Re: [TLS] [Cfrg] 3DES diediedie

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 25 August 2016 10:01 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34AD212D758 for <tls@ietfa.amsl.com>; Thu, 25 Aug 2016 03:01:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.849
X-Spam-Level:
X-Spam-Status: No, score=-4.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7InxXHTHFjI2 for <tls@ietfa.amsl.com>; Thu, 25 Aug 2016 03:01:11 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79D9712D7C9 for <tls@ietf.org>; Thu, 25 Aug 2016 03:01:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 98FC7BE75; Thu, 25 Aug 2016 11:01:09 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9oAFwNiH_S1t; Thu, 25 Aug 2016 11:01:05 +0100 (IST)
Received: from [192.168.138.252] (unknown [58.251.152.17]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id E30CCBE5C; Thu, 25 Aug 2016 11:01:01 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1472119265; bh=LQbsTgbfxps/RWcd3zTXloUKCfI4Ut/Lchs40/UDE5g=; h=Subject:To:References:From:Date:In-Reply-To:From; b=FNJ+hxsegu37ThZV+cpu4P1vRSf8GfcQ0QD4KctPX0E3EiJ6nq0jVBxGHQKQkE3WC HeYzVeRTPkC/LC0QRNfG56liK9Or+8wjwZ8RD7qzYkZOG30fS5qpyPjnUUwPa6bM7w iSnI3jZ2p+zBsLOuM2E1ZGh1YzvBcvkAzHINOHOY=
To: John Mattsson <john.mattsson@ericsson.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Tony Arcieri <bascule@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <D3E489EA.4EC34%john.mattsson@ericsson.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <1c39a2c0-3338-7941-a7d8-8d9535c0ccfc@cs.tcd.ie>
Date: Thu, 25 Aug 2016 11:00:54 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <D3E489EA.4EC34%john.mattsson@ericsson.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms000209080809070202060605"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oH-wXMuSlSf2V0bddmrIhVo9G8I>
Subject: Re: [TLS] [Cfrg] 3DES diediedie
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 10:01:23 -0000


On 25/08/16 10:54, John Mattsson wrote:
> I think the recently published attack has more to do with bad
> implementations/specification than a newly discovered weakness in 3DES.
> That you should never encrypt anything near 2^32 blocks is well known (but
> I don’t know how well this is explained in NIST or IETF specifications, if
> at all).
> 
> I am very supportive of everything speeding up the deprecation of weak

Just in case folks haven't considered it, the "d" in the name of
the IETF's curdle WG [1] stands for deprecation. Obviously that
has to be done with care and consideration, but there is a generic
venue where folks can propose that kind of thing.

Cheers,
S.

[1] https://tools.ietf.org/wg/curdle/

> algorithms and protocols, but  then I think CFRG should make a broader
> approach and look at more candidates for general deprecation like SHA-1
> signatures, 1024-bit MODP, and 1024-bit RSA… I think all of these are far
> weaker than 3-key 3DES.
> 
> Making sure that IETF provides good implementation guidelines and
> requirements for all ciphers might be as important.
> 
> /John
> 
> 
> On 25/08/16 05:28, "Cfrg on behalf of Peter Gutmann"
> <cfrg-bounces@irtf.org on behalf of pgut001@cs.auckland.ac.nz> wrote:
> 
>> Tony Arcieri <bascule@gmail.com> writes:
>>
>>> Should there be a 3DES "diediedie"?
>>
>> Only if there's an actualy issue.  3DES is still very widely supported
>> (particularly in financial systems and embedded), and provides a useful
>> backup to AES.  An attack that recovers cookie if you can record 785GB
>> of traffic isn't anything I'm losing any sleep over.
>>
>> Peter.
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>