> -----Original Message-----
> From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Fedor Brunner
> Sent: Thursday, May 12, 2016 4:10 AM
> To: tls@ietf.org
> Subject: [TLS] removing 128-bit ciphers in TLS 1.3
> 
> Because of these attacks:
> 
> https://blog.cr.yp.to/20151120-batchattacks.html
> 
> could you please consider obsoleting 128-bit ciphers in TLS 1.3.

But that attack isn't effective against the GCM-based cipher suite in TLS 1.2.

GCM (as implemented in TLS 1.2) has both sides agree on a 32 bit salt as a part 
of the key agreement; a batch attack (such as Bernstein describes) doesn't work 
unless you happen to guess the 128 bit key *and* the 32 bit salt; hence if 
you've collected 2**N TLS sessions, then the attacker would need a work effort 
of about 2**(160-N) to happen to be able to decrypt 1 random session.  If we 
estimate N=50 (literally, 1 quadrillion TLS sessions, which I suspect is in the 
ballpark for number of TLS sessions world-wide), this would put the work effort 
at 2**110.

I suspect that's a bit much, even for the NSA.

> 
> For example AES-128 encryption has been removed from Suite B
> 
> https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

One could argue that perhaps the reason NSA removed it from Suite B was because 
they couldn't break it; hence that would be an excellent reason to keep it :-)

Attempts at humor aside, I believe their reason was that they think AES-128 was 
insufficiently strong against a Quantum Computer.  Now, I rather think that we 
should be moving TLS to use Quantum Resistant cryptography; but as of right 
now, TLS is rather far from that goal, and the symmetric key size is a minor 
issue; how we perform key exchange and authentication are much harder, and much 
more immediately important.


Now, I wouldn't be against going only to AES-256 (the cost delta isn't that 
much); however if we do it, it should be for valid reasons...
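As an added illustration of the salt argument above (example code, not from the thread or any TLS implementation): the TLS 1.2 key expansion below, following RFC 5246 and RFC 5288, shows that the 4-byte GCM salt is derived from the same PRF output as the encryption key, so a guessed key is only useful together with the matching salt; the work-factor helper reproduces the 2**(160-N) estimate. The master secret and random values are constructed sample inputs.

```python
import hmac
import hashlib

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5): chained HMAC A(i) values."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for SHA-256 suites."""
    return p_sha256(secret, label + seed, length)

def aes128_gcm_key_block(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Split the key_block of an AES-128-GCM suite (RFC 5246 6.3, RFC 5288).
    AEAD suites have no MAC keys: each direction gets a 16-byte key and a
    4-byte implicit IV, the 'salt' that prefixes every GCM nonce of the session."""
    block = tls12_prf(master_secret, b"key expansion",
                      server_random + client_random, 2 * 16 + 2 * 4)
    return {
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_salt": block[32:36],
        "server_write_salt": block[36:40],
    }

def gcm_nonce(salt: bytes, explicit: bytes) -> bytes:
    """RFC 5288 nonce: 4-byte implicit salt || 8-byte explicit part sent in the record."""
    assert len(salt) == 4 and len(explicit) == 8
    return salt + explicit

def batch_attack_work_bits(key_bits: int, salt_bits: int, log2_sessions: int) -> int:
    """log2 of the trials needed to decrypt one of 2**log2_sessions sessions when the
    key and the per-session salt must be guessed together (the estimate in the reply)."""
    return key_bits + salt_bits - log2_sessions

if __name__ == "__main__":
    # Constructed sample values, not material from a real handshake.
    ms, cr, sr = b"\x11" * 48, b"\x22" * 32, b"\x33" * 32
    kb = aes128_gcm_key_block(ms, cr, sr)
    print("client salt:", kb["client_write_salt"].hex())
    print("AES-128-GCM with salt, N=50:", batch_attack_work_bits(128, 32, 50), "bits")  # 110
    print("AES-128 without salt, N=50:", batch_attack_work_bits(128, 0, 50), "bits")    # 78
```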

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls