Re: [TLS] 3DES diediedie

Geoffrey Keating <geoffk@geoffk.org> Thu, 25 August 2016 23:02 UTC

To: Tony Arcieri <bascule@gmail.com>
References: <CAHOTMV+r5PVxqnSozYyqJqq_YocMKV06aAa-43t+5Huzh7Lo=A@mail.gmail.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: 25 Aug 2016 16:02:08 -0700
In-Reply-To: <CAHOTMV+r5PVxqnSozYyqJqq_YocMKV06aAa-43t+5Huzh7Lo=A@mail.gmail.com>
Message-ID: <m2y43ko3kf.fsf@localhost.localdomain>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wAUgAUs8zS4zZAaZNT88iEs67ug>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] 3DES diediedie

Tony Arcieri <bascule@gmail.com> writes:

> This attack was published today[*]:
> 
> https://sweet32.info/
> 
> I bring it up because I think the threat model is similar to the threats
> that led to RC4 "diediedie"
> 
> https://www.rfc-editor.org/info/rfc7465
> 
> Should there be a 3DES "diediedie"?

I think so.

> I believe 3DES is MTI for TLS 1.0/1.1(?) but I think it would make sense
> for it to be banned from TLS 1.3.

At least one purpose of such an RFC would be to replace the MTI ciphersuite
with a different ciphersuite.

> [*] Lest anyone claim the contrary, I am not surprised by this attack, and
> have pushed to have 3DES removed from TLS prior to the publication of this
> attack, and can probably find a TLS implementer who can back me up on that.

The problem has even been described previously on this very mailing list
<https://www.ietf.org/mail-archive/web/tls/current/msg04560.html> (the
original is here:
<http://lists.links.org/pipermail/mogul-open/2009-November/000069.html>).
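The Sweet32 result referenced in this thread is a birthday-bound attack on 64-bit block ciphers, of which 3DES is the one still negotiable in TLS. The following is an added illustration, not code from either poster or from the Sweet32 authors: it estimates how much CBC traffic under one key brings a 64-bit block cipher to a given collision probability, compares that with a 128-bit block cipher, and flags 3DES suites in a configured ciphersuite list. The ideal-cipher birthday approximation p ≈ 1 - exp(-n(n-1)/2^(b+1)) and the name patterns `3DES_EDE_CBC` (IANA) and `DES-CBC3` (OpenSSL) are the only assumptions; the sample ciphersuite list is constructed.

```python
# Added example (not from the mailing-list thread): quantifies the
# birthday-bound risk behind Sweet32 and flags 3DES suites in a config.
import math


def collision_probability(n_blocks: int, block_bits: int) -> float:
    """Probability that at least two of n_blocks ciphertext blocks collide
    under an ideal b-bit block cipher (CBC ciphertext blocks are random
    b-bit values): p ~= 1 - exp(-n(n-1) / 2^(b+1)).  A collision leaks
    the XOR of two plaintext blocks, which is the Sweet32 foothold."""
    if n_blocks < 2:
        return 0.0
    exponent = -(n_blocks * (n_blocks - 1)) / 2.0 ** (block_bits + 1)
    return 1.0 - math.exp(exponent)


def blocks_for_probability(p: float, block_bits: int) -> int:
    """Smallest n with collision_probability(n, block_bits) >= p, from
    inverting the approximation: n^2 ~= -ln(1-p) * 2^(b+1)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(-math.log(1.0 - p) * 2.0 ** (block_bits + 1)))


def bytes_for_probability(p: float, block_bits: int) -> int:
    """Same bound expressed as bytes of ciphertext under one key."""
    return blocks_for_probability(p, block_bits) * (block_bits // 8)


# Name fragments that identify 3DES suites (assumed patterns: IANA registry
# names use 3DES_EDE_CBC, OpenSSL names use DES-CBC3).
_3DES_MARKERS = ("3DES_EDE_CBC", "DES-CBC3")


def flag_3des_suites(suite_names):
    """Return the configured ciphersuite names that use 3DES, preserving order,
    so a defender can see what a deprecation would remove."""
    return [name for name in suite_names
            if any(marker in name.upper() for marker in _3DES_MARKERS)]


if __name__ == "__main__":
    for bits in (64, 128):
        gib = bytes_for_probability(0.5, bits) / 2 ** 30
        print(f"{bits}-bit blocks: 50% collision chance after ~{gib:.3g} GiB")
    # Constructed sample config mixing IANA- and OpenSSL-style names.
    sample = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_AES_128_GCM_SHA256",
              "ECDHE-RSA-DES-CBC3-SHA", "ECDHE-ECDSA-AES256-GCM-SHA384"]
    print("3DES suites to remove:", flag_3des_suites(sample))
```

Running it shows the gap the thread is about: tens of gigabytes of 3DES traffic under one key reaches even odds of a block collision, a volume a long-lived HTTPS or VPN session can carry, whereas a 128-bit block cipher needs on the order of 10^20 bytes. The `flag_3des_suites` check is the inventory step a deployment would run before 3DES is dropped from its ciphersuite list.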