IETF Logo Mail Archive

Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt

Watson Ladd <watsonbladd@gmail.com> Wed, 13 July 2016 13:26 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFD6512D739 for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 06:26:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EaeDtAg_0C7m for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 06:26:08 -0700 (PDT)
Received: from mail-vk0-x22b.google.com (mail-vk0-x22b.google.com [IPv6:2607:f8b0:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F23A12B056 for <tls@ietf.org>; Wed, 13 Jul 2016 06:26:08 -0700 (PDT)
Received: by mail-vk0-x22b.google.com with SMTP id o63so65021452vkg.1 for <tls@ietf.org>; Wed, 13 Jul 2016 06:26:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JbiHHVWkCBeljYxXpPYwMKaSOIihCP+RENF4BJJvsYI=; b=Cwaa/YVw0WKdovWyejtTOXOgBXDzUPzUlwhqwTkiyTPNlf9aTuEI35nOTpJZGJRFPM Rm5p8yL6/jojj3PJlITgAGzlh/oMvY7pI0tmMXv78auJSfWKi+PwqJb4fwEXdvX1/6+/ kdRY1VHTNsDMaixDiZRxkaLy/Qk++K19Fe3o4+yLIulS3NZybtHgyow42+Y8JymIpy4r LjV6AMKuu3nKrxPiykwq7jirF0THg1u7ctlw7l/BD3MubJOLxD8SqUDxXhXAGOERDo1I TBoJn+wOkqnoGrrgvFlL3znnmteFu/WkK0gENnrFBDFzWkzl3AIUKVvzxlTtlAMJmSBE IZsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JbiHHVWkCBeljYxXpPYwMKaSOIihCP+RENF4BJJvsYI=; b=gSdNVQFPCxUV1wE5Pg9XJxY78xqMtQr0J/B6kB72QGlnUbjhGSFt6y6PpOEXuq9Q8p osO4ZweLWeoFq0h56nd4OqwoZ8EtGNbEk1TwXvyrKa4gdG2LJ1l5HFqaAFQn3vAWoe3k S0+j4N7QgtxpMreiKsJPUOcq1Mt4Ehii1tV4l+xJh15aBzdC3m4xwDnc3rxbEgBRQbFG K55zQORQp4TgSUDbpAo9KxKikbG3mgEKDJ1BvK4JuzFlSZuyjK9Yr6ytte5gx5bMENNR 4ecewyk0eJsLcs5stNn5kwm8rj7oKR6prrAiFeopfTuPf2we176Da51NOkc0lR/BgNdA OWtQ==
X-Gm-Message-State: ALyK8tL/i+9zWFN5zn+3U/4ZNYUplRu9gD2i1P8if/wH3TvUow2wDI564NLiNd27vJ1NYQtfaH9WuaFv0jLzhQ==
X-Received: by 10.176.65.40 with SMTP id j37mr3184997uad.117.1468416367517; Wed, 13 Jul 2016 06:26:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.39.194 with HTTP; Wed, 13 Jul 2016 06:26:06 -0700 (PDT)
In-Reply-To: <553ea052cc05b4f7315e19c943b0c2b0@esat.kuleuven.be>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <D3AA5BD6.27AC0%qdang@nist.gov> <D3AAB674.709EA%kenny.paterson@rhul.ac.uk> <D3AA7549.27B09%qdang@nist.gov> <d1f35d74e93b4067bf17f587b904ebff@XCH-RTP-006.cisco.com> <D3AAD721.70A11%kenny.paterson@rhul.ac.uk> <D3AA9B01.27B9F%qdang@nist.gov> <D3AAE2B7.70A78%kenny.paterson@rhul.ac.uk> <ede4e2ffadd142f781e7a9c04081c825@XCH-RTP-006.cisco.com> <0ad33f70cbe2aabba1f16f4cac876b0f@esat.kuleuven.be> <D3AB99DD.27C8B%qdang@nist.gov> <553ea052cc05b4f7315e19c943b0c2b0@esat.kuleuven.be>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 13 Jul 2016 06:26:06 -0700
Message-ID: <CACsn0ckFJSEabLOw60-1Pt=e3gLj1W+5yVvWRGzB=avNMQ_X+g@mail.gmail.com>
To: Atul Luykx <Atul.Luykx@esat.kuleuven.be>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zkqPWGcQAJsSDcbCI-WQ8fYpxBc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2016 13:26:12 -0000

On Wed, Jul 13, 2016 at 5:30 AM, Atul Luykx <Atul.Luykx@esat.kuleuven.be> wrote:
> Hey Quynh,
>
>> How can one use the distinguishing attack with the data complexity bound I
>> suggested for recovering 1 bit of the encryption key in the context of TLS
>> ?
>
> You cannot recover any bits of the encryption key unless you attack AES.
>
> No-one, as far as I know, has analyzed what kind of attacks one can perform
> against GCM around and beyond the birthday bound (except for the forgery
> attacks, which require repeated nonces or known forgeries). However, for CTR
> mode, the underlying encryption of GCM, David McGrew typed up a document
> describing an attack one could perform to recover information about the
> plaintext:
> http://eprint.iacr.org/2012/623
> He describes it for 64 bit block ciphers, but the attacks work equally well
> for 128 bit block ciphers, at a higher data complexity of course.
>
> Basically, there are a lot of unknowns, and it could be that the bounds you
> recommend will be good enough in practice. However, it's important to be
> clear about the risks involved in venturing into unknown territory.
>
> Atul

Furthermore the cost of avoiding this is trivial. The rekeying
mechanism has been designed to have minimal code complexity.
>
>
> On 2016-07-13 13:14, Dang, Quynh (Fed) wrote:
>>
>> Hi Atul,
>>
>> On 7/12/16, 3:50 PM, "Atul Luykx" <Atul.Luykx@esat.kuleuven.be> wrote:
>>
>>>> To be clear, this probability is that an attacker would be able to
>>>> take a huge (4+ Petabyte) ciphertext, and a compatibly sized potential
>>>> (but incorrect) plaintext, and with probability 2^{-32}, be able to
>>>> determine that this plaintext was not the one used for the ciphertext
>>>> (and with probability 0.999999999767..., know nothing about whether
>>>> his guessed plaintext was correct or not).
>>>
>>>
>>> You need to be careful when making such claims. There are schemes for
>>> which when you reach the birthday bound you can perform partial key
>>> recovery.
>>>
>>> The probabilities we calculated guarantee that there won't be any
>>> attacks (with the usual assumptions...). Beyond the bounds, there are no
>>> guarantees. In particular, you cannot conclude that one, for example,
>>> loses 1 bit of security once beyond the birthday bound.
>>
>>
>> How can one use the distinguishing attack with the data complexity bound I
>> suggested for recovering 1 bit of the encryption key in the context of TLS
>> ?
>>
>>
>> Regards,
>> Quynh.
>>
>>
>>
>>
>>>
>>> Atul
>>>
>>> On 2016-07-12 20:06, Scott Fluhrer (sfluhrer) wrote:
>>>>>
>>>>> -----Original Message-----
>>>>> From: Paterson, Kenny [mailto:Kenny.Paterson@rhul.ac.uk]
>>>>> Sent: Tuesday, July 12, 2016 1:17 PM
>>>>> To: Dang, Quynh (Fed); Scott Fluhrer (sfluhrer); Eric Rescorla;
>>>>> tls@ietf.org
>>>>> Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
>>>>>
>>>>> Hi
>>>>>
>>>>> On 12/07/2016 18:04, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
>>>>>
>>>>> >Hi Kenny,
>>>>> >
>>>>> >On 7/12/16, 12:33 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
>>>>> wrote:
>>>>> >
>>>>> >>Finally, you write "to come to the 2^38 record limit, they assume
>>>>> that
>>>>> >>each record is the maximum 2^14 bytes". For clarity, we did not
>>>>> >>recommend a limit of 2^38 records. That's Quynh's preferred number,
>>>>> >>and is unsupported by our analysis.
>>>>> >
>>>>> >What is problem with my suggestion even with the record size being the
>>>>> >maximum value?
>>>>>
>>>>> There may be no problem with your suggestion. I was simply trying to
>>>>> make it
>>>>> clear that 2^38 records was your suggestion for the record limit and
>>>>> not ours.
>>>>> Indeed, if one reads our note carefully, one will find that we do not
>>>>> make any
>>>>> specific recommendations. We consider the decision to be one for the
>>>>> WG;
>>>>> our preferred role is to supply the analysis and help interpret it if
>>>>> people
>>>>> want that. Part of that involves correcting possible misconceptions
>>>>> and
>>>>> misinterpretations before they get out of hand.
>>>>>
>>>>> Now 2^38 does come out of our analysis if you are willing to accept
>>>>> single key
>>>>> attack security (in the indistinguishability sense) of 2^{-32}. So in
>>>>> that limited
>>>>> sense, 2^38 is supported by our analysis. But it is not our
>>>>> recommendation.
>>>>>
>>>>> But, speaking now in a personal capacity, I consider that security
>>>>> margin to be
>>>>> too small (i.e. I think that 2^{-32} is too big a success
>>>>> probability).
>>>>
>>>>
>>>> To be clear, this probability is that an attacker would be able to
>>>> take a huge (4+ Petabyte) ciphertext, and a compatibly sized potential
>>>> (but incorrect) plaintext, and with probability 2^{-32}, be able to
>>>> determine that this plaintext was not the one used for the ciphertext
>>>> (and with probability 0.999999999767..., know nothing about whether
>>>> his guessed plaintext was correct or not).
>>>>
>>>> I'm just trying to get people to understand what we're talking about.
>>>> This is not "with probability 2^{-32}, he can recover the plaintext"
>>>>
>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> Kenny
>>>>
>>>>
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email