On Tue, Dec 15, 2015 at 7:59 PM, Henrick Hellström <henr...@streamsec.se> wrote:
> On 2015-12-16 01:31, Watson Ladd wrote:
>>
>> You don't understand the issue. The issue is PRP not colliding, whereas
>> PRF can.
>
>
> Oh, but I concur. This means that if you observe two same valued cipher text
> blocks, you know that the corresponding key stream blocks can't be
> identical, and deduce that the corresponding plain text blocks have to be
> different. Such observations consequently leak information about the plain
> text, in the rare and unlikely event they actually occur.
>
> However, calling it an exploitable weakness is a bit of a stretch. AES-CBC
> is likely to lose confidentiality slightly faster, for typical plain texts.
The problem is that once you stack enough of those negligible probabilities together, you end up with something big. Push up to 2^{63} bytes, and the collision probability is 1/4 or 1/2 (I didn't recompute it just now). And while the definition seems to involve only a minor loss of security, that's the definition people use for security. Using 2^{-64} as a success probability ensures that attackers who can exploit multiple connections are still defended against.

Could we do better with 2^{-32}? Sure. But at this point we're saying you can transport over 16 Gbyte of data before rekeying: I think that's enough for almost all purposes.

-- 
"Man is born free, but everywhere he is in chains". --Rousseau.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
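As an added illustration (not code from the thread or from either poster), the arithmetic behind the PRP-versus-PRF point above: the standard PRP/PRF switching-lemma bound q(q-1)/2^(n+1) on the probability that q keystream blocks collide, the data volume per key that keeps that bound under a chosen advantage, and a toy-scale simulation on 16-bit blocks showing that a random permutation never repeats a keystream block while a random function does at roughly the rate the bound predicts. Assumptions are labelled in the code: a 128-bit block cipher used as a counter-mode keystream generator (16 bytes per block), and the function names are my own.

```python
"""Birthday-bound arithmetic for the PRP-versus-PRF question, plus a toy
simulation. Added illustration, not code from the thread. Assumptions:
a 128-bit block cipher (AES) driven in counter mode, 16 bytes per block,
and the standard PRP/PRF switching-lemma bound q(q-1)/2^(n+1)."""
import math
import random

BLOCK_BITS = 128            # assumption: AES-sized blocks
BLOCK_BYTES = BLOCK_BITS // 8


def blocks_for_bytes(nbytes: int, block_bytes: int = BLOCK_BYTES) -> int:
    """Keystream blocks consumed by nbytes of data (ceiling division)."""
    return -(-nbytes // block_bytes)


def switching_bound(q: int, block_bits: int = BLOCK_BITS) -> float:
    """Switching-lemma bound q(q-1)/2^(n+1).

    Upper-bounds the advantage of telling a random n-bit permutation from a
    random n-bit function after q queries, equivalently the probability that
    q uniformly random n-bit keystream blocks contain a repeat. A PRP such as
    AES never repeats a keystream block under one key, which is exactly the
    observable difference discussed in the thread."""
    return q * (q - 1) / 2 ** (block_bits + 1)


def max_bytes_for_advantage(eps_log2: int, block_bits: int = BLOCK_BITS,
                            block_bytes: int = BLOCK_BYTES) -> int:
    """Largest byte volume under one key whose switching bound stays at or
    below 2^eps_log2 (eps_log2 is negative, e.g. -64 for 2^-64)."""
    if block_bits + 1 + eps_log2 < 0:
        raise ValueError("advantage target smaller than 2^-(n+1)")
    # Need q(q-1) <= 2^(n+1) * 2^eps_log2: start one above the integer
    # square root and step down until the inequality holds.
    target = 2 ** (block_bits + 1 + eps_log2)
    q = math.isqrt(target) + 1
    while q * (q - 1) > target:
        q -= 1
    return q * block_bytes


def keystream_has_collision(block_bits: int, q: int, permutation: bool,
                            rng: random.Random) -> bool:
    """Encrypt counters 0..q-1 under a fresh random permutation (PRP) or a
    fresh random function (PRF) on block_bits-bit blocks and report whether
    any two keystream blocks coincide. Toy block sizes only."""
    space = 2 ** block_bits
    if permutation:
        blocks = rng.sample(range(space), q)        # distinct by construction
    else:
        blocks = [rng.randrange(space) for _ in range(q)]
    return len(set(blocks)) < q


def collision_rate(block_bits: int, q: int, permutation: bool,
                   trials: int = 2000, seed: int = 1) -> float:
    """Fraction of independent (constructed) keys under which a q-block
    keystream contains a repeated block."""
    rng = random.Random(seed)
    hits = sum(keystream_has_collision(block_bits, q, permutation, rng)
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for nbytes in (2 ** 34, 2 ** 50, 2 ** 63):
        q = blocks_for_bytes(nbytes)
        print(f"2^{nbytes.bit_length() - 1} bytes -> {q} blocks, "
              f"collision bound 2^{math.log2(switching_bound(q)):.1f}")
    for e in (-64, -32):
        print(f"advantage <= 2^{e}: up to "
              f"{max_bytes_for_advantage(e):,} bytes per key")
    q, bits = 256, 16
    print(f"toy {bits}-bit blocks, {q} blocks: bound "
          f"{switching_bound(q, bits):.3f}, PRF collision rate "
          f"{collision_rate(bits, q, False):.3f}, PRP collision rate "
          f"{collision_rate(bits, q, True):.3f}")
```

The simulation uses 16-bit blocks so that the whole output space can be sampled; the bound is tight enough at that scale that the measured PRF collision rate lands a little below it, while the PRP rate is identically zero. For real block sizes only the arithmetic functions are meaningful, and the rekeying volume they return depends entirely on the advantage target one is willing to accept, which is the choice the post is arguing about.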