-running protocols often transfer > significantly more. > > /Simon >
- Re: [TLS] Data volume limits Watson Ladd
- [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Dave Garrett
- Re: [TLS] Data volume limits Benjamin Beurdouche
- Re: [TLS] Data volume limits Scott Fluhrer (sfluhrer)
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Russ Housley
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Hanno Böck
- Re: [TLS] Data volume limits Scott Fluhrer (sfluhrer)
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Brian Smith
- Re: [TLS] Data volume limits Henrick Hellström
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Andrey Jivsov
- Re: [TLS] Data volume limits Scott Fluhrer (sfluhrer)
- Re: [TLS] Data volume limits Henrick Hellström
- Re: [TLS] Data volume limits Brian Smith
- Re: [TLS] Data volume limits Martin Thomson
- Re: [TLS] Data volume limits Martin Thomson
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Dave Garrett
- Re: [TLS] Data volume limits Stephen Farrell
- Re: [TLS] Data volume limits Dave Garrett
- Re: [TLS] Data volume limits Martin Thomson
- Re: [TLS] Data volume limits Bill Frantz
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Martin Thomson
- Re: [TLS] Data volume limits Dave Garrett
- Re: [TLS] Data volume limits Andrey Jivsov
- Re: [TLS] Data volume limits Ryan Carboni
- Re: [TLS] Data volume limits Paterson, Kenny
- Re: [TLS] Data volume limits Simon Josefsson
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Henrick Hellström
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Dang, Quynh
- Re: [TLS] Data volume limits Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Brian Smith
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Brian Smith
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Nikos Mavrogiannopoulos
- Re: [TLS] Data volume limits Yoav Nir
- Re: [TLS] Data volume limits Dang, Quynh
- Re: [TLS] Data volume limits Hubert Kario
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Florian Weimer
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Florian Weimer
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Data volume limits Ilari Liusvaara
- Re: [TLS] Data volume limits Salz, Rich
- Re: [TLS] Data volume limits Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Data volume limits Dang, Quynh
- Re: [TLS] Data volume limits Brian Smith
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Dave Garrett
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Data volume limits Aaron Zauner
- Re: [TLS] Data volume limits Aaron Zauner
- Re: [TLS] Data volume limits Ilari Liusvaara
- Re: [TLS] Data volume limits Samuel Neves
- Re: [TLS] Data volume limits Henrick Wibell Hellström
- Re: [TLS] Data volume limits Ilari Liusvaara
- Re: [TLS] Data volume limits Aaron Zauner
- Re: [TLS] Data volume limits sneves
- Re: [TLS] Data volume limits Aaron Zauner
- Re: [TLS] Data volume limits James Cloos
- Re: [TLS] Data volume limits Samuel Neves
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits Ilari Liusvaara
- Re: [TLS] Data volume limits James Cloos
- Re: [TLS] Data volume limits Watson Ladd
- Re: [TLS] Data volume limits Eric Rescorla
- Re: [TLS] Data volume limits James Cloos
- Re: [TLS] Data volume limits Hubert Kario
- Re: [TLS] Data volume limits Florian Weimer
- Re: [TLS] Data volume limits Florian Weimer
- Re: [TLS] Data volume limits Hubert Kario
- Re: [TLS] Data volume limits Florian Weimer
- Re: [TLS] Data volume limits Benjamin Kaduk
- Re: [TLS] Data volume limits Florian Weimer