Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)
"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Fri, 10 February 2017 12:48 UTC
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, Sean Turner <sean@sn3rd.com>
Date: Fri, 10 Feb 2017 12:48:41 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tcv0FXHn34u0B4efnoO5UBEhaEk>
Cc: IRTF CFRG <cfrg@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>
Hi Kenny,

From: TLS <tls-bounces@ietf.org> on behalf of "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Date: Friday, February 10, 2017 at 4:06 AM
To: Sean Turner <sean@sn3rd.com>
Cc: IRTF CFRG <cfrg@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

> Hi,
>
> My preference is to go with the existing text, option a).
>
> From the github discussion, I think option c) involves a less conservative security bound (success probability for IND-CPA attacker bounded by 2^{-32} instead of 2^{-60}). I can live with that, but the WG should be aware of the weaker security guarantees it provides.
>
> I do not understand option b). It seems to rely on an analysis of collisions of ciphertext blocks rather than the established security proof for AES-GCM.

My suggestion was based on counting. I analyzed AES-GCM in TLS 1.3 as being a counter-mode encryption and each counter is a 96-bit nonce || 32-bit counter. I don't know if there is another kind of proof that is more precise than that.

Regards,
Quynh.

> Regards,
>
> Kenny
>
> On 10/02/2017 05:44, "Cfrg on behalf of Martin Thomson" <cfrg-bounces@irtf.org on behalf of martin.thomson@gmail.com> wrote:
>
>> On 10 February 2017 at 16:07, Sean Turner <sean@sn3rd.com> wrote:
>>> a) Close these two PRs and go with the existing text [0]
>>> b) Adopt PR#765 [1]
>>> c) Adopt PR#769 [2]
>>
>> a) I'm happy enough with the current text (I've implemented that and it's relatively easy).
>>
>> I could live with c, but I'm opposed to b. It just doesn't make sense. It's not obviously wrong any more, but the way it is written it is very confusing and easily open to misinterpretation.
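The counting argument Quynh describes, worked through as an added example (my code, not anything from the thread or from the TLS 1.3 draft): each 96-bit nonce || 32-bit counter is one block-cipher call, the PRP/PRF switching bound q(q-1)/2^129 is applied to the number of calls q made under one key, and the 2^-60 and 2^-32 targets from Kenny's message are turned into a number of full-size records, with the sender-side rekey check a TLS stack would make. The record size (2^14 + 1 AEAD bytes) and the extra GCM block spent on the tag mask are assumptions stated in the comments.

```python
import math

AES_BLOCK_BITS = 128
BYTES_PER_BLOCK = 16
# Assumption for this example: the AEAD input of a full-size TLS 1.3 record is
# the 2^14-byte content plus the 1-byte inner content type (no padding).
FULL_RECORD_AEAD_BYTES = (1 << 14) + 1


def blocks_per_record(aead_bytes=FULL_RECORD_AEAD_BYTES):
    """Block-cipher calls GCM spends on one record: ceil(len/16) counter blocks
    for the CTR keystream plus one call on J0 (nonce || 0^31 || 1) to mask the tag."""
    return -(-aead_bytes // BYTES_PER_BLOCK) + 1


def ctr_distinguishing_bound(total_blocks):
    """Counting argument from the thread: with q distinct counters under one key,
    the PRP/PRF switching lemma bounds the IND-CPA advantage of CTR mode by
    q(q-1)/2^(n+1), n = 128.  Returned as log2 (2^-60 comes back as -60.0)."""
    q = total_blocks
    if q < 2:
        return float("-inf")
    return math.log2(q * (q - 1)) - (AES_BLOCK_BITS + 1)


def max_blocks_for_bound(log2_bound):
    """Largest q with q^2/2^129 <= 2^log2_bound (q^2 >= q(q-1), so this is safe).
    log2_bound is negative, e.g. -60 for the existing text, -32 for option c)."""
    return math.isqrt(1 << (AES_BLOCK_BITS + 1 + log2_bound))


def max_records_for_bound(log2_bound, aead_bytes=FULL_RECORD_AEAD_BYTES):
    """Full-size records one traffic key may protect before the bound is reached."""
    return max_blocks_for_bound(log2_bound) // blocks_per_record(aead_bytes)


def key_update_needed(records_sent, log2_bound=-60):
    """Sender-side check: has this key protected as many records as the bound allows?
    If so, a KeyUpdate must precede the next record."""
    return records_sent >= max_records_for_bound(log2_bound)


if __name__ == "__main__":
    for log2_bound in (-60, -32):
        blocks = max_blocks_for_bound(log2_bound)
        recs = max_records_for_bound(log2_bound)
        print(f"bound 2^{log2_bound}: {blocks:.3e} blocks, {recs:.3e} full-size records "
              f"(~2^{math.log2(recs):.1f}); advantage there 2^{ctr_distinguishing_bound(blocks):.2f}")
```

With these assumptions the 2^-60 target allows roughly 2^34.5 block-cipher calls, i.e. about 2^24.5 full-size records per key, while the 2^-32 target allows about 2^14 times more.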