Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Colm MacCárthaigh <> Fri, 15 December 2017 01:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D6B5A126DFF for <>; Thu, 14 Dec 2017 17:05:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XL19qLKKS2Vk for <>; Thu, 14 Dec 2017 17:05:39 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2AFEB1200F3 for <>; Thu, 14 Dec 2017 17:05:39 -0800 (PST)
Received: by with SMTP id 69so4954453ybc.6 for <>; Thu, 14 Dec 2017 17:05:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=IjJcDs/Zgf0s4/2c0yX19oldStZzb0QLdHgwOc/sZOA=; b=WQldgwI6I3BBG1knr+C9yb6H7rKj9AgnIOjbvN8d2yTyKTqhPhW4MXwL3eoV2ATf9P TK96ROlzRaiFnyn6SbVqxr6LLd0mmRwnuFAmSFJW+rS2stqKWAcUiZ2EvSOmf0vVrY9k wfUmz8cmmMI8Oiu+O01isrklTb7eY1mp2bWM3wPxW2ktaTnW66+xagk8ZC1RMsxBewEL JxJV3Iz/6cqV4leEi7cIzFksACIh8fJNqJjjjAiEv7ja9+McA5Ot4SniYgpvsmtEwuRY IbPiMc+IZuILb8DcFr5OdrVaz3FyyIMQ7HnP3TQHqfVvkAkx3fDR3yvQ0n+S1kzGQSZd vljA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=IjJcDs/Zgf0s4/2c0yX19oldStZzb0QLdHgwOc/sZOA=; b=Nh6KQMDYV4zXtEAP0gYt6UuMxp60A/pVT5N+oJvgl3Na6mSGt3RR2xPQHumsHrymR3 rKPfDFt3bsosTKg0HNholfbjyNBgi4MTP0PLV77kYRge+mkCmDB1E349FvbyaxolRUot MJgH80B7ZhpGbfHgo18A1upKYwv2dr53NTqmjEij+XJqpDOFtWUqPH7bTDfnbbak+Hk2 zzSl+ITl8qlzv60qyfmpN7APBMnozxqsO6q5ERk9t+HzVb1kUcVROH/qDCWDa1BrA2CV e7um057j41dwhOHCp+2NxndYuXUyAy+1TcTNEXZlI2vR4Thjwtt3KP1LMQvbhVxrwjfs LFhg==
X-Gm-Message-State: AKGB3mIt5u6RMjYCcTkhBR0xIGVtepdojbASA7NfcxgkrCq/T5aoWrFf e9QypSmqtON5kpVz5Mf8dGGlbd7CU3CbGEl77dw50w==
X-Google-Smtp-Source: ACJfBosRGLwZvwmgt7Zc2pqSCbZzQRLLN+iM82R9gdCjxog1rx25j0Ar/Rgg4vUG9i5MJfYGJddNeScax61wYvnuTIY=
X-Received: by with SMTP id a64mr5853862ywg.35.1513299938369; Thu, 14 Dec 2017 17:05:38 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Thu, 14 Dec 2017 17:05:37 -0800 (PST)
In-Reply-To: <20171215020116.04f9ae15@pc1>
References: <> <> <> <20171215020116.04f9ae15@pc1>
From: =?UTF-8?Q?Colm_MacC=C3=A1rthaigh?= <>
Date: Thu, 14 Dec 2017 17:05:37 -0800
Message-ID: <>
To: =?UTF-8?Q?Hanno_B=C3=B6ck?= <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="001a1148a7a643fa3005605699c4"
Archived-At: <>
Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Dec 2017 01:05:41 -0000

On Thu, Dec 14, 2017 at 5:01 PM, Hanno Böck <> wrote:

> On Thu, 14 Dec 2017 16:45:57 -0800
> Colm MacCárthaigh <> wrote:
> > But what would that look like? What would we do now, in advance, to
> > make it easy to turn off AES? For example.
> I think this is the wrong way to look at it.
> From what I'm aware nobody is really concerned about the security of
> AES. I don't think that there's any need to prepare for turning off AES.

Well, DJB is a notable concerned critic of AES and its safety in some
respects ... but I was using AES as kind of a worst-case scenario since so
many things do depend on it and it's especially hard to leave. I'm not
aware of some ground-breaking cryptanalysis :) But I do think the question
is worth having an answer for. I think we *do* need to prepare for turning
off AES, there's always a chance we might have to.