Re: [TLS] Data volume limits

Eric Rescorla <ekr@rtfm.com> Wed, 16 December 2015 03:29 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 305DF1A1EF9 for <tls@ietfa.amsl.com>; Tue, 15 Dec 2015 19:29:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.977
X-Spam-Level:
X-Spam-Status: No, score=-0.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bf1IoINZIqs3 for <tls@ietfa.amsl.com>; Tue, 15 Dec 2015 19:29:34 -0800 (PST)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DC661A1EF4 for <tls@ietf.org>; Tue, 15 Dec 2015 19:29:34 -0800 (PST)
Received: by mail-qk0-x22b.google.com with SMTP id u65so26739866qkh.2 for <tls@ietf.org>; Tue, 15 Dec 2015 19:29:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=YGfAFhd9h88f1hSmmzj+9jgxj4LRKZAocpYMKS7T8hA=; b=GM2+70M/aA+PCCH7LiM3rOO0xzlFm9GRdgS9anFuZQHMNQreEv3DYGrt5GEzb8jYsd yKKZ0fipbzAtXHSTjhmg6wOAKGH1Z8bKfuyeE+DMCd0uTTg2zoxbReHs4TVpLtJ98I/G mZ6GlnQ9G4n6csHa63WQ4SU/3vOmGC66FacMmhZOAiXnSNkcoDthTJgTaRDhLuS/IJJz 73TkqIK9JI699gM5P14wvgX4ONy8UAqqPOtfbDuwglKda6mx8enV8IBSD63+BpA29FKl 9rnBa6iNbdskG3QBmkzQpPiQycq5Igpf1QtaVCz7dZdRXvUfxKjyCiIrBDEg6LBfgukQ an7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=YGfAFhd9h88f1hSmmzj+9jgxj4LRKZAocpYMKS7T8hA=; b=O53zGh/aeWlOiUaLR0oQk3rTF22fepcNQC/3Hiho8ifdOhASl44hLjOuFnqAzxvUMz FBmE2iE7SDTvwVq5xbDeKIWWPhH6VFVX+rY1/0N4c7EP3N5vEfpZAlAdWQKtdCHoH4GI ZG6h2b6KU4mhHs7x5StShiGLWwobCU5mdwRYN6jSDSPSn6cdKRvgqvOZZxGPMuXz9YEn dpd4p1wNA+9QI9MCe1zROMniYCyLxTBfMSfLIzGXlfsJ+rwQo7t/9gAsvfjLs3+EbBr/ e2PKsEh9z0ok2Gd6bunnCWjWjoOx7P96zEuYX6BS8NET0JwlT2bfr1H+3MAyRkTpIV1R H7Uw==
X-Gm-Message-State: ALoCoQni2H7T6GqEclDkffs4NEeN0DQb7YkWygb4pVi3RvU9AsW50+JMXZA4XlKnAT+B9jh6lMgJcug7nLNOcICV81AwKm4MuA==
X-Received: by 10.13.218.198 with SMTP id c189mr25420519ywe.165.1450236573249; Tue, 15 Dec 2015 19:29:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.197 with HTTP; Tue, 15 Dec 2015 19:28:53 -0800 (PST)
In-Reply-To: <5670B774.5050605@streamsec.se>
References: <CABcZeBNR76DqPo0Mukf5L2G-WBSC+RCZKhVGqBZq=tJYfEHLUg@mail.gmail.com> <e007baa2f53249d49917e6023e578bc0@XCH-RTP-006.cisco.com> <CACsn0ckSo-affRmsTZaodCJZsFisPygnhk9=OZuV0_9SVMbUxQ@mail.gmail.com> <6674a4ec51fe4e158929bf429260d6ea@XCH-RTP-006.cisco.com> <CABcZeBNSHGGwM41c9QS0G-pnsEkuyA-q6FMhMgv2NQBDmwWwqA@mail.gmail.com> <5670AB96.9000602@streamsec.se> <CACsn0c=FyAn+EqmLTpQj=4U4RckCZFokhc8FLQhvJ1YDVs+aVQ@mail.gmail.com> <5670B774.5050605@streamsec.se>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 15 Dec 2015 19:28:53 -0800
Message-ID: <CABcZeBPi7grbz4hdZX5+m5OP5CHaeX-gy3xhA+rAkQjD40-ADw@mail.gmail.com>
To: =?UTF-8?Q?Henrick_Hellstr=C3=B6m?= <henrick@streamsec.se>
Content-Type: multipart/alternative; boundary=94eb2c08192aca24720526fb838b
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/nEr7oQZmvpiajEoiqNtjsARkst8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Data volume limits
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 03:29:36 -0000

On Tue, Dec 15, 2015 at 4:59 PM, Henrick Hellström <henrick@streamsec.se>
wrote:

> On 2015-12-16 01:31, Watson Ladd wrote:
>
>> You don't understand the issue. The issue is PRP not colliding, whereas
>> PRF can.
>>
>
> Oh, but I concur. This means that if you observe two same valued cipher
> text blocks, you know that the corresponding key stream blocks can't be
> identical,


That assumes that the plaintext is identical, no? That may be true in some
limited
cases, but isn't generally true

-Ekr

and deduce that the corresponding plain text blocks have to be different.
> Such observations consequently leak information about the plain text, in
> the rare and unlikely event they actually occur.
>
> However, calling it an exploitable weakness is a bit of a stretch. AES-CBC
> is likely to loose confidentiality slightly faster, for typical plain texts.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>