Re: [TLS] Data volume limits

Henrick Hellström <henrick@streamsec.se> Wed, 16 December 2015 00:59 UTC

Return-Path: <henrick@streamsec.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83F321A011D for <tls@ietfa.amsl.com>; Tue, 15 Dec 2015 16:59:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.95
X-Spam-Level:
X-Spam-Status: No, score=-1.95 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QbXhy2wQkxa7 for <tls@ietfa.amsl.com>; Tue, 15 Dec 2015 16:59:40 -0800 (PST)
Received: from vsp2.ballou.se (vsp2.ballou.se [91.189.40.83]) by ietfa.amsl.com (Postfix) with SMTP id 8072B1A014F for <tls@ietf.org>; Tue, 15 Dec 2015 16:59:38 -0800 (PST)
X-Halon-ID: 470ae048-a390-11e5-976f-0050569222ec
X-Halon-Scanned: 7f4a955dd6f4c149d51110a345668da22aa82d04
Received: from nmail1.ballou.se (unknown [10.0.0.116]) by vsp2.ballou.se (Halon Mail Gateway) with ESMTP; Wed, 16 Dec 2015 01:59:36 +0100 (CET)
Received: from [192.168.0.190] (c-1ec0e555.06-134-73746f39.cust.bredbandsbolaget.se [85.229.192.30]) (Authenticated sender: henrick@streamsec.se) by nmail1.ballou.se (Postfix) with ESMTPSA id E4ABEC9378; Wed, 16 Dec 2015 01:59:35 +0100 (CET)
References: <CABcZeBNR76DqPo0Mukf5L2G-WBSC+RCZKhVGqBZq=tJYfEHLUg@mail.gmail.com> <e007baa2f53249d49917e6023e578bc0@XCH-RTP-006.cisco.com> <CACsn0ckSo-affRmsTZaodCJZsFisPygnhk9=OZuV0_9SVMbUxQ@mail.gmail.com> <6674a4ec51fe4e158929bf429260d6ea@XCH-RTP-006.cisco.com> <CABcZeBNSHGGwM41c9QS0G-pnsEkuyA-q6FMhMgv2NQBDmwWwqA@mail.gmail.com> <5670AB96.9000602@streamsec.se> <CACsn0c=FyAn+EqmLTpQj=4U4RckCZFokhc8FLQhvJ1YDVs+aVQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
From: Henrick Hellström <henrick@streamsec.se>
Message-ID: <5670B774.5050605@streamsec.se>
Date: Wed, 16 Dec 2015 01:59:32 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <CACsn0c=FyAn+EqmLTpQj=4U4RckCZFokhc8FLQhvJ1YDVs+aVQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_yMssat99-0xe70qSkJW3vn1cb4>
Cc: tls@ietf.org
Subject: Re: [TLS] Data volume limits
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: henrick@streamsec.se
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 00:59:42 -0000

On 2015-12-16 01:31, Watson Ladd wrote:
> You don't understand the issue. The issue is PRP not colliding, whereas
> PRF can.

Oh, but I concur. This means that if you observe two same-valued 
ciphertext blocks, you know that the corresponding keystream blocks can't 
be identical, and deduce that the corresponding plaintext blocks have to 
be different. Such observations consequently leak information about the 
plaintext, in the rare and unlikely event they actually occur.

However, calling it an exploitable weakness is a bit of a stretch. 
AES-CBC is likely to lose confidentiality slightly faster, for typical 
plaintexts.
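The PRP-versus-PRF point above, as an added worked example that is not code from 
this thread or from any of its participants. It shrinks the block to 16 bits so 
that the birthday-bound effects show up after a few thousand blocks instead of 
around 2^64; the PRF is a truncated SHA-256, the PRP is a 4-round Feistel network 
built on that PRF (any Feistel network is a bijection, whatever its round 
function), and the key and the repetitive plaintext are constructed for the 
demonstration. Running it shows (a) a full-domain PRP keystream has zero repeated 
blocks while a PRF keystream has many, (b) with the PRP, every pair of equal 
ciphertext blocks really does have distinct plaintext blocks, so the passive 
observer's deduction is always right, and (c) with a PRF the same deduction is 
sometimes wrong. The last function gives the birthday estimate for real AES 
(128-bit blocks) at 2^32 blocks, which is why the event is "rare and unlikely".

```python
"""Toy CTR mode driven by a PRP versus a PRF (added example, not from the thread).

BLOCK_BITS is 16 so collisions are observable; with AES the same reasoning
applies at 128 bits.  KEY and PLAINTEXT are constructed demo inputs.
"""
import hashlib
from collections import defaultdict
from itertools import combinations

BLOCK_BITS = 16
HALF_BITS = BLOCK_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1


def prf(key: bytes, x: int, out_bits: int = BLOCK_BITS) -> int:
    """Keyed pseudorandom *function*: SHA-256(key || x) truncated to out_bits.

    A random function may send two distinct inputs to the same output."""
    digest = hashlib.sha256(key + x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << out_bits) - 1)


def prp(key: bytes, x: int, rounds: int = 4) -> int:
    """Keyed pseudorandom *permutation* on BLOCK_BITS-bit blocks.

    A Feistel network with prf() as round function (per-round key = key || r).
    Each round (L, R) -> (R, L xor F(R)) is invertible, so the whole map is a
    bijection: distinct counter blocks can never give the same keystream block."""
    left, right = x >> HALF_BITS, x & HALF_MASK
    for r in range(rounds):
        f = prf(key + bytes([r]), right, HALF_BITS)
        left, right = right, left ^ f
    return (left << HALF_BITS) | right


def ctr_keystream(key: bytes, nblocks: int, block_fn) -> list:
    """CTR keystream: block_fn applied to counters 0, 1, 2, ..."""
    return [block_fn(key, ctr) for ctr in range(nblocks)]


def ctr_encrypt(key: bytes, plaintext: list, block_fn) -> list:
    ks = ctr_keystream(key, len(plaintext), block_fn)
    return [p ^ k for p, k in zip(plaintext, ks)]


def keystream_collisions(key: bytes, nblocks: int, block_fn) -> int:
    """Number of keystream blocks that repeat an earlier one."""
    ks = ctr_keystream(key, nblocks, block_fn)
    return nblocks - len(set(ks))


def equal_ciphertext_pairs(ciphertext: list) -> list:
    """All index pairs (i, j) with C_i == C_j: the only thing a passive observer sees."""
    positions = defaultdict(list)
    for i, c in enumerate(ciphertext):
        positions[c].append(i)
    return [pair for idxs in positions.values() for pair in combinations(idxs, 2)]


def observer_inference(key: bytes, plaintext: list, block_fn) -> tuple:
    """Returns (equal-ciphertext pairs, pairs where 'P_i != P_j' would be a wrong deduction).

    With a PRP keystream the second number is provably 0: C_i == C_j means
    K_i xor K_j == P_i xor P_j, and K_i != K_j, hence P_i != P_j."""
    ct = ctr_encrypt(key, plaintext, block_fn)
    pairs = equal_ciphertext_pairs(ct)
    wrong = sum(1 for i, j in pairs if plaintext[i] == plaintext[j])
    return len(pairs), wrong


def expected_prf_collisions(nblocks: int, block_bits: int) -> float:
    """Birthday estimate of repeated keystream blocks for a PRF: C(n, 2) / 2^b."""
    return nblocks * (nblocks - 1) / 2 / 2 ** block_bits


KEY = b"constructed-demo-key"                  # constructed, not a real key
PLAINTEXT = [i & 1 for i in range(8192)]      # constructed, highly repetitive


if __name__ == "__main__":
    n = 1 << BLOCK_BITS
    print("full-domain keystream collisions  PRP:", keystream_collisions(KEY, n, prp),
          " PRF:", keystream_collisions(KEY, n, prf))
    for name, fn in (("PRP", prp), ("PRF", prf)):
        pairs, wrong = observer_inference(KEY, PLAINTEXT, fn)
        print(f"{name}: {pairs} equal-ciphertext pairs, deduction wrong for {wrong}")
    print("expected AES-CTR keystream repeats at 2^32 blocks:",
          expected_prf_collisions(2 ** 32, 128))
```

The interesting number is the last one: for a PRF at 128-bit blocks the expected 
number of repeated keystream blocks after 2^32 blocks is about 2^-65, so the 
distinguishing event is only a practical concern at data volumes near 2^64 
blocks; the toy parameters just make the same effect visible on a laptop.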