Re: [TLS] Data volume limits

Henrick Wibell Hellström <henrick@streamsec.se> Fri, 01 January 2016 12:52 UTC

Return-Path: <henrick@streamsec.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBC741A8746 for <tls@ietfa.amsl.com>; Fri, 1 Jan 2016 04:52:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.05
X-Spam-Level:
X-Spam-Status: No, score=-0.05 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qM2lzPkipqzA for <tls@ietfa.amsl.com>; Fri, 1 Jan 2016 04:52:45 -0800 (PST)
Received: from vsp6.ballou.se (vsp6.ballou.se [91.189.40.85]) by ietfa.amsl.com (Postfix) with SMTP id C531C1A8745 for <tls@ietf.org>; Fri, 1 Jan 2016 04:52:44 -0800 (PST)
X-Halon-ID: 8b2c91d2-b086-11e5-a7a4-00505692585a
X-Halon-Scanned: 7f4a955dd6f4c149d51110a345668da22aa82d04
Received: from nmail1.ballou.se (unknown [10.0.0.116]) by vsp6.ballou.se (Halon Mail Gateway) with ESMTP for <tls@ietf.org>; Fri, 1 Jan 2016 13:52:41 +0100 (CET)
Received: from [192.168.0.187] (unknown [92.39.33.245]) (Authenticated sender: henrick@streamsec.se) by nmail1.ballou.se (Postfix) with ESMTPSA id 98E49C9378 for <tls@ietf.org>; Fri, 1 Jan 2016 13:52:40 +0100 (CET)
To: tls@ietf.org
References: <r422Ps-10112i-A7598D6B042F444AA21AABEA3552ADF5@Williams-MacBook-Pro.local> <1575673.4lLVr77Sve@pintsize.usersys.redhat.com> <CABcZeBP4NJDAp_jJgQ0R4-zRgNYBYno4GWkwnJz61fO7T1YX2w@mail.gmail.com>
From: =?UTF-8?Q?Henrick_Wibell_Hellstr=c3=b6m?= <henrick@streamsec.se>
Message-ID: <568676E8.6090802@streamsec.se>
Date: Fri, 1 Jan 2016 13:54:00 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBP4NJDAp_jJgQ0R4-zRgNYBYno4GWkwnJz61fO7T1YX2w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------020503050403080703060407"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/bG2mCFmOfh_0Ax7on9-ym_tpiyM>
Subject: Re: [TLS] Data volume limits
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jan 2016 12:52:48 -0000

I think it is a good idea to rekey AES-GCM after approximately 2^32 
records, give or take a few magnitudes.

The question for me isn't whether AES-GCM requires frequent rekeying (it 
does), but exactly how much complexity the rekeying mechanism would add, 
to the protocol and to implementations.



On 2015-12-28 20:54, Eric Rescorla wrote:
> Scott, Henrick,
>
> Are you persuaded by Watson's analysis?
>
> Thanks,
> -Ekr
>
>
>
>
> On Mon, Dec 21, 2015 at 7:41 AM, Hubert Kario <hkario@redhat.com 
> <mailto:hkario@redhat.com>> wrote:
>
>     On Tuesday 15 December 2015 20:01:58 Bill Frantz wrote:
>     > So we have to trade off the risks of too much data vs. the risks
>     > of a complex rekey protocol vs. the risks having the big data
>     > applications build new connections every 2**36 or so bytes.
>     >
>     > If we don't have rekeying, then the big data applications are
>     > the only ones at risk. If we do, it may be a wedge which can
>     > compromise all users.
>
>     if the rekey doesn't allow the application to change authentication
>     tokens (as it now stands), then rekey is much more secure than
>     renegotiation was in TLS <= 1.2
>
>     so if we include rekeying in TLS, I'd suggest to set its limit to
>     something fairly low for dig data transfers, that is gigabytes, not
>     terabytes, otherwise we'll be introducing code that is simply not
>     tested
>     for interoperability
>
>     (with AES-NI you can easily transfer gigabytes in just few minutes)
>     --
>     Regards,
>     Hubert Kario
>     Senior Quality Engineer, QE BaseOS Security team
>     Web: www.cz.redhat.com <http://www.cz.redhat.com>
>     Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
>     _______________________________________________
>     TLS mailing list
>     TLS@ietf.org <mailto:TLS@ietf.org>
>     https://www.ietf.org/mailman/listinfo/tls
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls