On Tue, Dec 29, 2015 at 2:10 PM, Brian Smith wrote:
> Ilari Liusvaara wrote:
>>
>> OTOH, you can't drop an attacker knowing older key without doing
>> new key exchange.
>
>
> I think it would be very unfortunate to have the complexity of key update
On 01/01/2016 06:35 AM, Aaron Zauner wrote:
> This might be a good time to point again to my existing AES-OCB
> draft that hasn't really seen a lot of discussion nor love lately.
> It expired but I've recently updated the draft (not yet uploaded
> to IETF as I'm waiting for implementer feedback
I think it is a good idea to rekey AES-GCM after approximately 2^32
records, give or take a few magnitudes.
The question for me isn't whether AES-GCM requires frequent rekeying (it
does), but exactly how much complexity the rekeying mechanism would add,
to the protocol and to implementations.
On Fri, Jan 01, 2016 at 01:54:00PM +0100, Henrick Wibell Hellström wrote:
> I think it is a good idea to rekey AES-GCM after approximately 2^32 records,
> give or take a few magnitudes.
>
> The question for me isn't whether AES-GCM requires frequent rekeying (it
> does), but exactly how much
Hi Samuel,
* Samuel Neves [01/01/2016 12:19:36] wrote:
> OCB is, if anything, worse than GCM when it comes to data volume limits. It
> has the same confidentiality bounds as GCM
> (slightly worse, in fact), but once you hit a collision you also lose
> authenticity and enable
[Msg for followup picked at random from this thread -JimC]
One thing we should remember on this thread is that it does not only
apply to aes and its 128-bit block size.
Because TLS chose to create a NotQuiteChaCha rather than use ChaCha,
its chacha20poly1305 also has a small data volume limit
Quoting Aaron Zauner:
On the other hand, after 2^60 OCB messages of 2^16 blocks (and thus 2^76
total blocks), a block collision is almost guaranteed to have happened,
enabling the aforementioned forgeries.
Sure. Would you see any way to improve this situation in the draft,
On Fri, Jan 1, 2016 at 11:00 AM, James Cloos wrote:
> [Msg for followup picked at random from this thread -JimC]
>
> One thing we should remember on this thread is that it does not only
> apply to aes and its 128-bit block size.
>
> Because TLS chose to create a