Hi Tony,

Thanks for bringing this up; an RFC deprecating and/or discouraging 3DES would be a good thing. The only good reason to use it is backwards compatibility, and too many applications don’t heed the birthday bound.

There is another issue to be considered, though. Most of the lightweight “designed for IoT” block ciphers have a 64 bit block size (and sometimes even smaller); see for instance Table 1.1 of https://eprint.iacr.org/2013/404.pdf. So perhaps what the Internet needs here is sound guidance on how to use 64-bit block ciphers. Best practices here include both mandatory rekeying well below the birthday bound and/or the use of secure beyond the birthday bound modes of operation such as Iwata’s CENC.

Best,

David

From: Cfrg <cfrg-boun...@irtf.org> on behalf of Tony Arcieri <basc...@gmail.com>
Date: Wednesday, August 24, 2016 at 10:08 PM
To: "tls@ietf.org" <tls@ietf.org>, "c...@irtf.org" <c...@irtf.org>
Subject: [Cfrg] 3DES diediedie

This attack was published today[*]: https://sweet32.info/

I bring it up because I think the threat model is similar to the threats that led to RC4 "diediedie" https://www.rfc-editor.org/info/rfc7465

Should there be a 3DES "diediedie"? I believe 3DES is MTI for TLS 1.0/1.1(?) but I think it would make sense for it to be banned from TLS 1.3.

[*] Lest anyone claim the contrary, I am not surprised by this attack, and have pushed to have 3DES removed from TLS prior to the publication of this attack, and can probably find a TLS implementer who can back me up on that.

--
Tony Arcieri
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
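The "rekey well below the birthday bound" advice in David's reply is easy to state and easy to get wrong in practice, so here is an added worked example (not code from either poster, nor from any TLS implementation) that puts numbers on it for 64-bit and 128-bit block ciphers. It estimates the birthday-bound collision probability for a given traffic volume, derives a per-key block budget from a chosen probability threshold, and wraps that budget in a small accounting object that tells the sender when a fresh key is required. The threshold of 2^-32 is a constructed policy value, not one taken from the thread, the `RekeyingPolicy` class is a hypothetical helper standing in for whatever a real protocol uses to rotate keys, and beyond-birthday-bound modes such as CENC are not modelled here.

```python
import math


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Birthday-bound estimate of P(some ciphertext block repeats) after
    encrypting n_blocks distinct blocks with a b-bit block cipher:
    1 - exp(-n(n-1) / 2^(b+1)).  A repeated block is what the Sweet32
    attack on 64-bit ciphers relies on, so this is the risk being bounded."""
    space = 2.0 ** block_bits
    return -math.expm1(-n_blocks * (n_blocks - 1) / (2 * space))


def max_blocks(block_bits: int, max_probability: float) -> int:
    """Largest block count n with n^2 / 2^(b+1) <= max_probability, i.e. the
    per-key budget that keeps the collision probability under the chosen
    threshold.  The threshold is a policy choice (constructed here)."""
    return math.isqrt(int(max_probability * 2 ** (block_bits + 1)))


class RekeyingPolicy:
    """Hypothetical helper: accounts for traffic encrypted under the current
    key and demands a fresh key before the per-key block budget runs out."""

    def __init__(self, block_bits: int, max_probability: float) -> None:
        self.block_bytes = block_bits // 8
        self.budget_blocks = max_blocks(block_bits, max_probability)
        self.used_blocks = 0
        self.keys_used = 1

    def needs_rekey(self, nbytes: int) -> bool:
        """True if encrypting nbytes more under the current key would exceed
        the budget; the caller must rekey before encrypting."""
        blocks = -(-nbytes // self.block_bytes)  # ceiling division
        if blocks > self.budget_blocks:
            raise ValueError("single message exceeds the per-key budget")
        return self.used_blocks + blocks > self.budget_blocks

    def charge(self, nbytes: int) -> None:
        """Record nbytes as encrypted under the current key."""
        self.used_blocks += -(-nbytes // self.block_bytes)

    def rekey(self) -> None:
        """Install a fresh key (simulated) and reset the budget."""
        self.used_blocks = 0
        self.keys_used += 1


def keys_needed(block_bits: int, total_bytes: int, record_bytes: int,
                max_probability: float = 2 ** -32) -> int:
    """Simulate sending total_bytes in record_bytes-sized records and return
    how many keys the policy forced the sender through."""
    policy = RekeyingPolicy(block_bits, max_probability)
    remaining = total_bytes
    while remaining > 0:
        size = min(record_bytes, remaining)
        if policy.needs_rekey(size):
            policy.rekey()
        policy.charge(size)
        remaining -= size
    return policy.keys_used


if __name__ == "__main__":
    # Constructed scenario: 2^32 blocks of a 64-bit cipher is 32 GiB, the
    # volume at which a collision is more likely than not to be close.
    print(f"64-bit block, 2^32 blocks:  P(collision) ~ "
          f"{collision_probability(64, 2 ** 32):.2f}")
    print(f"128-bit block, 2^32 blocks: P(collision) ~ "
          f"{collision_probability(128, 2 ** 32):.2e}")
    for bits in (64, 128):
        budget = max_blocks(bits, 2 ** -32)
        print(f"{bits}-bit block, p <= 2^-32: rekey every {budget} blocks "
              f"({budget * bits // 8} bytes)")
    print("keys for 1 MB of 1000-byte records, 64-bit: ",
          keys_needed(64, 1_000_000, 1000))
    print("keys for 1 MB of 1000-byte records, 128-bit:",
          keys_needed(128, 1_000_000, 1000))
```

The contrast the numbers draw is the point of the thread: with a 64-bit block and a 2^-32 target, a key is good for under a megabyte before the policy forces rotation, whereas a 128-bit block allows roughly 2^32 times more traffic under the same key, which is why long-lived 3DES sessions that never rekey run straight into the birthday bound.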