Re: [IPsec] updating ESP and AH requirements (was: Call for agenda items)
Paul Hoffman wrote: You may be overstating that many people agree that it is worth doing, but it is certainly worth discussing. I'm definitely interested in that discussion, as I'm in the midst of an update to the IPsec requirements for iSCSI. David McGrew wrote: The issue is that 3DES has a 64-bit block instead of a 128-bit block; please see draft-irtf-cfrg-cipher-catalog-01 Section 2.2.3. (In retrospect, there should have been a citation in the draft.) That suggests that an explanation of the birthday bound concern along with a discussion of transmission rate and rekeying concerns would be appropriate for the ESP and AH requirements draft, as opposed to a blanket SHOULD NOT statement for 3DES. A 1 Gbit/sec link running encrypted at line rate can get to the 4 Gigabyte birthday bound stated in the cfrg draft fairly quickly, but a much slower throughput rate may take much longer before rekeying becomes necessary, if ever (e.g., a remote access session's entire traffic may be measured in 10s of Megabytes or less). Aside - there may be a math error in the draft. For a block size (w) of 64 (i.e., 2^6): - w * 2^(w/2) bits = 2^6 * 2^32 bits = 2^38 bits - 2^38 bits is 2^35 bytes (byte contains 8=2^3 bits) - 2^35 bytes is 2^5 gigabytes (gigabyte contains 2^30 bits). That would be 32 gigabytes, but this aside doesn't change the above discussion, as a 1 Gbit/sec rate will get there in a few minutes, and a 10 Gbit/sec rate will get there in under a minute. Moreover the draft warns (with good reason) that getting close to the birthday bound is not a good idea. Thanks, --David David L. Black, Distinguished Engineer EMC Corporation, 176 South St., Hopkinton, MA 01748 +1 (508) 293-7953 FAX: +1 (508) 293-7786 david.bl...@emc.com Mobile: +1 (978) 394-7754 -Original Message- From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of David McGrew (mcgrew) Sent: Tuesday, October 23, 2012 8:37 AM To: Paul Hoffman Cc: IPsecme WG; wajdi.k.fegh...@intel.com Subject: Re: [IPsec] updating ESP and AH requirements (was: Call for agenda items) On 10/22/12 8:32 PM, Paul Hoffman paul.hoff...@vpnc.org wrote: On Oct 22, 2012, at 4:55 PM, David McGrew (mcgrew) mcg...@cisco.com wrote: One thing that deserves to be on the agenda is a discussion of the need to update the ESP and AH crypto requirements, which have not been updated since 2007, and to provide guidance on how to use ESP and AH to achieve security goals. I have a draft proposing what that could look like, draft-mcgrew-ipsec-me-esp-ah-reqts-00. This is off-charter, but I believe that it is something that many people would agree is worth doing. You may be overstating that many people agree that it is worth doing, but it is certainly worth discussing. Of course, comments on the detailed requirements are welcome as well. Your listing of TripleDES as SHOULD NOT without any cryptographic justification might raise some eyebrows. The issue is that 3DES has a 64-bit block instead of a 128-bit block; please see draft-irtf-cfrg-cipher-catalog-01 Section 2.2.3. (In retrospect, there should have been a citation in the draft.) David --Paul Hoffman ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] updating ESP and AH requirements (was: Call for agenda items)
David Black wrote: David McGrew wrote: The issue is that 3DES has a 64-bit block instead of a 128-bit block; please see draft-irtf-cfrg-cipher-catalog-01 Section 2.2.3. (In retrospect, there should have been a citation in the draft.) That suggests that an explanation of the birthday bound concern along with a discussion of transmission rate and rekeying concerns would be appropriate for the ESP and AH requirements draft, as opposed to a blanket SHOULD NOT statement for 3DES. Would a MAY- be more appropriate? A 1 Gbit/sec link running encrypted at line rate can get to the 4 Gigabyte birthday bound stated in the cfrg draft fairly quickly, The problem is that the birthday bound is not a hard boundary, where you're perfectly safe if you stay below it, and becomes a concern only if you cross it. Instead, it's the pointer where the probability where you leak some data (specifically, the value of the exclusive-or of two 8 bytes segments of plaintext) is fairly good. However, this leakage can occur (with significantly lower probability) considerably before that. but a much slower throughput rate may take much longer before rekeying becomes necessary, if ever (e.g., a remote access session's entire traffic may be measured in 10s of Megabytes or less). If we consider a 50Megabyte remote access session encrypted with 3DES, there's approximately a 1 in a million probability that there will be some leakage (that is, someone going through the transcript will be able to deduce of value of the exclusive-or of two 8 byte segments). How bad would it be if someone could deduce that comparatively small amount of information? Is that probability low enough to be acceptable? Well, I don't know if we (the working group) can answer either question; they're far too dependent on what is being protected, and the security goals of the system. At the best, we could try to document the issues. On the other hand, what are the arguments for keeping 3DES? Ten years ago, that was the one cipher that everyone implemented, and so it was necessary for interoperability. However, nowadays, AES-128 appears to fill that role (and also doesn't have the above potential security concern); what reason would someone now have to implement 3DES rather than AES? ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] updating ESP and AH requirements (was: Call for agenda items)
On 10/22/12 8:32 PM, Paul Hoffman paul.hoff...@vpnc.org wrote: On Oct 22, 2012, at 4:55 PM, David McGrew (mcgrew) mcg...@cisco.com wrote: One thing that deserves to be on the agenda is a discussion of the need to update the ESP and AH crypto requirements, which have not been updated since 2007, and to provide guidance on how to use ESP and AH to achieve security goals. I have a draft proposing what that could look like, draft-mcgrew-ipsec-me-esp-ah-reqts-00. This is off-charter, but I believe that it is something that many people would agree is worth doing. You may be overstating that many people agree that it is worth doing, but it is certainly worth discussing. Of course, comments on the detailed requirements are welcome as well. Your listing of TripleDES as SHOULD NOT without any cryptographic justification might raise some eyebrows. The issue is that 3DES has a 64-bit block instead of a 128-bit block; please see draft-irtf-cfrg-cipher-catalog-01 Section 2.2.3. (In retrospect, there should have been a citation in the draft.) David --Paul Hoffman ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] updating ESP and AH requirements (was: Call for agenda items)
On Oct 22, 2012, at 4:55 PM, David McGrew (mcgrew) mcg...@cisco.com wrote: One thing that deserves to be on the agenda is a discussion of the need to update the ESP and AH crypto requirements, which have not been updated since 2007, and to provide guidance on how to use ESP and AH to achieve security goals. I have a draft proposing what that could look like, draft-mcgrew-ipsec-me-esp-ah-reqts-00. This is off-charter, but I believe that it is something that many people would agree is worth doing. You may be overstating that many people agree that it is worth doing, but it is certainly worth discussing. Of course, comments on the detailed requirements are welcome as well. Your listing of TripleDES as SHOULD NOT without any cryptographic justification might raise some eyebrows. --Paul Hoffman ___ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec