IETF Logo Mail Archive

Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Tue, 12 July 2016 17:57 UTC

Return-Path: <quynh.dang@nist.gov>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B7DB12D59F for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 10:57:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gRCuvY27FsvY for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 10:57:07 -0700 (PDT)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0127.outbound.protection.outlook.com [23.103.200.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D51312D5C6 for <tls@ietf.org>; Tue, 12 Jul 2016 10:57:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=LNIp4QL8AGXveTTQKoF4t1nOerzTjdTdEATTH1ezizY=; b=BwOvC7SQqnXxo732GUQrJ7YpjYJx/l36KeaB0Ia5+QoifmQt1vVhgFCjNx8lg/Ha4hVCL9A+JKYmIhrYBIMmc3Ri/+XtYXqTehTVJxrkxrywIH7NMp8565Wq9HlT1iN8JMQmNfji9Z+5+ZecKBifp/P61Q2eBcbs1z2cTw0yzyE=
Received: from BN1PR09MB0171.namprd09.prod.outlook.com (10.255.192.149) by BN1PR09MB0170.namprd09.prod.outlook.com (10.255.192.148) with Microsoft SMTP Server (TLS) id 15.1.534.14; Tue, 12 Jul 2016 17:57:04 +0000
Received: from BN1PR09MB0171.namprd09.prod.outlook.com ([10.255.192.149]) by BN1PR09MB0171.namprd09.prod.outlook.com ([10.255.192.149]) with mapi id 15.01.0534.023; Tue, 12 Jul 2016 17:57:03 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, "Dang, Quynh (Fed)" <quynh.dang@nist.gov>, Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] New draft: draft-ietf-tls-tls13-14.txt
Thread-Index: AQHR26erSXFdspEwbEKLZA1rqxpGgqAUgWIAgABTxYD//9AKAIAATFUAgAANRgD//9RqAA==
Date: Tue, 12 Jul 2016 17:57:03 +0000
Message-ID: <D3AA9E40.27BB4%qdang@nist.gov>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <D3AA5BD6.27AC0%qdang@nist.gov> <D3AAB674.709EA%kenny.paterson@rhul.ac.uk> <D3AA7549.27B09%qdang@nist.gov> <d1f35d74e93b4067bf17f587b904ebff@XCH-RTP-006.cisco.com> <D3AAD721.70A11%kenny.paterson@rhul.ac.uk>
In-Reply-To: <D3AAD721.70A11%kenny.paterson@rhul.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.3.160329
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.105.150]
x-ms-office365-filtering-correlation-id: 29646bf8-ab25-4695-5c4c-08d3aa7dee73
x-microsoft-exchange-diagnostics: 1; BN1PR09MB0170; 6:UVkWlkrO5tQaWv3GlS9vxXoP5o0XotvLzjk71tgw/QhDLSz5xGw1b+bls6ilammlrghHAVVAY7HtYPNu5gwikOYuQqenrHGKD4wIE0O6/AGf4FgHN5jMwtDMEO+6hnTd3l9izZr04uBhN4/rdawdERbyRRom+/WtjPAHxtXMkyCPxP99gjrhCgrmC6ukiJCefgBlhp3XIXsj7K5/JFYSFE40WTlXRsKKbUDz5yHxGihiC8YSqEGs6OodwMiv5fOPhJwn0hVqzybTKt3n8g6ThNMqYrk6yisQKrUz38X63sVdPQ0FXANNXdSqFGs2NXLWevoCEjRvIbyVn/SvaGC1Dw==; 5:dnqpoUnlytSDpqbQsZhSSZOQGwXJb74jbKp2KkcvRE4iEZQXMfHQeipzNouv/wb5cfFUADw2Pgt6j/03Tj1QepzK56cCWJut1DaF/2/FnxT5dpE4MVXPfiXYFFRnfxvHRvDhgmydpkhlcclPzQwWNA==; 24:5qPtJZ4QwvWkAWs59cVLA3Aqbu00VaffFkWed7AiVk/2T33odvtk+v5cz/nNNgFeLO5wIJpHnEBm2SrTuXOSJsD7yQKVOXoJx4cjAq0d1gg=; 7:4tTkE80JOvcekuMmbExnBEZ1j+IeJ0RSARpd4KQo5eN5FGtR4qbcU9KL/S6NXwi2NQgKk2dUbYolWL+gxgOxlu/7ENkk6zFPR62K1gkQFT9SXuxEZ4SYQUy/VGicAxhKmhAmuRvs9eQ4UEQuq4CfuIm5GXe9zcwiDGjrOh0zfKdRF5x4P5YYbZfGW1dk6v9ZYd+OTu9R/SycgbrttlncHxa3GwcpEuvjNuX6vWYC4omu5MdbNpFEeznvsb17+goa
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN1PR09MB0170;
x-microsoft-antispam-prvs: <BN1PR09MB017069FC355DFBD124CCAA1AF3300@BN1PR09MB0170.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(192374486261705)(788757137089)(95692535739014);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026); SRVR:BN1PR09MB0170; BCL:0; PCL:0; RULEID:; SRVR:BN1PR09MB0170;
x-forefront-prvs: 0001227049
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(13464003)(24454002)(377454003)(199003)(55674003)(189002)(3660700001)(19580395003)(54356999)(19580405001)(7846002)(7736002)(93886004)(2501003)(2906002)(305945005)(50986999)(106356001)(106116001)(76176999)(586003)(81156014)(81166006)(3280700002)(2900100001)(83506001)(2950100001)(101416001)(8666005)(36756003)(5001770100001)(92566002)(8676002)(122556002)(4001350100001)(3846002)(6116002)(102836003)(97736004)(68736007)(5002640100001)(107886002)(66066001)(189998001)(230783001)(15975445007)(10400500002)(87936001)(77096005)(99286002)(8936002)(86362001)(105586002)(7059030); DIR:OUT; SFP:1102; SCL:1; SRVR:BN1PR09MB0170; H:BN1PR09MB0171.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="euc-kr"
Content-ID: <37BEB1C71D26DB4BB337C8B04910F765@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jul 2016 17:57:03.5722 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1PR09MB0170
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jhRHoqaPqoM5xfqqbZQ4ucBeVPA>
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 17:57:10 -0000

Hi Kenny, 

On 7/12/16, 12:33 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> wrote:

>Unfortunately, that's not quite the right interpretation. The bounds one
>obtains depend on both the total amount of data encrypted AND the number
>of encryption queries the adversary is allowed to make to AES-GCM under
>the (single) target key.

My understanding is that the total is the data complexity limit (counting
block encryptions and queries which are also block encryptions). To be
more precise, then we should count data complexity by number of block
encryptions (encrypting 1 bit is 1 block encryption). But for large data
in TLS, encryption is pretty much with full blocks of plaintexts.

If the attacker has 2^10 encrypted blocks and  is allowed to query another
2^10 encryptions, then the total data is 2^20 because the total of 2^20
block encryptions happens. In TLS, it means that 2^20 AES block
encryptions happen.

>We assumed each record was 2^14 bytes in size to simplify the ensuing
>analysis, and to enable us to focus on how the security bounds then depend
>on the number of records encrypted. See equation (5) and Table 2 in the
>note at 
>
>	http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf.
>
>In short, the security bound does not necessarily hold for ANY 2^52
>encrypted data bytes. For example, if the attacker encrypted 2^52 records
>of size 1 (!) then equation (5) would tell us almost nothing useful at all
>about security.
>
>Finally, you write "to come to the 2^38 record limit, they assume that
>each record is the maximum 2^14 bytes". For clarity, we did not recommend
>a limit of 2^38 records. That's Quynh's preferred number, and is
>unsupported by our analysis.
>
>Cheers,
>
>Kenny

Regards,
Quynh. 














> 
>
>
>On 12/07/2016 16:45, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
>wrote:
>
>>Actually, a more correct way of viewing the limit would be 2^52 encrypted
>>data bytes. To come to the 2^38 record limit, they assume that each
>>record is the maximum 2^14 bytes.  Of course, at a 1Gbps rate, it'd take
>>over a year to encrypt that much data...
>>
>>> -----Original Message-----
>>> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Dang, Quynh (Fed)
>>> Sent: Tuesday, July 12, 2016 11:12 AM
>>> To: Paterson, Kenny; Dang, Quynh (Fed); Eric Rescorla; tls@ietf.org
>>> Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
>>> 
>>> Hi Kenny,
>>> 
>>> The indistinguishability-based security notion in the paper is a
>>>stronger
>>> security notion than the (old) traditional confidentiality notion.
>>> 
>>> 
>>> (*) Indistinguishability notion (framework) guarantees no other attacks
>>>can
>>> be better than the indistinguishability bound. Intuitively, you can¹t
>>>attack if
>>> you can¹t even tell two things are different or not. So, being able to
>>>say two
>>> things are different or not is the minimal condition to lead to any
>>>attack.
>>> 
>>> The traditional confidentiality definition is that knowing only the
>>>ciphertexts,
>>> the attacker can¹t know any content of the corresponding plaintexts
>>>with a
>>> greater probability than some value and this value depends on the
>>>particular
>>> cipher. Of course, the maximum amount of data must not be more than
>>> some limit under a given key which also depends on the cipher.
>>> 
>>> For example, with counter mode AES_128, Let¹s say encrypting 2^70 input
>>> blocks with a single key. With the 2^70 ciphertext blocks alone (each
>>>block is
>>> 128 bits), I don¹t think one can find out any content of any of the
>>>plaintexts.
>>> The chance for knowing any block of the plaintexts is
>>> 1/(2^128) in this case.
>>> 
>>> I support the strongest indistinguishability notion mentioned in (*)
>>>above,
>>> but in my opinion we should provide good description to the users.
>>> That is why I support the limit around 2^38 records.
>>> 
>>> Regards,
>>> Quynh.
>>> 
>>> On 7/12/16, 10:03 AM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
>>> wrote:
>>> 
>>> >Hi Quynh,
>>> >
>>> >This indistinguishability-based security notion is the confidentiality
>>> >notion that is by now generally accepted in the crypto community.
>>> >Meeting it is sufficient to guarantee security against many other
>>>forms
>>> >of attack on confidentiality, which is one of the main reasons we use
>>>it.
>>> >
>>> >You say that an attack in the sense implied by breaking this notion
>>> >does not break confidentiality. Can you explain what you mean by
>>> >"confidentiality", in a precise way? I can then try to tell you
>>>whether
>>> >this notion will imply yours.
>>> >
>>> >Regards
>>> >
>>> >Kenny
>>> >
>>> >On 12/07/2016 14:04, "TLS on behalf of Dang, Quynh (Fed)"
>>> ><tls-bounces@ietf.org on behalf of quynh.dang@nist.gov> wrote:
>>> >
>>> >>Hi Eric and all,
>>> >>
>>> >>
>>> >>In my opinion, we should give better information about data limit for
>>> >>AES_GCM in TLS 1.3 instead of what is current in the draft 14.
>>> >>
>>> >>
>>> >>In this paper: http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf,  what
>>> >>is called confidentiality attack is the known plaintext
>>> >>differentiality attack where  the attacker has/chooses two
>>>plaintexts,
>>> >>send them to the AES-encryption oracle.  The oracle encrypts one of
>>> >>them, then sends the ciphertext to the attacker.  After seeing the
>>> >>ciphertext, the attacker has some success probability of telling
>>>which
>>> >>plaintext  was encrypted and this success probability is in the
>>>column
>>> >>called ³Attack Success Probability² in Table 1.  This attack does not
>>> >>break confidentiality.
>>> >>
>>> >>
>>> >>If the attack above breaks one of security goal(s) of your individual
>>> >>system, then making success probability of that attack at 2^(-32) max
>>> >>is enough. In that case, the Max number of records is around 2^38.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>Regards,
>>> >>Quynh.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>Date: Monday, July 11, 2016 at 3:08 PM
>>> >>To: "tls@ietf.org" <tls@ietf.org>
>>> >>Subject: [TLS] New draft: draft-ietf-tls-tls13-14.txt
>>> >>
>>> >>
>>> >>
>>> >>Folks,
>>> >>
>>> >>
>>> >>I've just submitted draft-ietf-tls-tls13-14.txt and it should show up
>>> >>on the draft repository shortly. In the meantime you can find the
>>> >>editor's copy in the usual location at:
>>> >>
>>> >>
>>> >>  http://tlswg.github.io/tls13-spec/
>>> >>
>>> >>
>>> >>The major changes in this document are:
>>> >>
>>> >>
>>> >>* A big restructure to make it read better. I moved the Overview
>>> >>  to the beginning and then put the document in a more logical
>>> >>  order starting with the handshake and then the record and
>>> >>  alerts.
>>> >>
>>> >>
>>> >>* Totally rewrote the section which used to be called "Security
>>> >>  Analysis" and is now called "Overview of Security Properties".
>>> >>  This section is still kind of a hard hat area, so PRs welcome.
>>> >>  In particular, I know I need to beef up the citations for the
>>> >>  record layer section.
>>> >>
>>> >>
>>> >>* Removed the 0-RTT EncryptedExtensions and moved ticket_age
>>> >>  into the ClientHello. This quasi-reverts a change in -13 that
>>> >>  made implementation of 0-RTT kind of a pain.
>>> >>
>>> >>
>>> >>As usual, comments welcome.
>>> >>-Ekr
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>* Allow cookies to be longer (*)
>>> >>
>>> >>
>>> >>* Remove the "context" from EarlyDataIndication as it was undefined
>>> >>  and nobody used it (*)
>>> >>
>>> >>
>>> >>* Remove 0-RTT EncryptedExtensions and replace the ticket_age
>>> >>extension
>>> >>  with an obfuscated version. Also necessitates a change to
>>> >>  NewSessionTicket (*).
>>> >>
>>> >>
>>> >>* Move the downgrade sentinel to the end of ServerHello.Random
>>> >>  to accomodate tlsdate (*).
>>> >>
>>> >>
>>> >>* Define ecdsa_sha1 (*).
>>> >>
>>> >>
>>> >>* Allow resumption even after fatal alerts. This matches current
>>> >>  practice.
>>> >>
>>> >>
>>> >>* Remove non-closure warning alerts. Require treating unknown alerts
>>> >>as
>>> >>  fatal.
>>> >>
>>> >>
>>> >>* Make the rules for accepting 0-RTT less restrictive.
>>> >>
>>> >>
>>> >>* Clarify 0-RTT backward-compatibility rules.
>>> >>
>>> >>
>>> >>* Clarify how 0-RTT and PSK identities interact.
>>> >>
>>> >>
>>> >>* Add a section describing the data limits for each cipher.
>>> >>
>>> >>
>>> >>* Major editorial restructuring.
>>> >>
>>> >>
>>> >>* Replace the Security Analysis section with a WIP draft.
>>> >>
>>> >>
>>> >>(*) indicates changes to the wire protocol which may require
>>> >>implementations
>>> >>    to update.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >
>>> 
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email