Re: [TLS] Data limit for GCM under a given key.

Eric Rescorla <ekr@rtfm.com> Sat, 07 November 2015 03:50 UTC

In-Reply-To: <5FA3B020-DDCC-4745-B969-9A54A98C9948@gmail.com>
References: <CABcZeBODjk8rapgbNTST8bmFFVzKqB4tJyrvje-CTgk1=gfqFw@mail.gmail.com> <CAHOTMV++hODJgstmROMv6BPUveDQgH=+KoN8UKCecRxtQQ+N9g@mail.gmail.com> <CABcZeBN749=rdOD3fsqwV3hj1X538G_-hbh2QvSmbMj6qWwOvA@mail.gmail.com> <201511062139.11139.davemgarrett@gmail.com> <5FA3B020-DDCC-4745-B969-9A54A98C9948@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 06 Nov 2015 19:50:03 -0800
Message-ID: <CABcZeBPTiVNk5EQU+tx9FdzbLTqDrf8+NmZqWu-1uHHtSiko=Q@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/kQTuPxBRWeZx57e2tMtXqAQe22I>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Data limit for GCM under a given key.

On Fri, Nov 6, 2015 at 7:46 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:

>
> > On 7 Nov 2015, at 11:39 AM, Dave Garrett <davemgarrett@gmail.com> wrote:
> >
> > On Friday, November 06, 2015 08:13:44 pm Eric Rescorla wrote:
> >> Update: we discussed this extensively in Yokohama and based on Watson's
> >> feedback and offline comments from David McGrew, the consensus was that we
> >> needed to add some sort of rekeying mechanism to support long-lived flows.
> >> Expect a PR on this next week.
> >>
> >> Note: We'll still need guidance to implementations on when to re-key, but
> >> we don't expect to have a hard protocol limit.
> >
> > If re-keying is back up for discussion, let me restate my request for it
> to be routine, rather than only a niche-case feature. Any re-key schedule
> should be considered valid, but the spec should set a "SHOULD"-level
> requirement that the minimum be once every N hours or M terabytes,
> whichever comes first (where N & M are some bike-shedable numbers with some
> expectation of randomization in values for each period).
>
> N and M will be different depending on the algorithms, no?
>
> I think before we start with pull requests we should be certain of what
> the requirements are for this rekeying.
>

These were discussed extensively both in the interim and at IETF. The
purpose of rekeying in this context is to deal with cryptographic
exhaustion, namely having more ciphertext under the same key than is safe
for a given algorithm (where safe is defined by an analysis like the one
Watson has posted upthread).



> Are we OK with just generating new keys from the same internal state (so
> the handshake message is pretty much only “rekey now”),


I believe this is what we agreed both in Seattle and in Prague.

-Ekr



> or
> Do we want freshness (usually in the form of new mutual nonces), or
> Do we want forward secrecy, so another Diffie-Hellman exchange?
>
> Yoav
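The mechanism Ekr describes above (fresh traffic keys derived from the same internal state, triggered by a data or time budget rather than a hard protocol limit) can be sketched in code. The following is an added example written for this page in Python; it is not code from any TLS draft, the TLS working group, or any implementation. The HKDF info layout, the label strings ("key", "iv", "traffic update"), the `TrafficState` class, and the byte and age limits are all assumptions made for illustration; the real values of M and N come from the per-algorithm analysis the thread refers to.

```python
"""Illustrative rekey ratchet: derive the next traffic secret from the current
one, and rekey once a per-key byte budget or key age is exhausted.
Added example; not from any TLS draft or implementation."""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) on HMAC-SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def expand_label(secret: bytes, label: bytes, length: int) -> bytes:
    """Labelled expansion. The info layout (length || label) and the label
    strings used below are assumptions for this example, not a wire format."""
    info = struct.pack(">H", length) + bytes([len(label)]) + label
    return hkdf_expand(secret, info, length)


class TrafficState:
    """One direction's write state: the current traffic secret, the AEAD
    key/IV derived from it, and how much ciphertext that key has protected."""

    def __init__(self, secret, byte_limit, max_age, created_at, generation=0):
        self.secret = secret
        self.byte_limit = byte_limit      # "M terabytes" in the thread
        self.max_age = max_age            # "N hours", expressed in seconds
        self.created_at = created_at
        self.generation = generation
        self.bytes_under_key = 0
        self.key = expand_label(secret, b"key", 16)   # hypothetical labels
        self.iv = expand_label(secret, b"iv", 12)

    def needs_rekey(self, record_len, now):
        """True if protecting record_len more bytes, or the key's age, would
        breach either budget ("whichever comes first")."""
        return (self.bytes_under_key + record_len > self.byte_limit
                or now - self.created_at >= self.max_age)

    def rekey(self, now):
        """'Rekey now': the next secret is a one-way function of the current
        one alone, so a peer holding the same state derives the same key with
        no new handshake input. The old secret is not recoverable from the new
        one, but this gives no fresh Diffie-Hellman input either."""
        new_secret = expand_label(self.secret, b"traffic update", HASH_LEN)
        return TrafficState(new_secret, self.byte_limit, self.max_age, now,
                            self.generation + 1)

    def protect(self, record_len, now):
        """Account for one record; returns the state the record is sent under."""
        state = self.rekey(now) if self.needs_rekey(record_len, now) else self
        state.bytes_under_key += record_len
        return state


def send_records(initial_secret, records, byte_limit, max_age):
    """records: list of (timestamp, record_len) pairs. Returns the key
    generation used for each record and the final write state."""
    state = TrafficState(initial_secret, byte_limit, max_age, records[0][0])
    generations = []
    for now, length in records:
        state = state.protect(length, now)
        generations.append(state.generation)
    return generations, state


if __name__ == "__main__":
    # Constructed sample: 2500-byte budget, 1-hour age limit.
    sample = [(0, 1000), (0, 1000), (0, 500), (10, 1000), (4000, 100)]
    gens, final = send_records(b"\x01" * 32, sample, 2500, 3600)
    print("generation per record:", gens)   # [0, 0, 0, 1, 2]
    print("final generation:", final.generation)
```

The two counters correspond to Dave's "N hours or M terabytes, whichever comes first"; the `rekey` step corresponds to Yoav's "rekey now" option, where both peers advance in lockstep without exchanging new nonces or a new Diffie-Hellman share. Tracking `bytes_under_key` is what lets an implementation enforce a per-algorithm ciphertext limit without the protocol itself imposing one.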