Re: [TLS] Data volume limits

Brian Smith <brian@briansmith.org> Wed, 16 December 2015 00:00 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 018E51A87C9 for <tls@ietfa.amsl.com>; Tue, 15 Dec 2015 16:00:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xcMfniNoY-kn for <tls@ietfa.amsl.com>; Tue, 15 Dec 2015 16:00:45 -0800 (PST)
Received: from mail-oi0-x234.google.com (mail-oi0-x234.google.com [IPv6:2607:f8b0:4003:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A02961A6F3B for <tls@ietf.org>; Tue, 15 Dec 2015 16:00:45 -0800 (PST)
Received: by mail-oi0-x234.google.com with SMTP id i186so15394964oia.2 for <tls@ietf.org>; Tue, 15 Dec 2015 16:00:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4GGYIGkg3brKQvMjXPEcx0S5KfiCNajTwdliNq8FHVY=; b=n0bO6TAseW/x9AaJHr6ZfgSJcl23TNVEZgMgFmSs3QcROT/YNUrhNGVFlQN5biM0lN dy2jL0FDlu/mYLizfTGCLdu6Frz3RivgRF9ZA4MFItzv9LBDA/IBLDt2tYk+i7RDOuq/ WKPPir+1E8UAcDDiT4xpkHk8yoHAlPUPtmYdDCTRu31qnw6CABu5Zm+TqfaqaesMTOf2 g0vrO2s1XKyYxoOQK2bUOSSu1ZpCHagb5np5nDHxbL8w58uIKx7LtffBTbaV+Lxm/8NR rWbmQuuA6qjIqV4M+KbMX+17JN49GDn3d9K/7H/lUdt8bCPYgYbaCLbMkPV83LOwLU1M iBBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=4GGYIGkg3brKQvMjXPEcx0S5KfiCNajTwdliNq8FHVY=; b=KfqADL/urtmCfi1feCcDjymuHladPtGYTCcMyVSfMIuQrIB0GytRBLx/KNWM2ZHV+k btZdEjG1q/sxKqKhMLYNTgWvVnRPtNjcyEBjQOtaPNowUhaRgLrVHeKN1YLlxL+gOgHZ b67oTF8/YlYtG8N/EZeDaFuVxHUEssDEGMJ2pO5mGGIPYhd4M7d4zygWuFqw9vPA1eWz Xx3eEaAhv+ZE/k/t08w6L/eNIT/DtiZfunR0isySDL+K4mjZXNwDIXE4E61Afj+ZNX1k /XUtukL5JiDLhR6d9cd/x9nac1dfS2iZP5/zGaob7JpFcULc1WUr/b7gAgkzW6711Yut SyTw==
X-Gm-Message-State: ALoCoQkYMl1kMmGDNAylMJ5YPXEjE4W8qUQ8GM19JZvicl2t0bsDUMlSPP+Kqc3OsgOZ87NThxzFzkuK3cfIAX9XTvZczi/ZsQ==
MIME-Version: 1.0
X-Received: by 10.202.189.7 with SMTP id n7mr25557508oif.55.1450224044974; Tue, 15 Dec 2015 16:00:44 -0800 (PST)
Received: by 10.76.105.169 with HTTP; Tue, 15 Dec 2015 16:00:44 -0800 (PST)
In-Reply-To: <CACsn0ckSo-affRmsTZaodCJZsFisPygnhk9=OZuV0_9SVMbUxQ@mail.gmail.com>
References: <CABcZeBNR76DqPo0Mukf5L2G-WBSC+RCZKhVGqBZq=tJYfEHLUg@mail.gmail.com> <e007baa2f53249d49917e6023e578bc0@XCH-RTP-006.cisco.com> <CACsn0ckSo-affRmsTZaodCJZsFisPygnhk9=OZuV0_9SVMbUxQ@mail.gmail.com>
Date: Tue, 15 Dec 2015 14:00:44 -1000
Message-ID: <CAFewVt6RBJVSyJwODu78OL5HykuKt4AUhhx1XZ+qeWajd_-KxA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary=001a113d70320bbbc10526f89995
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_hoVaGFjIViRjx-HxBOhrlfGS4c>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Data volume limits
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 00:00:47 -0000

Watson Ladd <watsonbladd@gmail.com> wrote:

> The issue is the bounds in Iwata-Ohashai-Minematsu's paper, which show
> a quadratic confidentiality loss after a total volume sent. This is an
> exploitable issue.
>

Please explain in more detail how you got "2^36 bytes" for a nonce size of
96 bits from the Iwata-Ohashai-Minematsu paper [1].

[1] https://eprint.iacr.org/2012/438.pdf

Also, the Niwa-Ohashi-Minematsu-Iwata follow-up paper [2] change things in
any way? In particular, note that it concludes "The new security bounds
improve the security bounds in [11] by a factor of 2^17, and they show that
the security of GCM is actually close to what was originally claimed in
[17,18]."

A factor of 2^17 difference is pretty significant as far as this is
concerned, AFAICT.

[2] https://eprint.iacr.org/2015/214.pdf

Cheers,
Brian
--
https://briansmith.org/