On Fri, Aug 26, 2016 at 10:55 AM, David McGrew (mcgrew) <[email protected]> wrote:
> Hi Tony,
>
> Thanks for bringing this up; an RFC deprecating and/or discouraging 3DES
> would be a good thing. The only good reason to use it is backwards
> compatibility, and too many applications don’t heed the birthday bound.
>
> There is another issue to be considered, though. Most of the lightweight
> “designed for IoT” block ciphers have a 64 bit block size (and sometimes
> even smaller); see for instance Table 1.1 of
> https://eprint.iacr.org/2013/404.pdf So perhaps what the Internet needs
> here is sound guidance on how to use 64-bit block ciphers. Best practices
> here include both mandatory rekeying well below the birthday bound and/or
> the use of secure beyond the birthday bound modes of operation such as
> Iwata’s CENC.

Or use PRF instead of PRP for counter mode. I'm happy to check the arithmetic if we want an RFC for this, but am very overcommitted on editing right now.

>
> Best,
>
> David
>
> From: Cfrg <[email protected]> on behalf of Tony Arcieri
> <[email protected]>
> Date: Wednesday, August 24, 2016 at 10:08 PM
> To: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
> Subject: [Cfrg] 3DES diediedie
>
> This attack was published today[*]:
>
> https://sweet32.info/
>
> I bring it up because I think the threat model is similar to the threats
> that led to RC4 "diediedie"
>
> https://www.rfc-editor.org/info/rfc7465
>
> Should there be a 3DES "diediedie"?
>
> I believe 3DES is MTI for TLS 1.0/1.1(?) but I think it would make sense for
> it to be banned from TLS 1.3.
>
> [*] Lest anyone claim the contrary, I am not surprised by this attack, and
> have pushed to have 3DES removed from TLS prior to the publication of this
> attack, and can probably find a TLS implementer who can back me up on that.
>
> --
> Tony Arcieri
>
>
> _______________________________________________
> TLS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/tls
>

--
"Man is born free, but everywhere he is in chains".
--Rousseau.
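
The quoted guidance on "mandatory rekeying well below the birthday bound" can be turned into a concrete per-key data limit. The following is an added example, not part of the original messages: the function names and the target collision probabilities are illustrative assumptions, and cipher output blocks are modelled as uniformly random.

```python
import math

def collision_probability(block_bits: int, blocks: int) -> float:
    """Birthday approximation of P(two of `blocks` uniform n-bit blocks are equal)."""
    # p = 1 - exp(-q(q-1) / 2^(n+1)); expm1 keeps precision when p is tiny.
    return -math.expm1(-blocks * (blocks - 1) / 2.0 ** (block_bits + 1))

def max_blocks(block_bits: int, p_max: float) -> int:
    """Largest block count under one key with collision probability <= p_max."""
    if not 0.0 < p_max < 1.0:
        raise ValueError("p_max must be strictly between 0 and 1")
    # Invert the approximation: q(q-1) <= -ln(1 - p_max) * 2^(n+1) =: limit
    limit = int(-math.log1p(-p_max) * 2.0 ** (block_bits + 1))
    # Largest integer q with q(q-1) <= limit, via exact integer square root.
    return (1 + math.isqrt(1 + 4 * limit)) // 2

def rekey_limit_bytes(block_bits: int, p_max: float) -> int:
    """Bytes that may be encrypted under one key before rekeying."""
    return max_blocks(block_bits, p_max) * (block_bits // 8)

if __name__ == "__main__":
    # Assumed policy targets (illustrative, not taken from the thread).
    for name, bits in (("64-bit block (e.g. 3DES)", 64), ("128-bit block (e.g. AES)", 128)):
        for exp in (10, 20, 32):
            limit = rekey_limit_bytes(bits, 2.0 ** -exp)
            print(f"{name:26s} p <= 2^-{exp:<2d}: rekey after {limit:.3e} bytes")
    # At the birthday bound itself (2^32 blocks = 32 GiB for a 64-bit block)
    # a collision is already likely, which is why the limit must sit far below it.
    print(f"64-bit block at 2^32 blocks: p = {collision_probability(64, 2**32):.3f}")
```
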
