Re: [TLS] Data volume limits

Henrick Hellström <henrick@streamsec.se> Wed, 16 December 2015 00:09 UTC

References: <CABcZeBNR76DqPo0Mukf5L2G-WBSC+RCZKhVGqBZq=tJYfEHLUg@mail.gmail.com> <e007baa2f53249d49917e6023e578bc0@XCH-RTP-006.cisco.com> <CACsn0ckSo-affRmsTZaodCJZsFisPygnhk9=OZuV0_9SVMbUxQ@mail.gmail.com> <6674a4ec51fe4e158929bf429260d6ea@XCH-RTP-006.cisco.com> <CABcZeBNSHGGwM41c9QS0G-pnsEkuyA-q6FMhMgv2NQBDmwWwqA@mail.gmail.com>
To: tls@ietf.org
From: Henrick Hellström <henrick@streamsec.se>
Message-ID: <5670AB96.9000602@streamsec.se>
Date: Wed, 16 Dec 2015 01:08:54 +0100
In-Reply-To: <CABcZeBNSHGGwM41c9QS0G-pnsEkuyA-q6FMhMgv2NQBDmwWwqA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vpFCRkJ_Y2Wx8HnI2NIn68wvPEg>

On 2015-12-16 00:48, Eric Rescorla wrote:
>
>
> On Tue, Dec 15, 2015 at 3:08 PM, Scott Fluhrer (sfluhrer)
> <sfluhrer@cisco.com <mailto:sfluhrer@cisco.com>> wrote:
>     The quadratic behavior in the security proofs are there for just
>     about any block cipher mode, and is the reason why you want to stay
>     well below the birthday bound.
>
>
> The birthday bound here is 2^{64}, right?
>
> -Ekr
>
>        However, that's as true for (say) CBC mode as it is for GCM

Actually, no.

Using the sequence number as part of the effective nonce means that it
won't collide. There is no relevant bound for collisions in the nonces
or in the CTR state, because they simply won't happen (unless there is
an implementation flaw). There won't be any potentially exploitable
collisions.

However, theoretically, the GHASH state might collide with a 2^{64} 
birthday bound. This possibility doesn't seem entirely relevant, though.
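The following is an added example, not code from the thread or from any TLS stack. It shows concretely what the two claims above rest on: how TLS 1.3 (RFC 8446) and TLS 1.2 AES-GCM (RFC 5288) derive the per-record nonce from the 64-bit record sequence number, how GCM with a 96-bit IV turns that nonce into its CTR blocks, and what the 2^{64} figure means for a 128-bit state via the usual birthday approximation. The write IV and salt are constructed sample values; the "flawed sender" is a hypothetical sequence-number reset, included only to show that an implementation bug is the one way such a nonce repeats. Note that RFC 5288 leaves the content of the 8-byte explicit nonce to the implementation; using the sequence number is what most stacks do. Only the standard library is used, so it runs offline.

```python
"""Added example (not from the thread): TLS nonce derivation from the record
sequence number, GCM counter-block derivation, and the birthday bound."""
import math
from typing import Iterable, List, Optional, Set

NONCE_LEN = 12  # 96-bit AEAD nonce used by AES-GCM in TLS


def tls13_nonce(write_iv: bytes, seq: int) -> bytes:
    """TLS 1.3 (RFC 8446 section 5.3): nonce = write_iv XOR seq, with the
    64-bit sequence number left-padded with zeros to 96 bits."""
    if len(write_iv) != NONCE_LEN:
        raise ValueError("write_iv must be 96 bits")
    if not 0 <= seq < 2**64:
        raise ValueError("sequence number must fit in 64 bits")
    padded = seq.to_bytes(NONCE_LEN, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def tls12_gcm_nonce(salt: bytes, seq: int) -> bytes:
    """TLS 1.2 AES-GCM (RFC 5288): 4-byte implicit salt || 8-byte explicit
    nonce. The RFC only requires the explicit part to be unique; this uses the
    sequence number, as most implementations do."""
    if len(salt) != 4:
        raise ValueError("salt must be 32 bits")
    if not 0 <= seq < 2**64:
        raise ValueError("sequence number must fit in 64 bits")
    return salt + seq.to_bytes(8, "big")


def gcm_counter_blocks(nonce: bytes, n_blocks: int) -> List[bytes]:
    """GCM with a 96-bit IV (NIST SP 800-38D): J0 = IV || 0^31 || 1 is reserved
    for the tag mask; plaintext block i (0-based) is encrypted with counter
    value i + 2. Distinct nonces therefore give distinct CTR inputs across
    records, and the 32-bit counter keeps them distinct within a record."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("this derivation assumes a 96-bit IV")
    if n_blocks > 2**32 - 2:
        raise ValueError("GCM limits one message to 2^32 - 2 blocks")
    return [nonce + (i + 2).to_bytes(4, "big") for i in range(n_blocks)]


def first_repeated_nonce(nonces: Iterable[bytes]) -> Optional[bytes]:
    """Return the first nonce that repeats, or None. This is the kind of check
    that catches the implementation flaw (a sequence number that fails to
    advance) which is the only route to a nonce collision under one key."""
    seen: Set[bytes] = set()
    for n in nonces:
        if n in seen:
            return n
        seen.add(n)
    return None


def birthday_collision_probability(q: int, bits: int) -> float:
    """Approximate probability that q uniformly random `bits`-bit values
    contain at least one collision: 1 - exp(-q(q-1) / 2^(bits+1)).
    For a 128-bit state this crosses ~0.39 at q = 2^64, the bound in the thread."""
    x = q * (q - 1) / 2 ** (bits + 1)
    return -math.expm1(-x)


if __name__ == "__main__":
    # Constructed sample key material; not from any real session.
    write_iv = bytes.fromhex("0123456789abcdef01234567")
    salt = bytes.fromhex("deadbeef")

    # Correct sender: 1000 records give 1000 distinct nonces, and the CTR
    # blocks of all those records are distinct as well.
    nonces = [tls13_nonce(write_iv, s) for s in range(1000)]
    assert first_repeated_nonce(nonces) is None
    blocks: Set[bytes] = set()
    for n in nonces:
        blocks.update(gcm_counter_blocks(n, 4))
    assert len(blocks) == 1000 * 4
    print("TLS 1.2 nonce for seq 1:", tls12_gcm_nonce(salt, 1).hex())

    # Hypothetical flawed sender whose sequence number resets to 0.
    flawed = [tls13_nonce(write_iv, s) for s in (0, 1, 2, 0)]
    print("repeated nonce:", first_repeated_nonce(flawed).hex())

    print("P(collision) among 2^32 128-bit values: "
          f"{birthday_collision_probability(2**32, 128):.3e}")
    print("P(collision) among 2^64 128-bit values: "
          f"{birthday_collision_probability(2**64, 128):.3f}")
```

The uniqueness argument is purely structural: as long as the sequence number is a 64-bit counter that is never reused under the same key (TLS requires the connection to be closed or rekeyed before it wraps), the nonce and every CTR input derived from it are unique by construction, so no birthday term applies to them. The birthday function is only relevant to a 128-bit quantity that behaves like a random value, which is why it is the GHASH state, not the nonce, that carries the 2^{64} figure.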