Re: [TLS] [Cfrg] Data limit to achieve Indifferentiability for ciphertext with TLS 1.3 GCM, and the 2nd paragraph of Section 5.5
"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Mon, 14 November 2016 02:54 UTC
Return-Path: <quynh.dang@nist.gov>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 489AB1296B1; Sun, 13 Nov 2016 18:54:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S4ITqqnb1IiH; Sun, 13 Nov 2016 18:54:27 -0800 (PST)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0090.outbound.protection.outlook.com [23.103.201.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1D3C1295F0; Sun, 13 Nov 2016 18:54:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=xf9nFAzTZyLt08Blf+25f4TBUcIVT4/pRSGQYmC8+qQ=; b=QrznycJ1nPCNxZk/oXK0Kr6ajQFQ/Fkes/DH29087k9phV4ryUCOHFR/t0/sjQfQ3ZTi0BNqT7HunLy79Iy+cMFSqzoT94pMw4bHZhNGXeq8daaeMHFTEF//5KXQhuATijGAd90F3w4xquBeqxY7nPOMfXyjXgAfkSNAdBjzeNU=
Received: from DM5PR09MB1467.namprd09.prod.outlook.com (10.173.171.21) by DM5PR09MB1467.namprd09.prod.outlook.com (10.173.171.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.721.10; Mon, 14 Nov 2016 02:54:24 +0000
Received: from DM5PR09MB1467.namprd09.prod.outlook.com ([10.173.171.21]) by DM5PR09MB1467.namprd09.prod.outlook.com ([10.173.171.21]) with mapi id 15.01.0721.015; Mon, 14 Nov 2016 02:54:24 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Martin Thomson <martin.thomson@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [Cfrg] Data limit to achieve Indifferentiability for ciphertext with TLS 1.3 GCM, and the 2nd paragraph of Section 5.5
Thread-Index: AQHSPe67hB6sb8v2EES9vmvjfbAsXqDXlqSAgAAv0JU=
Date: Mon, 14 Nov 2016 02:54:23 +0000
Message-ID: <DM5PR09MB14673CCBCDC107D5912F8669F3BC0@DM5PR09MB1467.namprd09.prod.outlook.com>
References: <DM5PR09MB1467742B07519F09EE8FA0B2F3BD0@DM5PR09MB1467.namprd09.prod.outlook.com>, <CABkgnnVS5rTnoGHs1fxAy2eBrCKerZbQmLNzzrhKBm4eiHhceQ@mail.gmail.com>
In-Reply-To: <CABkgnnVS5rTnoGHs1fxAy2eBrCKerZbQmLNzzrhKBm4eiHhceQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2001:67c:370:128:65c1:ac62:aa5c:bc5b]
x-microsoft-exchange-diagnostics: 1; DM5PR09MB1467; 7:R+9LPTJF77aW0idylmwUdjNml//Q91DwGrU8+HtwOI6H0s81NCaZSt6Ek7/z5+bV0Z2bYAgfnkqIAhHtX0ucJAxTdAtsLtxym7BwZ71PKEotQCrwMFLdGeJ0fHiQ6jYVmMpE5wghun1c8ULrLdVRIxfghTzJp8hTyepjaIA9XD2OwUo+4Yo3T07HbWTlW7JHRkMHOymgdL7TBqRfJmAQbfugBe8WFyutuWeG9bafoFphFW34jxmNPlSQC3Ts1Cmmm5KhcK2bbdT91SA/9QIRKMKpB28ILlnl+vHuoMQoP0oMxCHgS7PBnMH+ESm1xpIvU8iBJiTDrgD+sX99HOsn+A0fgTWdnatDM0MTECv0x6s=
x-ms-office365-filtering-correlation-id: 1489a721-5f84-42a0-96fe-08d40c398a7b
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DM5PR09MB1467;
x-microsoft-antispam-prvs: <DM5PR09MB1467B72F40FC423987DA0900F3BC0@DM5PR09MB1467.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6060314)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(6061309); SRVR:DM5PR09MB1467; BCL:0; PCL:0; RULEID:; SRVR:DM5PR09MB1467;
x-forefront-prvs: 0126A32F74
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(336003)(199003)(24454002)(377454003)(189002)(76576001)(6606003)(87936001)(586003)(102836003)(2900100001)(81156014)(68736007)(81166006)(33656002)(6116002)(92566002)(54356999)(5660300001)(9686002)(76176999)(101416001)(77096005)(7696004)(50986999)(8936002)(4326007)(229853002)(2906002)(122556002)(2950100002)(106356001)(99286002)(106116001)(105586002)(3900700001)(19627405001)(8676002)(2501003)(3280700002)(74316002)(7846002)(189998001)(7906003)(7736002)(86362001)(3660700001)(5001770100001)(97736004); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR09MB1467; H:DM5PR09MB1467.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR09MB14673CCBCDC107D5912F8669F3BC0DM5PR09MB1467namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Nov 2016 02:54:23.9955 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR09MB1467
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gHbaf0hVP-elncAb1RbotyoSQGA>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [TLS] [Cfrg] Data limit to achieve Indifferentiability for ciphertext with TLS 1.3 GCM, and the 2nd paragraph of Section 5.5
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2016 02:54:29 -0000
Hi Martin, "very conservative" ? No. 1/2^32 and 1/2^57 are practically the same; they are both practically zero. By your argument, if somebody wants to be more "conservative" and uses the margin of 1/2^75 instead, then he/she would need to stop using GCM then. Rekeying too often than needed would just create more room for issues for the connection/session without gaining any additional practical security at all. Quynh. ________________________________ From: Martin Thomson <martin.thomson@gmail.com> Sent: Sunday, November 13, 2016 6:54 PM To: Dang, Quynh (Fed) Cc: ekr@rtfm.com; tls@ietf.org; cfrg@ietf.org Subject: Re: [Cfrg] Data limit to achieve Indifferentiability for ciphertext with TLS 1.3 GCM, and the 2nd paragraph of Section 5.5 These are intentionally very conservative. Having implemented this, I find it OK. The text cites its sources. Reading those sources corrects any misapprehension. The key point here is that we want to ensure that the initial - maybe uninformed - inferences need to be for the safe thing. We don't want to have the situation where we have looser text and that leads to mistakes. For instance, someone could deploy code that assumes a certain "average" record size based on a particular deployment and hence a larger limit. If the deployment characteristics change without the code changing we potentially have an issue. You really need to demonstrate that there is harm with the current text. if rekeying happens on that timescale (which is still very large), that's not harmful. I'm concerned that we aren't going to rekey often enough. I don't agree that it will create any negative perception of GCM. On 14 November 2016 at 05:48, Dang, Quynh (Fed) <quynh.dang@nist.gov> wrote: > Hi Eric and all, > > > Regardless of the actual record size, each 128-bit block encryption is > performed with a unique 128-bit counter which is formed by the 96-bit IV and > the 32-bit counter_block value called CB in NIST SP 800-38D under a given > key as long as the number of encrypted records is not more than 2^64. > > Assuming a user would like to limit the probability of a collision among > 128-bit ciphertext-blocks under 1/2^32, the data limit of the ciphertext ( > or plaintext) is 2^(96/2) (= 2^48) 128-bit blocks which is 2^64 bytes. > > Reading the 2nd paragraph of section 5.5, a user might feel that he/she > needs to rekey a lot more quicker than he/she needs. Putting an > unnecessarily low data limit of 2^24.5 full-size records (2^38.5 bytes) also > creates an incorrect negative impression (in my opinion) about GCM. > > I would like to request the working group to consider to revise the text. > > Regards, > Quynh. > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [TLS] Data limit to achieve Indifferentiability f… Dang, Quynh (Fed)
- Re: [TLS] [Cfrg] Data limit to achieve Indifferen… Martin Thomson
- Re: [TLS] [Cfrg] Data limit to achieve Indifferen… Dang, Quynh (Fed)
- Re: [TLS] [Cfrg] Data limit to achieve Indifferen… Ilari Liusvaara
- Re: [TLS] [Cfrg] Data limit to achieve Indifferen… Dang, Quynh (Fed)