Re: [Gen-art] Gen-art LC review of draft-ietf-tls-encrypt-then-mac-02
Elwyn Davies <elwynd@dial.pipex.com> Wed, 18 June 2014 13:47 UTC
Return-Path: <elwynd@dial.pipex.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 396091A0259 for <gen-art@ietfa.amsl.com>; Wed, 18 Jun 2014 06:47:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.879
X-Spam-Level:
X-Spam-Status: No, score=-100.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MISSING_HEADERS=1.021, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VjaLQTbm8Okc for <gen-art@ietfa.amsl.com>; Wed, 18 Jun 2014 06:47:22 -0700 (PDT)
Received: from b.b.painless.aa.net.uk (b.painless.aa.net.uk [IPv6:2001:8b0:0:30::51bb:1e34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7431E1A0212 for <gen-art@ietf.org>; Wed, 18 Jun 2014 06:47:22 -0700 (PDT)
Received: from mightyatom.folly.org.uk ([81.187.254.250]) by b.painless.aa.net.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <elwynd@dial.pipex.com>) id 1WxGCr-00014m-6P; Wed, 18 Jun 2014 14:47:17 +0100
From: Elwyn Davies <elwynd@dial.pipex.com>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C738DEC8474@uxcn10-tdc06.UoA.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C738DEC8474@uxcn10-tdc06.UoA.auckland.ac.nz>
Content-Type: text/plain
Date: Wed, 18 Jun 2014 14:47:15 +0100
Message-Id: <1403099235.2995.5046.camel@mightyatom>
Mime-Version: 1.0
X-Mailer: Evolution 2.26.3
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/gen-art/G1TW5rb07u5TP9lvh90LvqACG80
Cc: "gen-art@ietf.org" <gen-art@ietf.org>, "draft-ietf-tls-encrypt-then-mac.all@tools.ietf.org" <draft-ietf-tls-encrypt-then-mac.all@tools.ietf.org>
Subject: Re: [Gen-art] Gen-art LC review of draft-ietf-tls-encrypt-then-mac-02
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jun 2014 13:47:24 -0000
Hi, Peter. On Tue, 2014-06-17 at 20:23 +0000, Peter Gutmann wrote: > Apologies for the slow reply, currently travelling with limited Internet > access... NP. Mainly about the rehandshake point (below)... I think the other points are sorted. > > >Header/Abstract/Intro: Doesn't this update RFC 6347 and either or both of RFC > >6066 and RFC 5246 since it defines a new extension? > > It doesn't really update any other RFC, it does add a new extension but then > the purpose of having generic extensions is that they don't require > changing/updating anything else. Fair enough. Sean T made the same point in a mail you may have seen > > >s3.1: [I am not a TLS expert so I may not have got this right...] If the > >rehandshake proposes to use a cipher that doesn't need encrypt-then-mac as > >per GenericStreamCiphers, or GenericAEADCiphers as mentioned in s3, then > >presumably this is allowed whether encrypt-then-mac had or had not been > >negotiated previously on the session. It should be clarified whether this is > >allowed and, if it isn't, what the response should be. > > It shouldn't be allowed since it's falling back to a non-EtM form. It doesn't > matter what the cipher form is (stream cipher or whatever), once you've agreed > on EtM then you can't fall back to a non-EtM cipher (see the third line of the > table in section 3.1). This seems a bit odd. I thought s3 said it was OK to use one of the ciphers mentioned without EtM, apparently because it is deemed secure enough without changing to EtM. Apologies if I am being stupid here, but could you explain why it is no longer secure enough after using an EtM cipher? > > >s3: (very nitty nit) I think the MAC calculation piece would be clearer with > >what it updates noted before the update. Thus: > > OK, fixed. > > >s3, next to last para: > >> For DTLS, the record MUST be discarded and a fatal bad_record_mac MAY > >> be generated [2]. > >Shouldn't the reference here be [4] for DTLS? > > Oops, yep. Also fixed. Filleted from my correspondence with Sean: ====================== > > > Shouldn't the reference here be [4] for DTLS? > > > > Nope - the bad_record_mac is defined in [2]. DTLS and TLS share some > > things: e.g., alert protocol values. > > > True; However s4.1.2.1 of [4] has quite a lot to say about exactly this > situation. I'd be inclined to s/[2]/as discussed in Section 4.1.2. of [4]/. ====================== > > >s3.1 (last para)/s7.1: Shouldn't the TLS_ext reference [3] be to the updated > >RFC 6066? > > Ah, yes. Also fixed. > > Peter. Regards, Elwyn
- [Gen-art] Gen-art LC review of draft-ietf-tls-enc… Elwyn Davies
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Sean Turner
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Elwyn Davies
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Peter Gutmann
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Elwyn Davies