Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Colm MacCárthaigh <colm@allcosts.net> Fri, 15 December 2017 01:05 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6B5A126DFF for <tls@ietfa.amsl.com>; Thu, 14 Dec 2017 17:05:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XL19qLKKS2Vk for <tls@ietfa.amsl.com>; Thu, 14 Dec 2017 17:05:39 -0800 (PST)
Received: from mail-yb0-x231.google.com (mail-yb0-x231.google.com [IPv6:2607:f8b0:4002:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AFEB1200F3 for <tls@ietf.org>; Thu, 14 Dec 2017 17:05:39 -0800 (PST)
Received: by mail-yb0-x231.google.com with SMTP id 69so4954453ybc.6 for <tls@ietf.org>; Thu, 14 Dec 2017 17:05:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=IjJcDs/Zgf0s4/2c0yX19oldStZzb0QLdHgwOc/sZOA=; b=WQldgwI6I3BBG1knr+C9yb6H7rKj9AgnIOjbvN8d2yTyKTqhPhW4MXwL3eoV2ATf9P TK96ROlzRaiFnyn6SbVqxr6LLd0mmRwnuFAmSFJW+rS2stqKWAcUiZ2EvSOmf0vVrY9k wfUmz8cmmMI8Oiu+O01isrklTb7eY1mp2bWM3wPxW2ktaTnW66+xagk8ZC1RMsxBewEL JxJV3Iz/6cqV4leEi7cIzFksACIh8fJNqJjjjAiEv7ja9+McA5Ot4SniYgpvsmtEwuRY IbPiMc+IZuILb8DcFr5OdrVaz3FyyIMQ7HnP3TQHqfVvkAkx3fDR3yvQ0n+S1kzGQSZd vljA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=IjJcDs/Zgf0s4/2c0yX19oldStZzb0QLdHgwOc/sZOA=; b=Nh6KQMDYV4zXtEAP0gYt6UuMxp60A/pVT5N+oJvgl3Na6mSGt3RR2xPQHumsHrymR3 rKPfDFt3bsosTKg0HNholfbjyNBgi4MTP0PLV77kYRge+mkCmDB1E349FvbyaxolRUot MJgH80B7ZhpGbfHgo18A1upKYwv2dr53NTqmjEij+XJqpDOFtWUqPH7bTDfnbbak+Hk2 zzSl+ITl8qlzv60qyfmpN7APBMnozxqsO6q5ERk9t+HzVb1kUcVROH/qDCWDa1BrA2CV e7um057j41dwhOHCp+2NxndYuXUyAy+1TcTNEXZlI2vR4Thjwtt3KP1LMQvbhVxrwjfs LFhg==
X-Gm-Message-State: AKGB3mIt5u6RMjYCcTkhBR0xIGVtepdojbASA7NfcxgkrCq/T5aoWrFf e9QypSmqtON5kpVz5Mf8dGGlbd7CU3CbGEl77dw50w==
X-Google-Smtp-Source: ACJfBosRGLwZvwmgt7Zc2pqSCbZzQRLLN+iM82R9gdCjxog1rx25j0Ar/Rgg4vUG9i5MJfYGJddNeScax61wYvnuTIY=
X-Received: by 10.129.138.67 with SMTP id a64mr5853862ywg.35.1513299938369; Thu, 14 Dec 2017 17:05:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.50.70 with HTTP; Thu, 14 Dec 2017 17:05:37 -0800 (PST)
In-Reply-To: <20171215020116.04f9ae15@pc1>
References: <CAAF6GDeeo2xjv1Xu7SFXVZ_zM=XUVJHT=eqH4_-G3+4UHsfvgg@mail.gmail.com> <CACsn0cmMbbT1iAfmxnXHe00dNiqBMyoNkk7e2CyTKWrcdRTtcQ@mail.gmail.com> <CAAF6GDf+GxToBAN83O3NtLO4zJ-8Qax8KjMCGhXv_EhY+NDsKg@mail.gmail.com> <20171215020116.04f9ae15@pc1>
From: =?UTF-8?Q?Colm_MacC=C3=A1rthaigh?= <colm@allcosts.net>
Date: Thu, 14 Dec 2017 17:05:37 -0800
Message-ID: <CAAF6GDe79w9XH1GrGvvR-+=uEKfi6GczacUX3Jhy0dL_zW67-Q@mail.gmail.com>
To: =?UTF-8?Q?Hanno_B=C3=B6ck?= <hanno@hboeck.de>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1148a7a643fa3005605699c4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iJEfoAwny0Fq9eo048HWg7m2CU4>
Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2017 01:05:41 -0000

On Thu, Dec 14, 2017 at 5:01 PM, Hanno Böck <hanno@hboeck.de>; wrote:

> On Thu, 14 Dec 2017 16:45:57 -0800
> Colm MacCárthaigh <colm@allcosts.net>; wrote:
>
> > But what would that look like? What would we do now, in advance, to
> > make it easy to turn off AES? For example.
>
> I think this is the wrong way to look at it.
>
> From what I'm aware nobody is really concerned about the security of
> AES. I don't think that there's any need to prepare for turning off AES.
>

Well, DJB is a notable concerned critic of AES and its safety in some
respects ... but I was using AES as kind of a worst-case scenario since so
many things do depend on it and it's especially hard to leave. I'm not
aware of some ground-breaking cryptanalysis :) But I do think the question
is worth having an answer for. I think we *do* need to prepare for turning
off AES, there's always a chance we might have to.

-- 
Colm