Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Tue, 12 July 2016 18:55 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Thread-Topic: [TLS] New draft: draft-ietf-tls-tls13-14.txt
Date: Tue, 12 Jul 2016 18:54:54 +0000
Message-ID: <9D7727FF-08B6-4836-9231-A4D44051D2AA@rhul.ac.uk>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <D3AA5BD6.27AC0%qdang@nist.gov> <D3AAB674.709EA%kenny.paterson@rhul.ac.uk> <D3AA7549.27B09%qdang@nist.gov> <d1f35d74e93b4067bf17f587b904ebff@XCH-RTP-006.cisco.com> <D3AAD721.70A11%kenny.paterson@rhul.ac.uk> <D3AA9B01.27B9F%qdang@nist.gov> <D3AAE2B7.70A78%kenny.paterson@rhul.ac.uk>, <ede4e2ffadd142f781e7a9c04081c825@XCH-RTP-006.cisco.com>
In-Reply-To: <ede4e2ffadd142f781e7a9c04081c825@XCH-RTP-006.cisco.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/njb0yZUwCfeg8TmaIKbEea7s4XY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt

Yup, that's crypto, folks. 

These are the kinds of numbers we should be worrying about for a protocol that will be deployed for decades to billions of people and devices. 

> On 12 Jul 2016, at 19:06, Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> wrote:
> 
> 
>> -----Original Message-----
>> From: Paterson, Kenny [mailto:Kenny.Paterson@rhul.ac.uk]
>> Sent: Tuesday, July 12, 2016 1:17 PM
>> To: Dang, Quynh (Fed); Scott Fluhrer (sfluhrer); Eric Rescorla; tls@ietf.org
>> Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
>> 
>> Hi
>> 
>>> On 12/07/2016 18:04, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
>>> 
>>> Hi Kenny,
>>> 
>>>> On 7/12/16, 12:33 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
>>> wrote:
>>> 
>>>> Finally, you write "to come to the 2^38 record limit, they assume that
>>>> each record is the maximum 2^14 bytes". For clarity, we did not
>>>> recommend a limit of 2^38 records. That's Quynh's preferred number,
>>>> and is unsupported by our analysis.
>>> 
>>> What is the problem with my suggestion even with the record size being the
>>> maximum value?
>> 
>> There may be no problem with your suggestion. I was simply trying to make it
>> clear that 2^38 records was your suggestion for the record limit and not ours.
>> Indeed, if one reads our note carefully, one will find that we do not make any
>> specific recommendations. We consider the decision to be one for the WG;
>> our preferred role is to supply the analysis and help interpret it if people
>> want that. Part of that involves correcting possible misconceptions and
>> misinterpretations before they get out of hand.
>> 
>> Now 2^38 does come out of our analysis if you are willing to accept single key
>> attack security (in the indistinguishability sense) of 2^{-32}. So in that limited
>> sense, 2^38 is supported by our analysis. But it is not our recommendation.
>> 
>> But, speaking now in a personal capacity, I consider that security margin to be
>> too small (i.e. I think that 2^{-32} is too big a success probability).
> 
> To be clear, this probability is that an attacker would be able to take a huge (4+ Petabyte) ciphertext, and a compatibly sized potential (but incorrect) plaintext, and with probability 2^{-32}, be able to determine that this plaintext was not the one used for the ciphertext (and with probability 0.999999999767..., know nothing about whether his guessed plaintext was correct or not).
> 
> I'm just trying to get people to understand what we're talking about.  This is not "with probability 2^{-32}, he can recover the plaintext".
> 
> 
>> 
>> Regards,
>> 
>> Kenny
>
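As an added worked example (my own code, not from the Luykx-Paterson note or from any of the posters above), here is the arithmetic that connects a per-key record limit to a single-key distinguishing advantage. It assumes that the AES-GCM confidentiality bound is dominated by the birthday-type PRP/PRF switching term sigma^2 / 2^128, where sigma is the number of AES blocks processed under one key, and it ignores the extra tag-masking block per record and the constant factors of the real bound. With full-size 2^14-byte records (2^10 AES blocks each), 2^38 records give sigma = 2^48 and an advantage of 2^-32, which is the pairing the quoted exchange discusses; the same formula also yields the 2^52-byte (4 PiB) ciphertext volume mentioned above, and shows how quickly the limit drops if the working group chooses a smaller margin.

```python
import math

AES_BLOCK_BYTES = 16
AES_BLOCK_BITS = 128
TLS_MAX_PLAINTEXT = 2**14   # full-size TLS record, the size the thread assumes


def blocks_per_record(record_bytes=TLS_MAX_PLAINTEXT):
    """AES calls spent on the CTR keystream of one record.

    Assumption: the one extra AES call that masks the GCM tag, and the
    constant factors in the real security bound, are ignored; this is a
    first-order estimate, not the bound from the Luykx-Paterson note.
    """
    return -(-record_bytes // AES_BLOCK_BYTES)   # ceiling division


def log2_advantage(num_records, record_bytes=TLS_MAX_PLAINTEXT):
    """log2 of the estimated single-key distinguishing advantage after
    encrypting num_records records, using Adv ~ sigma^2 / 2^128."""
    sigma = num_records * blocks_per_record(record_bytes)
    return 2 * math.log2(sigma) - AES_BLOCK_BITS


def max_records(target_log2_adv, record_bytes=TLS_MAX_PLAINTEXT):
    """Largest record count whose estimated advantage is at most 2^target_log2_adv.

    sigma^2 / 2^128 <= 2^t  <=>  sigma <= 2^((128 + t) / 2)
    """
    sigma_max = 2 ** ((AES_BLOCK_BITS + target_log2_adv) / 2)
    return math.floor(sigma_max / blocks_per_record(record_bytes))


def total_bytes(num_records, record_bytes=TLS_MAX_PLAINTEXT):
    """Plaintext volume encrypted under one key at that record count."""
    return num_records * record_bytes


if __name__ == "__main__":
    # The figure under discussion: 2^38 full-size records -> advantage 2^-32.
    print(f"2^38 records: log2(Adv) = {log2_advantage(2**38):.1f}, "
          f"{total_bytes(2**38) / 2**50:.1f} PiB under one key")
    # How the limit moves for other margins a working group might pick.
    for t in (-32, -40, -50, -60):
        n = max_records(t)
        print(f"target 2^{t}: up to 2^{math.log2(n):.1f} records "
              f"(~{total_bytes(n) / 2**50:.4f} PiB)")
```

Because the estimate is quadratic in sigma, halving the per-key data volume buys two extra bits of margin, which is why tightening the target from 2^-32 to 2^-60 cuts the record limit by a factor of 2^14 (from 2^38 to 2^24 records) under this model.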