Eric Rescorla <e...@rtfm.com> writes:

> Watson kindly prepared some text that described the limits on what's safe
> for AES-GCM and restricting all algorithms with TLS 1.3 to that lower
> limit (2^{36} bytes), even though ChaCha doesn't have the same
> restriction.
Can we see a brief writeup explaining the 2^36 number?

I don't like re-keying. It is usually a sign that your primitives are too weak and you are attempting to hide that fact. To me, it is similar to discarding the first X bytes of RC4 output.

If AES-GCM cannot provide confidentiality beyond 64GB (which would surprise me somewhat), I believe we ought to be careful about recommending it. Of course, the devil is in the details: if the risk is that the secret key is leaked, that's fatal; if the risk is that the attacker can tell whether two particular 128-byte plaintext blocks are the same or not in the entire file, that is a risk we can live with (similar to the discard-X-bytes-of-RC4 fix).

I believe 64GB is within the range that people download in a web browser these days. More data-intensive, longer-running protocols often transfer significantly more.

/Simon
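The 2^36 figure Simon asks about comes from the birthday bound on AES in counter mode, which is what GCM uses for confidentiality. As an added illustration (not part of the thread, and assuming the plain PRP/PRF switching bound sigma*(sigma-1)/2^129 rather than the exact GCM analysis behind the draft's number), the script below computes that bound for a given data volume and simulates the only thing the bound lets an attacker observe, keystream repeats, on a toy 16-bit block cipher; all function names are constructed here.

```python
import math
import random

AES_BLOCK_BITS = 128


def repeat_prob_log2(num_bytes: int, n_bits: int = AES_BLOCK_BITS) -> float:
    """log2 of sigma*(sigma-1)/2^(n+1): the chance that sigma random n-bit blocks
    contain a repeat, where sigma is the number of blocks in num_bytes.
    By the PRP/PRF switching lemma this also bounds how well an attacker can tell
    a CTR keystream from truly random bits (assumption: this simple bound, not the
    exact GCM analysis the draft used)."""
    sigma = num_bytes // (n_bits // 8)
    return math.log2(sigma) + math.log2(sigma - 1) - (n_bits + 1)


def max_bytes_log2(target_adv_log2: float, n_bits: int = AES_BLOCK_BITS) -> float:
    """Inverse of the above: log2 of the data volume (in bytes) at which the bound
    reaches 2^target_adv_log2, solving sigma^2 / 2^(n+1) = adv for sigma."""
    sigma_log2 = (n_bits + 1 + target_adv_log2) / 2
    return sigma_log2 + math.log2(n_bits // 8)


def keystream_repeats(sigma: int, n_bits: int, prp: bool, seed: int = 1) -> int:
    """Count repeated keystream blocks after sigma blocks of CTR mode over a toy
    n_bits-bit block (kept small so a random permutation fits in memory).
    prp=True models a block cipher: distinct counters give distinct outputs, so
    the count is always 0. prp=False models ideal random bits, which do repeat.
    An attacker who watches for a repeat and never sees one learns only that no
    two plaintext blocks satisfy P_i xor P_j == C_i xor C_j; the key is not exposed."""
    rng = random.Random(seed)  # seeded so the toy run is reproducible
    if prp:
        perm = list(range(1 << n_bits))
        rng.shuffle(perm)
        ks = [perm[ctr] for ctr in range(sigma)]
    else:
        ks = [rng.getrandbits(n_bits) for _ in range(sigma)]
    return len(ks) - len(set(ks))


if __name__ == "__main__":
    print("2^36 bytes under AES-GCM: advantage bound 2^%.1f" % repeat_prob_log2(1 << 36))
    print("bytes before the bound reaches 2^-60: 2^%.1f" % max_bytes_log2(-60))
    for prp in (True, False):
        kind = "permutation" if prp else "random function"
        print("toy 16-bit block, 4096 blocks, %s: %d repeats"
              % (kind, keystream_repeats(4096, 16, prp)))
```

For 2^36 bytes (2^32 blocks) the bound works out to roughly 2^-65, and the toy run shows the permutation producing zero repeats where a random function produces many, which is exactly the distinguishing signal the data limit is meant to keep negligible.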
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls