Re: [TLS] Data volume limits

Brian Smith <brian@briansmith.org> Wed, 16 December 2015 19:57 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16C1B1A8954 for <tls@ietfa.amsl.com>; Wed, 16 Dec 2015 11:57:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XlCqQswtpjoE for <tls@ietfa.amsl.com>; Wed, 16 Dec 2015 11:57:44 -0800 (PST)
Received: from mail-ob0-x233.google.com (mail-ob0-x233.google.com [IPv6:2607:f8b0:4003:c01::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 799541A8949 for <tls@ietf.org>; Wed, 16 Dec 2015 11:57:44 -0800 (PST)
Received: by mail-ob0-x233.google.com with SMTP id sd4so41478542obb.0 for <tls@ietf.org>; Wed, 16 Dec 2015 11:57:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=9q7Les3w066ZMx0FowUAr68//RD7uCWbGUL3oCYOT/0=; b=FBQHSI4I8QiN5++EsIn1LQpTbGpVkmuEnSwb1OzHn91i5bczXejg/HP+HWG++iHNOT q4fXVmF/iCKDQjC3jqCSn8LnuNET83BFpqXXtLtB06Bc4jfStz88TNVgy2l07eLeuOFt EPoQ6PE99SQd0l6as8YcF/KrTdkobw8qWDd5h9cf7dX523tSt2+c1HNSIUv7x06PmOTq dPWzY4HKsnVBYg9lxlHaDiqBFMLpRF4wadsJ0qSuJ19oVKHf80XOJuPDmWU57urZCpnt t/aPySuhrCpVeNC+M0QAuBaHwXT4bG966MiAkCPuxtMEg3V456Uwy5dd4I4HvzpGjH/p AfmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=9q7Les3w066ZMx0FowUAr68//RD7uCWbGUL3oCYOT/0=; b=RicoZZDWdLrR/m6ncaHduiMFLS6IWPSJkDgzqQLMdtlruinSCI6h6BzVNClp/GwJ8U YsGTBBO5xdcaDBV974OcO2KvbY0yDTWX7St1eu29W3ifz2wfOPAZ+GExutmpK58Hf3LC JXi2qgXbUYtj5BnDfK5Hve+ru7DkJ+4yplY2AfYMh5Sww4apSlErhFeV9XqNEieNDcD2 BiHSrFToXow+QgsZfspRlpSZpSJeyVtw2B8rQGoyXEVG7kktZuaGJ1wvTYR9Y16S44YX tEx/VoVBT+qaVllY8A7LX02QtXAxG29NmvwmYKonLFLqeD/hmLqkbCKGiadItkIlHQm5 7T3Q==
X-Gm-Message-State: ALoCoQny2Xw48Z7YrHUljMopXVOecoGCBS2N2yA30WSiWQVmkJi3EqrKwlVVls1wWOw+yqd+QgroPaCbaG5qz+9EKI5cfXoJzQ==
MIME-Version: 1.0
X-Received: by 10.182.16.233 with SMTP id j9mr32305862obd.9.1450295863909; Wed, 16 Dec 2015 11:57:43 -0800 (PST)
Received: by 10.76.82.41 with HTTP; Wed, 16 Dec 2015 11:57:43 -0800 (PST)
In-Reply-To: <CABcZeBO=MQTu2t+EGBn4m2LZt_DKtY3RggF-GcM0S=jAwXeSRw@mail.gmail.com>
References: <CABcZeBNR76DqPo0Mukf5L2G-WBSC+RCZKhVGqBZq=tJYfEHLUg@mail.gmail.com> <87twnibx5p.fsf@latte.josefsson.org> <CABcZeBO=MQTu2t+EGBn4m2LZt_DKtY3RggF-GcM0S=jAwXeSRw@mail.gmail.com>
Date: Wed, 16 Dec 2015 09:57:43 -1000
Message-ID: <CAFewVt7wL9bY0S6Rm2nJMgYbN-FwkEo66JQMm9Fq5k0LDdP9xA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Eric Rescorla <ekr@rtfm.com>, Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary=001a11c30aa2c9b46c052709512e
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_VWR9VvresDCwnMitjA36V2UnVo>
Cc: Simon Josefsson <simon@josefsson.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Data volume limits
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 19:57:46 -0000

Eric Rescorla <ekr@rtfm.com> wrote:

>
> I believe Watson provided one a while back at:
> https://www.ietf.org/mail-archive/web/tls/current/msg18240.html
>

So, if [2] is correct, then we can take Watson's 2^36 and multiply it by
2^17 to get 2^53 bytes as the limit? It seems so, since [2] claims that
they've improved the bounds by 2^17. Note that 3 out of 4 of the authors of
[2] are the same authors as [1], which is the paper that defined the
formula that the 2^36 number was calculated from.

Earlier (in another thread), we agreed that an implementation would not
send 2^48 or more records. A limit of 2^53 bytes would allow for 2^39
maximally-sized (16KB) records, which is not far off from the 2^48
theoretical maximum that the record sequence number allows. More
importantly, 2^53 == 10^15 == 1 petabyte == 1,000,000 gigabytes; I think we
can live with an upper limit of byte sent that is even much smaller than
that.

[1] https://eprint.iacr.org/2012/438.pdf
[2] https://eprint.iacr.org/2015/214.pdf

Therefore, I think we shouldn't add the rekeying mechanism as it is
unnecessary and it adds too much complexity. Also, the above limits apply
to AES-GCM but not ChaCha20-Poly1305. So, at the very least, we should
avoid the rekeying complexity for ChaCha20-Poly1305 and other AEADs that
don't need it. And, implementations that don't intend to send these giant
quantities of data, even with AES-GCM, shouldn't be required, implicitly or
explicitly, to implement the rekeying.

Cheers,
Brian
-- 
https://briansmith.org/