Re: [TLS] Data volume limits

2016-01-01 Thread Watson Ladd
On Tue, Dec 29, 2015 at 2:10 PM, Brian Smith wrote:
> Ilari Liusvaara wrote:
>>
>> OTOH, you can't drop an attacker knowing older key without doing
>> new key exchange.
>
>
> I think it would be very unfortunate to have the complexity of key update

Re: [TLS] Data volume limits

2016-01-01 Thread Samuel Neves
On 01/01/2016 06:35 AM, Aaron Zauner wrote:
> This might be a good time to point again to my existing AES-OCB
> draft that hasn't really seen a lot of discussion nor love lately.
> It expired but I've recently updated the draft (not yet uploaded
> to IETF as I'm waiting for implementer feedback

Re: [TLS] Data volume limits

2016-01-01 Thread Henrick Wibell Hellström
I think it is a good idea to rekey AES-GCM after approximately 2^32 records, give or take a few magnitudes. The question for me isn't whether AES-GCM requires frequent rekeying (it does), but exactly how much complexity the rekeying mechanism would add, to the protocol and to implementations.

Re: [TLS] Data volume limits

2016-01-01 Thread Ilari Liusvaara
On Fri, Jan 01, 2016 at 01:54:00PM +0100, Henrick Wibell Hellström wrote:
> I think it is a good idea to rekey AES-GCM after approximately 2^32 records,
> give or take a few magnitudes.
>
> The question for me isn't whether AES-GCM requires frequent rekeying (it
> does), but exactly how much

Re: [TLS] Data volume limits

2016-01-01 Thread Aaron Zauner
Hi Samuel,

* Samuel Neves [01/01/2016 12:19:36] wrote:
> OCB is, if anything, worse than GCM when it comes to data volume limits. It
> has the same confidentiality bounds as GCM
> (slightly worse, in fact), but once you hit a collision you also lose
> authenticity and enable

Re: [TLS] Data volume limits

2016-01-01 Thread James Cloos
[Msg for followup picked at random from this thread -JimC]

One thing we should remember on this thread is that it does not only apply to aes and its 128-bit block size.

Because TLS chose to create a NotQuiteChaCha rather than use ChaCha, its chacha20poly1305 also has a small data volume limit

Re: [TLS] Data volume limits

2016-01-01 Thread Samuel Neves
Quoting Aaron Zauner: On the other hand, after 2^60 OCB messages of 2^16 blocks (and thus 2^76 total blocks), a block collision is almost guaranteed to have happened, enabling the aforementioned forgeries. Sure. Would you see any way to improve this situation in the draft,

Re: [TLS] Data volume limits

2016-01-01 Thread Eric Rescorla
On Fri, Jan 1, 2016 at 11:00 AM, James Cloos wrote:
> [Msg for followup picked at random from this thread -JimC]
>
> One thing we should remember on this thread is that it does not only
> apply to aes and its 128-bit block size.
>
> Because TLS chose to create a