A record in the record layer has a maximum size of 16KB ($2^{14}$).
There is, as best I can tell, no official limit on the key lifetime or on the number of bytes that can be pushed through a single TLS except the limit on record sequence numbers of $2^{64}-1$. Combined with the max record size, that's $2^{78}$ bytes, or 256 exabytes, which is a bloody lot of data. So, if the lifetime of a session needs to be limited, it has to be done by breaking the connection and renegotiating. Apparently, adding a key renegotiate feature was considered for TLS 1.3, but doesn't seem to have been included.
Luykx and Paterson wrote up a short (8 page) summary recommending limits for TLS with different cryptosystems. (My copy is dated Aug. 2017, but the paper was referred to in Apr. 2016.) http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf
Unfortunately, that paper has good references but doesn't go through the complete reasoning, so going one level deeper in the reading is really necessary.
In April 2016, Mozilla moved to limit the length of a connection, based on those results:
https://bugzilla.mozilla.org/show_bug.cgi?id=1268745
They set AES-CBC to about $2^{34.5}$, or about 24 billion records, about 400 terabytes max. That should give a probability of $2^{-57}$ of "ciphertext integrity [being] breached", though I'm a little unclear on exactly what that means here -- is this just birthday bound leaking some plaintext, or is this compromise of the entire session key? Figuring that out will take more digging, since they express things differently than most of the resources I used above.
No comments:
Post a Comment