IETF Logo Mail Archive

Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Tue, 12 July 2016 17:04 UTC

Return-Path: <quynh.dang@nist.gov>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A6C712D56F for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 10:04:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Soyao5Ux6lME for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 10:04:55 -0700 (PDT)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0100.outbound.protection.outlook.com [23.103.201.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EAB212D1B7 for <tls@ietf.org>; Tue, 12 Jul 2016 10:04:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=xuEfVOQtr0oOEHhqvRU0DTw9GszWRI+6QURiFJr4GKk=; b=Yq7mu8qy0Xk6uKb2NL+SJbPv8C14gStS+COnXbIuYiOzb9borxS+lpZRr8WhmnzM30ZibjHb4FGgzRFeYs5RGFijTZJh0SX/GbwKDl2RKbQzrM7G0A+zzjJdwtclmbopHTQkc+3MLw0m3AEQ1XBi3BLUS4aVwPd7CYz4VoBRpNs=
Received: from BN1PR09MB0171.namprd09.prod.outlook.com (10.255.192.149) by BN1PR09MB0171.namprd09.prod.outlook.com (10.255.192.149) with Microsoft SMTP Server (TLS) id 15.1.534.14; Tue, 12 Jul 2016 17:04:53 +0000
Received: from BN1PR09MB0171.namprd09.prod.outlook.com ([10.255.192.149]) by BN1PR09MB0171.namprd09.prod.outlook.com ([10.255.192.149]) with mapi id 15.01.0534.023; Tue, 12 Jul 2016 17:04:52 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, "Dang, Quynh (Fed)" <quynh.dang@nist.gov>, Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] New draft: draft-ietf-tls-tls13-14.txt
Thread-Index: AQHR26erSXFdspEwbEKLZA1rqxpGgqAUgWIAgABTxYD//9AKAIAATFUAgAANRgD//8XVgA==
Date: Tue, 12 Jul 2016 17:04:52 +0000
Message-ID: <D3AA9B01.27B9F%qdang@nist.gov>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <D3AA5BD6.27AC0%qdang@nist.gov> <D3AAB674.709EA%kenny.paterson@rhul.ac.uk> <D3AA7549.27B09%qdang@nist.gov> <d1f35d74e93b4067bf17f587b904ebff@XCH-RTP-006.cisco.com> <D3AAD721.70A11%kenny.paterson@rhul.ac.uk>
In-Reply-To: <D3AAD721.70A11%kenny.paterson@rhul.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.3.160329
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.105.150]
x-ms-office365-filtering-correlation-id: ea7e8c3f-7c27-4947-10d7-08d3aa76a454
x-microsoft-exchange-diagnostics: 1; BN1PR09MB0171; 6:PTi6UXt25cjtS1lZoO+dgSMv41Ujq8n4C5t4oOxIOemduCeqolL6GGCSZt1jWIEKvHQEWNK36ANe8oVzhaJKba6ZO2KVHiWaEWHi9MMdaQTW4mvOpoJKg5cwXY3eZS16yR6IvQNeraVBgBVrYr5e2MXBgSDGIp72ubkoSJD0ppznNm7TjJ+fc8OMS7YfcRbclGNaoT3WSgudEke4dbOuyNYCHHoSOQUiI98v2Lac+GHsE6RtxBpfXtAXO4v6BdV/4OhDJlrfEPyDVjlihKKMsbbE2m/zwDMA3wdYAVvOIg0xPxU2lUSD+UM6MpjTTe+4lzQRk/kj2Rjsu5Vvi46+Fw==; 5:yKpNxWPwg00b3NS4wAYNLgLgfP5LeLsVcnL9+kFhMhCBAPvDjMHEZ/wPeBVl3c4wXqsf0YfyP6KwCXhFe1YUSuChSH6oSZGEG/p7idlFrDKBZvZ8pcltmdoTV7ZishcQEFRM/oGiq7i4fVJbsBhHyg==; 24:f7R7OMx662n++ztXRuKIa9W+Wdf7KW8OCqijs5hGzsJZI07zP4FYyvD6RPbS6qKWy4wVugXX/PNEbGsKzPrDPFg/dyFgOqhIudDVj/5mCzA=; 7:B3oz9ik0VPsh8kQ8Yw8Yxl6b89oKh5XsRByj16fU3O0XhfhU723ll9/ue9YiBLJ9jEv1yI/q+3WaCofEYogjHkZn2cQ819ohHuyWimB2cqVZi4QhPbVPdOTkdad31qBpmqhSon4DzFEjq0s/5hZWxBy0eN+QFRDu1moDXI8oUELTp+isXpHpZ4Y4yHd4o/hsBTY44Rl3K5Rq383Gr8iPAr1vgBJggmS8Ia5HbyHu6qRJPbKYTKG0vuzkEYySMkMx
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN1PR09MB0171;
x-microsoft-antispam-prvs: <BN1PR09MB01717DA87D57F6E250A56C93F3300@BN1PR09MB0171.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(192374486261705)(788757137089)(95692535739014);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026); SRVR:BN1PR09MB0171; BCL:0; PCL:0; RULEID:; SRVR:BN1PR09MB0171;
x-forefront-prvs: 0001227049
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(13464003)(199003)(377454003)(189002)(24454002)(55674003)(8936002)(3280700002)(36756003)(87936001)(10400500002)(97736004)(83506001)(230783001)(66066001)(3660700001)(8676002)(19580405001)(2906002)(86362001)(81166006)(81156014)(105586002)(99286002)(106116001)(106356001)(7846002)(2950100001)(68736007)(2900100001)(107886002)(305945005)(7736002)(19580395003)(189998001)(50986999)(54356999)(76176999)(2501003)(101416001)(586003)(92566002)(5001770100001)(102836003)(122556002)(3846002)(5002640100001)(93886004)(6116002)(77096005)(15975445007)(4001350100001)(8666005)(7059030); DIR:OUT; SFP:1102; SCL:1; SRVR:BN1PR09MB0171; H:BN1PR09MB0171.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="euc-kr"
Content-ID: <61A52039933E6D4EA1F402FDE4EF707F@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jul 2016 17:04:52.4986 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1PR09MB0171
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ghUvyKSCSzp9ZrbO7qNj9ThuCV8>
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 17:04:58 -0000

Hi Kenny, 

On 7/12/16, 12:33 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> wrote:

>Unfortunately, that's not quite the right interpretation. The bounds one
>obtains depend on both the total amount of data encrypted AND the number
>of encryption queries the adversary is allowed to make to AES-GCM under
>the (single) target key.
>
>We assumed each record was 2^14 bytes in size to simplify the ensuing
>analysis, and to enable us to focus on how the security bounds then depend
>on the number of records encrypted. See equation (5) and Table 2 in the
>note at 
>
>	http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf.
>
>In short, the security bound does not necessarily hold for ANY 2^52
>encrypted data bytes. For example, if the attacker encrypted 2^52 records
>of size 1 (!) then equation (5) would tell us almost nothing useful at all
>about security.
>
>Finally, you write "to come to the 2^38 record limit, they assume that
>each record is the maximum 2^14 bytes". For clarity, we did not recommend
>a limit of 2^38 records. That's Quynh's preferred number, and is
>unsupported by our analysis.

What is problem with my suggestion even with the record size being the
maximum value?


>
>Cheers,
>
>Kenny

Regards,
Quynh. 
> 
>
>
>On 12/07/2016 16:45, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
>wrote:
>
>>Actually, a more correct way of viewing the limit would be 2^52 encrypted
>>data bytes. To come to the 2^38 record limit, they assume that each
>>record is the maximum 2^14 bytes.  Of course, at a 1Gbps rate, it'd take
>>over a year to encrypt that much data...
>>
>>> -----Original Message-----
>>> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Dang, Quynh (Fed)
>>> Sent: Tuesday, July 12, 2016 11:12 AM
>>> To: Paterson, Kenny; Dang, Quynh (Fed); Eric Rescorla; tls@ietf.org
>>> Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
>>> 
>>> Hi Kenny,
>>> 
>>> The indistinguishability-based security notion in the paper is a
>>>stronger
>>> security notion than the (old) traditional confidentiality notion.
>>> 
>>> 
>>> (*) Indistinguishability notion (framework) guarantees no other attacks
>>>can
>>> be better than the indistinguishability bound. Intuitively, you can¹t
>>>attack if
>>> you can¹t even tell two things are different or not. So, being able to
>>>say two
>>> things are different or not is the minimal condition to lead to any
>>>attack.
>>> 
>>> The traditional confidentiality definition is that knowing only the
>>>ciphertexts,
>>> the attacker can¹t know any content of the corresponding plaintexts
>>>with a
>>> greater probability than some value and this value depends on the
>>>particular
>>> cipher. Of course, the maximum amount of data must not be more than
>>> some limit under a given key which also depends on the cipher.
>>> 
>>> For example, with counter mode AES_128, Let¹s say encrypting 2^70 input
>>> blocks with a single key. With the 2^70 ciphertext blocks alone (each
>>>block is
>>> 128 bits), I don¹t think one can find out any content of any of the
>>>plaintexts.
>>> The chance for knowing any block of the plaintexts is
>>> 1/(2^128) in this case.
>>> 
>>> I support the strongest indistinguishability notion mentioned in (*)
>>>above,
>>> but in my opinion we should provide good description to the users.
>>> That is why I support the limit around 2^38 records.
>>> 
>>> Regards,
>>> Quynh.
>>> 
>>> On 7/12/16, 10:03 AM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
>>> wrote:
>>> 
>>> >Hi Quynh,
>>> >
>>> >This indistinguishability-based security notion is the confidentiality
>>> >notion that is by now generally accepted in the crypto community.
>>> >Meeting it is sufficient to guarantee security against many other
>>>forms
>>> >of attack on confidentiality, which is one of the main reasons we use
>>>it.
>>> >
>>> >You say that an attack in the sense implied by breaking this notion
>>> >does not break confidentiality. Can you explain what you mean by
>>> >"confidentiality", in a precise way? I can then try to tell you
>>>whether
>>> >this notion will imply yours.
>>> >
>>> >Regards
>>> >
>>> >Kenny
>>> >
>>> >On 12/07/2016 14:04, "TLS on behalf of Dang, Quynh (Fed)"
>>> ><tls-bounces@ietf.org on behalf of quynh.dang@nist.gov> wrote:
>>> >
>>> >>Hi Eric and all,
>>> >>
>>> >>
>>> >>In my opinion, we should give better information about data limit for
>>> >>AES_GCM in TLS 1.3 instead of what is current in the draft 14.
>>> >>
>>> >>
>>> >>In this paper: http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf,  what
>>> >>is called confidentiality attack is the known plaintext
>>> >>differentiality attack where  the attacker has/chooses two
>>>plaintexts,
>>> >>send them to the AES-encryption oracle.  The oracle encrypts one of
>>> >>them, then sends the ciphertext to the attacker.  After seeing the
>>> >>ciphertext, the attacker has some success probability of telling
>>>which
>>> >>plaintext  was encrypted and this success probability is in the
>>>column
>>> >>called ³Attack Success Probability² in Table 1.  This attack does not
>>> >>break confidentiality.
>>> >>
>>> >>
>>> >>If the attack above breaks one of security goal(s) of your individual
>>> >>system, then making success probability of that attack at 2^(-32) max
>>> >>is enough. In that case, the Max number of records is around 2^38.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>Regards,
>>> >>Quynh.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>Date: Monday, July 11, 2016 at 3:08 PM
>>> >>To: "tls@ietf.org" <tls@ietf.org>
>>> >>Subject: [TLS] New draft: draft-ietf-tls-tls13-14.txt
>>> >>
>>> >>
>>> >>
>>> >>Folks,
>>> >>
>>> >>
>>> >>I've just submitted draft-ietf-tls-tls13-14.txt and it should show up
>>> >>on the draft repository shortly. In the meantime you can find the
>>> >>editor's copy in the usual location at:
>>> >>
>>> >>
>>> >>  http://tlswg.github.io/tls13-spec/
>>> >>
>>> >>
>>> >>The major changes in this document are:
>>> >>
>>> >>
>>> >>* A big restructure to make it read better. I moved the Overview
>>> >>  to the beginning and then put the document in a more logical
>>> >>  order starting with the handshake and then the record and
>>> >>  alerts.
>>> >>
>>> >>
>>> >>* Totally rewrote the section which used to be called "Security
>>> >>  Analysis" and is now called "Overview of Security Properties".
>>> >>  This section is still kind of a hard hat area, so PRs welcome.
>>> >>  In particular, I know I need to beef up the citations for the
>>> >>  record layer section.
>>> >>
>>> >>
>>> >>* Removed the 0-RTT EncryptedExtensions and moved ticket_age
>>> >>  into the ClientHello. This quasi-reverts a change in -13 that
>>> >>  made implementation of 0-RTT kind of a pain.
>>> >>
>>> >>
>>> >>As usual, comments welcome.
>>> >>-Ekr
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>* Allow cookies to be longer (*)
>>> >>
>>> >>
>>> >>* Remove the "context" from EarlyDataIndication as it was undefined
>>> >>  and nobody used it (*)
>>> >>
>>> >>
>>> >>* Remove 0-RTT EncryptedExtensions and replace the ticket_age
>>> >>extension
>>> >>  with an obfuscated version. Also necessitates a change to
>>> >>  NewSessionTicket (*).
>>> >>
>>> >>
>>> >>* Move the downgrade sentinel to the end of ServerHello.Random
>>> >>  to accomodate tlsdate (*).
>>> >>
>>> >>
>>> >>* Define ecdsa_sha1 (*).
>>> >>
>>> >>
>>> >>* Allow resumption even after fatal alerts. This matches current
>>> >>  practice.
>>> >>
>>> >>
>>> >>* Remove non-closure warning alerts. Require treating unknown alerts
>>> >>as
>>> >>  fatal.
>>> >>
>>> >>
>>> >>* Make the rules for accepting 0-RTT less restrictive.
>>> >>
>>> >>
>>> >>* Clarify 0-RTT backward-compatibility rules.
>>> >>
>>> >>
>>> >>* Clarify how 0-RTT and PSK identities interact.
>>> >>
>>> >>
>>> >>* Add a section describing the data limits for each cipher.
>>> >>
>>> >>
>>> >>* Major editorial restructuring.
>>> >>
>>> >>
>>> >>* Replace the Security Analysis section with a WIP draft.
>>> >>
>>> >>
>>> >>(*) indicates changes to the wire protocol which may require
>>> >>implementations
>>> >>    to update.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >
>>> 
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email