Sunday, June 07, 2020

4.1 TLS Records and Basic Limits

TLS consists of one primary protocol: the TLS Record Protocol.  On top of the TLS Record Protocol sit four protocols, one of which (the application data protocol) is used for the bulk data encryption, and the TLS Handshake Protocol, which utilizes public key cryptography to establish identity, securely creates a shared secret to be used for the bulk data encryption, and makes sure that this part of the process can't be modified by an attacker.  A third one of interest to us is the change cipher spec protocol.

A record in the record layer has a maximum size of 16KB ($2^{14}$).

There is, as best I can tell, no official limit on the key lifetime or on the number of bytes that can be pushed through a single TLS except the limit on record sequence numbers of $2^{64}-1$.  Combined with the max record size, that's $2^{78}$ bytes, or 256 exabytes, which is a bloody lot of data.  So, if the lifetime of a session needs to be limited, it has to be done by breaking the connection and renegotiating. Apparently, adding a key renegotiate feature was considered for TLS 1.3, but doesn't seem to have been included.

Luykx and Paterson wrote up a short (8 page) summary recommending limits for TLS with different cryptosystems. (My copy is dated Aug. 2017, but the paper was referred to in Apr. 2016.) http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf
Unfortunately, that paper has good references but doesn't go through the complete reasoning, so going one level deeper in the reading is really necessary.

In April 2016, Mozilla moved to limit the length of a connection, based on those results:
https://bugzilla.mozilla.org/show_bug.cgi?id=1268745
They set AES-CBC to about $2^{34.5}$, or about 24 billion records, about 400 terabytes max.  That should give a probability of $2^{-57}$ of "ciphertext integrity [being] breached", though I'm a little unclear on exactly what that means here -- is this just birthday bound leaking some plaintext, or is this compromise of the entire session key? Figuring that out will take more digging, since they express things differently than most of the resources I used above.

No comments:

Post a Comment