> -----Original Message-----
> From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Fedor Brunner
> Sent: Thursday, May 12, 2016 4:10 AM
> To: tls@ietf.org
> Subject: [TLS] removing 128-bit ciphers in TLS 1.3
>
> > Because of these attacks:
> >
> > https://blog.cr.yp.to/20151120-batchattacks.html
> >
> > could you please consider obsoleting 128-bit ciphers in TLS 1.3.
But that attack isn't effective against the GCM-based cipher suite in TLS 1.2. GCM (as implemented in TLS 1.2) has both sides agree on a 32 bit salt as a part of the key agreement; a batch attack (such as Bernstein describes) doesn't work unless you happen to guess the 128 bit key *and* the 32 bit salt; hence if you've collected 2**N TLS sessions, then the attacker would need a work effort of about 2**(160-N) to happen to be able to decrypt 1 random session. If we estimate N=50 (literally, 1 quadrillion TLS sessions, which I suspect is in the ballpark for the number of TLS sessions world-wide), this would put the work effort at 2**110. I suspect that's a bit much, even for the NSA.

> > For example AES-128 encryption has been removed from Suite B
> >
> > https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

One could argue that perhaps the reason NSA removed it from Suite B is because they couldn't break it; hence that would be an excellent reason to keep it :-)

Attempts at humor aside, I believe their reason was that they think AES-128 is insufficiently strong against a Quantum Computer. Now, I rather think that we should be moving TLS to use Quantum Resistant cryptography; but as of right now, TLS is rather far from that goal, and the symmetric key size is a minor issue; how we perform key exchange and authentication are much harder, and much more immediately important.

Now, I wouldn't be against going only to AES-256 (the cost delta isn't that much); however if we do it, it should be for valid reasons...

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
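The work-factor argument in the reply above, written out as a small cost model (an added example, not code from the thread or from any TLS implementation). It generalizes the reply's single case: the key width, the width of any secret per-session salt, and the log2 number of captured sessions are all parameters, so the same function compares a bare 128-bit key (the setting of the batch-attack blog post) against TLS 1.2 AES-GCM, where RFC 5288 builds the GCM nonce from a 4-byte implicit salt taken from the key block plus an 8-byte explicit nonce. The function names and the session counts are the example's own assumptions.

```python
"""Cost model for a multi-target ("batch") key search.

Model (constructed for this example): an attacker has captured 2**n
sessions and is happy to decrypt any one of them. Each trial guess of
the secret material matches a given session only if every secret bit
agrees, so with a k-bit key and an s-bit secret salt the effective
secret is (k + s) bits wide, and the expected number of trials before
one of the 2**n sessions is hit is 2**(k + s - n).
"""

AES128_KEY_BITS = 128
AES256_KEY_BITS = 256
# TLS 1.2 AES-GCM (RFC 5288): the 4-byte "salt" part of the nonce is the
# client_write_IV / server_write_IV, derived from the key block and never
# sent on the wire, so it is secret material the attacker must also guess.
TLS12_GCM_SALT_BITS = 32


def batch_attack_log2_work(key_bits: int, secret_salt_bits: int, log2_sessions: int) -> int:
    """log2 of the expected trials to decrypt *some* one of 2**log2_sessions
    captured sessions, when key and secret salt must both be guessed."""
    if min(key_bits, secret_salt_bits, log2_sessions) < 0:
        raise ValueError("bit widths and session exponent must be non-negative")
    total_secret_bits = key_bits + secret_salt_bits
    # Work can never go below one trial (2**0), whatever the session count.
    return max(total_secret_bits - log2_sessions, 0)


def batch_attack_gain_bits(key_bits: int, secret_salt_bits: int, log2_sessions: int) -> int:
    """How many bits of security the batch attack shaves off, compared with
    attacking a single session (2**(key_bits + secret_salt_bits) trials)."""
    single = key_bits + secret_salt_bits
    return single - batch_attack_log2_work(key_bits, secret_salt_bits, log2_sessions)


def tls12_gcm_nonce(implicit_salt: bytes, explicit_nonce: bytes) -> bytes:
    """Assemble the 96-bit GCM nonce as RFC 5288 lays it out:
    4-byte implicit salt (from the key block) || 8-byte explicit nonce."""
    if len(implicit_salt) != 4:
        raise ValueError("implicit salt must be 4 bytes")
    if len(explicit_nonce) != 8:
        raise ValueError("explicit nonce must be 8 bytes")
    return implicit_salt + explicit_nonce


def compare_scenarios(log2_sessions: int) -> dict:
    """Side-by-side log2 work for the reply's scenario and its alternatives."""
    return {
        "aes128_no_salt": batch_attack_log2_work(AES128_KEY_BITS, 0, log2_sessions),
        "aes128_tls12_gcm": batch_attack_log2_work(AES128_KEY_BITS, TLS12_GCM_SALT_BITS, log2_sessions),
        "aes256_tls12_gcm": batch_attack_log2_work(AES256_KEY_BITS, TLS12_GCM_SALT_BITS, log2_sessions),
    }


if __name__ == "__main__":
    # N = 50 is the reply's estimate (~1 quadrillion sessions world-wide).
    for name, bits in compare_scenarios(50).items():
        print(f"{name:18s} 2**{bits}")
    # Constructed sample values: a key-block salt and a record counter.
    print(tls12_gcm_nonce(b"\x01\x02\x03\x04", (7).to_bytes(8, "big")).hex())
```

For N = 50 the model reproduces the reply's 2**110 for AES-128-GCM in TLS 1.2, and shows the 2**78 an attacker would face if the 32-bit salt were public. The salt only helps while it stays secret; a design that transmits the full nonce in clear, or derives it from public values, is back to the plain multi-target figure.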