Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
Watson Ladd <watsonbladd@gmail.com> Wed, 13 July 2016 13:26 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFD6512D739 for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 06:26:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EaeDtAg_0C7m for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 06:26:08 -0700 (PDT)
Received: from mail-vk0-x22b.google.com (mail-vk0-x22b.google.com [IPv6:2607:f8b0:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F23A12B056 for <tls@ietf.org>; Wed, 13 Jul 2016 06:26:08 -0700 (PDT)
Received: by mail-vk0-x22b.google.com with SMTP id o63so65021452vkg.1 for <tls@ietf.org>; Wed, 13 Jul 2016 06:26:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JbiHHVWkCBeljYxXpPYwMKaSOIihCP+RENF4BJJvsYI=; b=Cwaa/YVw0WKdovWyejtTOXOgBXDzUPzUlwhqwTkiyTPNlf9aTuEI35nOTpJZGJRFPM Rm5p8yL6/jojj3PJlITgAGzlh/oMvY7pI0tmMXv78auJSfWKi+PwqJb4fwEXdvX1/6+/ kdRY1VHTNsDMaixDiZRxkaLy/Qk++K19Fe3o4+yLIulS3NZybtHgyow42+Y8JymIpy4r LjV6AMKuu3nKrxPiykwq7jirF0THg1u7ctlw7l/BD3MubJOLxD8SqUDxXhXAGOERDo1I TBoJn+wOkqnoGrrgvFlL3znnmteFu/WkK0gENnrFBDFzWkzl3AIUKVvzxlTtlAMJmSBE IZsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JbiHHVWkCBeljYxXpPYwMKaSOIihCP+RENF4BJJvsYI=; b=gSdNVQFPCxUV1wE5Pg9XJxY78xqMtQr0J/B6kB72QGlnUbjhGSFt6y6PpOEXuq9Q8p osO4ZweLWeoFq0h56nd4OqwoZ8EtGNbEk1TwXvyrKa4gdG2LJ1l5HFqaAFQn3vAWoe3k S0+j4N7QgtxpMreiKsJPUOcq1Mt4Ehii1tV4l+xJh15aBzdC3m4xwDnc3rxbEgBRQbFG K55zQORQp4TgSUDbpAo9KxKikbG3mgEKDJ1BvK4JuzFlSZuyjK9Yr6ytte5gx5bMENNR 4ecewyk0eJsLcs5stNn5kwm8rj7oKR6prrAiFeopfTuPf2we176Da51NOkc0lR/BgNdA OWtQ==
X-Gm-Message-State: ALyK8tL/i+9zWFN5zn+3U/4ZNYUplRu9gD2i1P8if/wH3TvUow2wDI564NLiNd27vJ1NYQtfaH9WuaFv0jLzhQ==
X-Received: by 10.176.65.40 with SMTP id j37mr3184997uad.117.1468416367517; Wed, 13 Jul 2016 06:26:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.39.194 with HTTP; Wed, 13 Jul 2016 06:26:06 -0700 (PDT)
In-Reply-To: <553ea052cc05b4f7315e19c943b0c2b0@esat.kuleuven.be>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <D3AA5BD6.27AC0%qdang@nist.gov> <D3AAB674.709EA%kenny.paterson@rhul.ac.uk> <D3AA7549.27B09%qdang@nist.gov> <d1f35d74e93b4067bf17f587b904ebff@XCH-RTP-006.cisco.com> <D3AAD721.70A11%kenny.paterson@rhul.ac.uk> <D3AA9B01.27B9F%qdang@nist.gov> <D3AAE2B7.70A78%kenny.paterson@rhul.ac.uk> <ede4e2ffadd142f781e7a9c04081c825@XCH-RTP-006.cisco.com> <0ad33f70cbe2aabba1f16f4cac876b0f@esat.kuleuven.be> <D3AB99DD.27C8B%qdang@nist.gov> <553ea052cc05b4f7315e19c943b0c2b0@esat.kuleuven.be>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 13 Jul 2016 06:26:06 -0700
Message-ID: <CACsn0ckFJSEabLOw60-1Pt=e3gLj1W+5yVvWRGzB=avNMQ_X+g@mail.gmail.com>
To: Atul Luykx <Atul.Luykx@esat.kuleuven.be>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zkqPWGcQAJsSDcbCI-WQ8fYpxBc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2016 13:26:12 -0000
On Wed, Jul 13, 2016 at 5:30 AM, Atul Luykx <Atul.Luykx@esat.kuleuven.be> wrote: > Hey Quynh, > >> How can one use the distinguishing attack with the data complexity bound I >> suggested for recovering 1 bit of the encryption key in the context of TLS >> ? > > You cannot recover any bits of the encryption key unless you attack AES. > > No-one, as far as I know, has analyzed what kind of attacks one can perform > against GCM around and beyond the birthday bound (except for the forgery > attacks, which require repeated nonces or known forgeries). However, for CTR > mode, the underlying encryption of GCM, David McGrew typed up a document > describing an attack one could perform to recover information about the > plaintext: > http://eprint.iacr.org/2012/623 > He describes it for 64 bit block ciphers, but the attacks work equally well > for 128 bit block ciphers, at a higher data complexity of course. > > Basically, there are a lot of unknowns, and it could be that the bounds you > recommend will be good enough in practice. However, it's important to be > clear about the risks involved in venturing into unknown territory. > > Atul Furthermore the cost of avoiding this is trivial. The rekeying mechanism has been designed to have minimal code complexity. > > > On 2016-07-13 13:14, Dang, Quynh (Fed) wrote: >> >> Hi Atul, >> >> On 7/12/16, 3:50 PM, "Atul Luykx" <Atul.Luykx@esat.kuleuven.be> wrote: >> >>>> To be clear, this probability is that an attacker would be able to >>>> take a huge (4+ Petabyte) ciphertext, and a compatibly sized potential >>>> (but incorrect) plaintext, and with probability 2^{-32}, be able to >>>> determine that this plaintext was not the one used for the ciphertext >>>> (and with probability 0.999999999767..., know nothing about whether >>>> his guessed plaintext was correct or not). >>> >>> >>> You need to be careful when making such claims. There are schemes for >>> which when you reach the birthday bound you can perform partial key >>> recovery. >>> >>> The probabilities we calculated guarantee that there won't be any >>> attacks (with the usual assumptions...). Beyond the bounds, there are no >>> guarantees. In particular, you cannot conclude that one, for example, >>> loses 1 bit of security once beyond the birthday bound. >> >> >> How can one use the distinguishing attack with the data complexity bound I >> suggested for recovering 1 bit of the encryption key in the context of TLS >> ? >> >> >> Regards, >> Quynh. >> >> >> >> >>> >>> Atul >>> >>> On 2016-07-12 20:06, Scott Fluhrer (sfluhrer) wrote: >>>>> >>>>> -----Original Message----- >>>>> From: Paterson, Kenny [mailto:Kenny.Paterson@rhul.ac.uk] >>>>> Sent: Tuesday, July 12, 2016 1:17 PM >>>>> To: Dang, Quynh (Fed); Scott Fluhrer (sfluhrer); Eric Rescorla; >>>>> tls@ietf.org >>>>> Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt >>>>> >>>>> Hi >>>>> >>>>> On 12/07/2016 18:04, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote: >>>>> >>>>> >Hi Kenny, >>>>> > >>>>> >On 7/12/16, 12:33 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> >>>>> wrote: >>>>> > >>>>> >>Finally, you write "to come to the 2^38 record limit, they assume >>>>> that >>>>> >>each record is the maximum 2^14 bytes". For clarity, we did not >>>>> >>recommend a limit of 2^38 records. That's Quynh's preferred number, >>>>> >>and is unsupported by our analysis. >>>>> > >>>>> >What is problem with my suggestion even with the record size being the >>>>> >maximum value? >>>>> >>>>> There may be no problem with your suggestion. I was simply trying to >>>>> make it >>>>> clear that 2^38 records was your suggestion for the record limit and >>>>> not ours. >>>>> Indeed, if one reads our note carefully, one will find that we do not >>>>> make any >>>>> specific recommendations. We consider the decision to be one for the >>>>> WG; >>>>> our preferred role is to supply the analysis and help interpret it if >>>>> people >>>>> want that. Part of that involves correcting possible misconceptions >>>>> and >>>>> misinterpretations before they get out of hand. >>>>> >>>>> Now 2^38 does come out of our analysis if you are willing to accept >>>>> single key >>>>> attack security (in the indistinguishability sense) of 2^{-32}. So in >>>>> that limited >>>>> sense, 2^38 is supported by our analysis. But it is not our >>>>> recommendation. >>>>> >>>>> But, speaking now in a personal capacity, I consider that security >>>>> margin to be >>>>> too small (i.e. I think that 2^{-32} is too big a success >>>>> probability). >>>> >>>> >>>> To be clear, this probability is that an attacker would be able to >>>> take a huge (4+ Petabyte) ciphertext, and a compatibly sized potential >>>> (but incorrect) plaintext, and with probability 2^{-32}, be able to >>>> determine that this plaintext was not the one used for the ciphertext >>>> (and with probability 0.999999999767..., know nothing about whether >>>> his guessed plaintext was correct or not). >>>> >>>> I'm just trying to get people to understand what we're talking about. >>>> This is not "with probability 2^{-32}, he can recover the plaintext" >>>> >>>> >>>>> >>>>> Regards, >>>>> >>>>> Kenny >>>> >>>> >>>> _______________________________________________ >>>> TLS mailing list >>>> TLS@ietf.org >>>> https://www.ietf.org/mailman/listinfo/tls > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Man is born free, but everywhere he is in chains". --Rousseau.
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Peter Gutmann
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Watson Ladd
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Hubert Kario
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Benjamin Kaduk
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Eric Rescorla
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Benjamin Kaduk
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Scott Fluhrer (sfluhrer)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Scott Fluhrer (sfluhrer)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- [TLS] New draft: draft-ietf-tls-tls13-14.txt Eric Rescorla
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dave Garrett
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny