On Fri, Aug 26, 2016 at 10:55 AM, David McGrew (mcgrew) <mcg...@cisco.com> wrote:
> Hi Tony,
>
> Thanks for bringing this up; an RFC deprecating and/or discouraging 3DES
> would be a good thing. The only good reason to use it is backwards
> compatibility, and too many applications don’t heed the birthday bound.
>
> There is another issue to be considered, though. Most of the lightweight
> “designed for IoT” block ciphers have a 64 bit block size (and sometimes
> even smaller); see for instance Table 1.1 of
> https://eprint.iacr.org/2013/404.pdf So perhaps what the Internet needs
> here is sound guidance on how to use 64-bit block ciphers. Best practices
> here include both mandatory rekeying well below the birthday bound and/or
> the use of secure beyond the birthday bound modes of operation such as
> Iwata’s CENC.

Or use PRF instead of PRP for counter mode. I'm happy to check the arithmetic if we want an RFC for this, but am very overcommitted on editing right now.

>
> Best,
>
> David
>
> From: Cfrg <cfrg-boun...@irtf.org> on behalf of Tony Arcieri
> <basc...@gmail.com>
> Date: Wednesday, August 24, 2016 at 10:08 PM
> To: "tls@ietf.org" <tls@ietf.org>, "c...@irtf.org" <c...@irtf.org>
> Subject: [Cfrg] 3DES diediedie
>
> This attack was published today[*]:
>
> https://sweet32.info/
>
> I bring it up because I think the threat model is similar to the threats
> that lead to RC4 "diediedie"
>
> https://www.rfc-editor.org/info/rfc7465
>
> Should there be a 3DES "diediedie"?
>
> I believe 3DES is MTI for TLS 1.0/1.1(?) but I think it would make sense for
> it to be banned from TLS 1.3.
>
> [*] Lest anyone claim the contrary, I am not surprised by this attack, and
> have pushed to have 3DES removed from TLS prior to the publication of this
> attack, and can probably find a TLS implementer who can back me up on that.
>
> --
> Tony Arcieri
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

--
"Man is born free, but everywhere he is in chains". --Rousseau.
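As an added example (not part of the thread, and not code from any participant), here is the birthday-bound arithmetic McGrew's "mandatory rekeying well below the birthday bound" advice rests on, in Python. It computes the probability that at least two of n ciphertext blocks of a b-bit cipher collide, inverts that into a per-key data limit for a chosen risk budget, and, with a random 16-bit permutation standing in for a small-block cipher, shows what a CBC ciphertext collision gives an observer, which is why rekeying before collisions become likely is the defence. The function names, the 16-bit toy size and the 1e-6 risk budget are my own choices.

```python
import math
import random

BLOCK_BITS = 64  # 3DES and most lightweight "IoT" block ciphers, as the thread notes


def collision_probability(n_blocks: int, block_bits: int = BLOCK_BITS) -> float:
    """Probability that at least two of n_blocks b-bit ciphertext blocks are equal.

    Standard birthday approximation: 1 - exp(-n(n-1) / 2^(b+1)).
    """
    return 1.0 - math.exp(-n_blocks * (n_blocks - 1) / 2.0 ** (block_bits + 1))


def max_blocks_for_probability(p_max: float, block_bits: int = BLOCK_BITS) -> int:
    """Largest n with collision_probability(n) <= p_max, by inverting the approximation."""
    return int(math.sqrt(2.0 ** (block_bits + 1) * math.log(1.0 / (1.0 - p_max))))


def rekey_limit_bytes(p_max: float, block_bits: int = BLOCK_BITS) -> int:
    """Bytes that may be encrypted under one key before the collision risk exceeds p_max."""
    return max_blocks_for_probability(p_max, block_bits) * (block_bits // 8)


def toy_cbc_first_collision(seed: int, block_bits: int = 16, max_blocks: int = 1 << 14):
    """CBC-encrypt random plaintext under a random b-bit permutation (a stand-in for a
    small-block cipher) and return (i, j, leak_verified) for the first pair of equal
    ciphertext blocks C_i == C_j.

    Because C_i = E(P_i ^ C_{i-1}) and E is a permutation, equal ciphertext blocks mean
    equal cipher inputs, so P_i ^ P_j == C_{i-1} ^ C_{j-1}: the collision hands anyone
    who sees the ciphertext the XOR of two plaintext blocks. leak_verified checks that
    relation on the colliding pair.
    """
    rng = random.Random(seed)  # seeded so the demonstration is repeatable
    perm = list(range(1 << block_bits))
    rng.shuffle(perm)  # random permutation = idealised block cipher under one key
    prev = rng.getrandbits(block_bits)  # IV, kept as C_0 so indices line up
    plaintext, ciphertext = [], [prev]
    seen = {}
    for i in range(1, max_blocks + 1):
        p = rng.getrandbits(block_bits)
        c = perm[p ^ prev]
        plaintext.append(p)  # plaintext[i-1] is P_i
        ciphertext.append(c)  # ciphertext[i] is C_i
        if c in seen:
            j = seen[c]
            leak_ok = (plaintext[i - 1] ^ plaintext[j - 1]) == (ciphertext[i - 1] ^ ciphertext[j - 1])
            return i, j, leak_ok
        seen[c] = i
        prev = c
    return None  # no collision within max_blocks (vanishingly unlikely at these sizes)


def mean_first_collision(num_trials: int = 40, block_bits: int = 16) -> float:
    """Average index of the first CBC collision over several seeds. The birthday paradox
    predicts roughly sqrt(pi/2 * 2^b) blocks, about 321 for b = 16."""
    total = sum(toy_cbc_first_collision(s, block_bits)[0] for s in range(num_trials))
    return total / num_trials


if __name__ == "__main__":
    print("P(collision) after 2^32 blocks of a 64-bit cipher:", collision_probability(2 ** 32))
    print("Rekey limit for p <= 1e-6 (bytes):", rekey_limit_bytes(1e-6))
    print("Toy 16-bit CBC, first collision (i, j, leak verified):", toy_cbc_first_collision(1))
    print("Mean first-collision index over 40 toy runs:", mean_first_collision())
```

The numbers are what make the 64-bit block size the problem rather than 3DES specifically: at a 1e-6 risk budget a 64-bit cipher must be rekeyed after a few tens of megabytes, while the same formula for a 128-bit block allows on the order of 2^54 blocks. The reply's "PRF instead of PRP for counter mode" is the other side of the same bound: a permutation's counter-mode keystream never repeats a block, which is itself detectable near 2^(b/2) blocks, whereas a PRF carries no such birthday loss.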