IETF Logo Mail Archive

Re: [Gen-art] Gen-art LC review of draft-ietf-tls-encrypt-then-mac-02

Sean Turner <TurnerS@ieca.com> Tue, 17 June 2014 10:54 UTC

Return-Path: <TurnerS@ieca.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CD601A0340 for <gen-art@ietfa.amsl.com>; Tue, 17 Jun 2014 03:54:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.957
X-Spam-Level:
X-Spam-Status: No, score=-0.957 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_FSL_HELO_BARE_IP_2=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7snsLIEBJx9I for <gen-art@ietfa.amsl.com>; Tue, 17 Jun 2014 03:54:01 -0700 (PDT)
Received: from gateway07.websitewelcome.com (gateway07.websitewelcome.com [69.56.216.30]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BABA81A0343 for <gen-art@ietf.org>; Tue, 17 Jun 2014 03:53:56 -0700 (PDT)
Received: by gateway07.websitewelcome.com (Postfix, from userid 5007) id 1F6E3AD367700; Tue, 17 Jun 2014 05:53:55 -0500 (CDT)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway07.websitewelcome.com (Postfix) with ESMTP id 753FAAD352E42 for <gen-art@ietf.org>; Tue, 17 Jun 2014 05:52:44 -0500 (CDT)
Received: from [96.231.225.192] (port=49918 helo=192.168.1.4) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <TurnerS@ieca.com>) id 1Wwr0N-0000Ls-0g; Tue, 17 Jun 2014 05:52:43 -0500
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Sean Turner <TurnerS@ieca.com>
In-Reply-To: <1402838624.2995.4557.camel@mightyatom>
Date: Tue, 17 Jun 2014 06:52:40 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <EE6543A5-1070-4C87-B000-23F77FC1E126@ieca.com>
References: <1402838624.2995.4557.camel@mightyatom>
To: Elwyn Davies <elwynd@dial.pipex.com>
X-Mailer: Apple Mail (2.1878.2)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 96.231.225.192
X-Exim-ID: 1Wwr0N-0000Ls-0g
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (192.168.1.4) [96.231.225.192]:49918
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 3
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: http://mailarchive.ietf.org/arch/msg/gen-art/7aViNCq81ucuRNGLr3yS8uAq2z0
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-tls-encrypt-then-mac.all@tools.ietf.org
Subject: Re: [Gen-art] Gen-art LC review of draft-ietf-tls-encrypt-then-mac-02
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jun 2014 10:54:05 -0000

On Jun 15, 2014, at 09:23, Elwyn Davies <elwynd@dial.pipex.com> wrote:

> I am the assigned Gen-ART reviewer for this draft. For background on
> Gen-ART, please see the FAQ at
> 
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> 
> Please resolve these comments along with any other Last Call comments
> you may receive.
> 
> Document: draft-ietf-tls-encrypt-then-mac-02.txt
> Reviewer: Elwyn Davies
> Review Date: 15 June 2014
> IETF LC End Date: 20 June 2014
> IESG Telechat date: (if known) -
> 
> Summary: Almost ready.
> 
> Major issues:
> 
> Minor issues:
> Header/Abstract/Intro: Doesn't this update RFC 6347 and either or both
> of RFC 6066 and RFC 5246 since it defines a new extension? 

My feeling is that it doesn’t update any of the drafts.  It documents a new optional extensions that implementations are free to implement so it need not update the base specs.  WRT including all the extensions in one draft, RFC 6066 defines many extensions but not all:

http://datatracker.ietf.org/doc/rfc6520/
http://datatracker.ietf.org/doc/rfc6961/

this is just another one.

> s3.1: [I am not a TLS expert so I may not have got this right...] If the
> rehandshake proposes to use a cipher that doesn't need encrypt-then-mac
> as per GenericStreamCiphers, or GenericAEADCiphers as mentioned in s3,
> then presumably this is allowed whether encrypt-then-mac had or had not
> been negotiated previously on the session.  It should be clarified
> whether this is allowed and, if it isn't, what the response should be.
> 
> If it is allowed and the session switches to a GenericStreamCipher, or a
> GenericAEADCipher, then it appears that if the original session was
> using encrypt-then-mac, a downgrade to a cipher that does need
> encrypt-then-mac but isn't using it could be achieved by using a second
> rehandshake without encrypt-then-mac since the first rehandshake goes to
> a situation that doesn't use encrypt-then-mac after the first
> rehandshake.   The solution seems to be to record whether the session
> ever used encrypt-then-mac rather than whether is is currently using it,
> and then apply the rules in s3.1 based on the record.  

I’ll leave this one to Peter.

> Nits/editorial comments:
> s3: (very nitty nit)  I think the MAC calculation piece would be clearer
> with what it updates noted before the update. Thus:
> 
> OLD
> In TLS [2] notation the MAC calculation is:
> 
>   MAC(MAC_write_key, seq_num +
>       TLSCipherText.type +
>       TLSCipherText.version +
>       TLSCipherText.length +
>       ENC(content + padding + padding_length));
> 
>   for TLS 1.0 without the explicit IV and:
> 
>   MAC(MAC_write_key, seq_num +
>       TLSCipherText.type +
>       TLSCipherText.version +
>       TLSCipherText.length +
>       IV +
>       ENC(content + padding + padding_length));
> 
>   for TLS 1.1 and greater with explicit IV (for DTLS the sequence
>   number is replaced by the combined epoch and sequence number as per
>   DTLS [4]).
> 
> NEW:
> In TLS [2] notation the MAC calculation is:
>  o For TLS 1.0 without the explicit IV
> 
>   MAC(MAC_write_key, seq_num +
>       TLSCipherText.type +
>       TLSCipherText.version +
>       TLSCipherText.length +
>       ENC(content + padding + padding_length));
> 
>  o For TLS 1.1 and greater with explicit IV
> 
>   MAC(MAC_write_key, seq_num +
>       TLSCipherText.type +
>       TLSCipherText.version +
>       TLSCipherText.length +
>       IV +
>       ENC(content + padding + padding_length));
> 
>  o For DTLS the sequence number in the TLS 1.1 description is replaced 
>    by the combined epoch and sequence number as per DTLS [4]).
> 
> s3, next to last para:
>> For DTLS, the record MUST be discarded and a fatal bad_record_mac MAY
>>   be generated [2].
> Shouldn't the reference here be [4] for DTLS? 

Nope - the bad_record_mac is defined in [2].  DTLS and TLS share some things: e.g., alert protocol values.

> s3.1 (last para)/s7.1: Shouldn't the TLS_ext reference [3] be to the updated RFC 6066?

At first I thought the answer was no, but since three people have commented on it I guess should be updated.

spt

v2.23.0 | Report a Bug | By Email