Re: [Gen-art] Gen-art LC review of draft-ietf-tls-encrypt-then-mac-02
Elwyn Davies <elwynd@dial.pipex.com> Tue, 17 June 2014 11:41 UTC
Return-Path: <elwynd@dial.pipex.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E47F1A034D for <gen-art@ietfa.amsl.com>; Tue, 17 Jun 2014 04:41:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.3
X-Spam-Level:
X-Spam-Status: No, score=-101.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_37=0.6, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zcOZBzRXfnkm for <gen-art@ietfa.amsl.com>; Tue, 17 Jun 2014 04:41:06 -0700 (PDT)
Received: from b.b.painless.aa.net.uk (b.painless.aa.net.uk [IPv6:2001:8b0:0:30::51bb:1e34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 947571A0358 for <gen-art@ietf.org>; Tue, 17 Jun 2014 04:41:06 -0700 (PDT)
Received: from mightyatom.folly.org.uk ([81.187.254.250]) by b.painless.aa.net.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <elwynd@dial.pipex.com>) id 1Wwrl7-0002kx-4y; Tue, 17 Jun 2014 12:41:01 +0100
From: Elwyn Davies <elwynd@dial.pipex.com>
To: Sean Turner <TurnerS@ieca.com>
In-Reply-To: <EE6543A5-1070-4C87-B000-23F77FC1E126@ieca.com>
References: <1402838624.2995.4557.camel@mightyatom> <EE6543A5-1070-4C87-B000-23F77FC1E126@ieca.com>
Content-Type: text/plain; charset="iso-8859-7"
Date: Tue, 17 Jun 2014 12:40:58 +0100
Message-Id: <1403005258.2995.5012.camel@mightyatom>
Mime-Version: 1.0
X-Mailer: Evolution 2.26.3
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/gen-art/W3V9EOh1I-_boI2yQNdhle0QePk
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-tls-encrypt-then-mac.all@tools.ietf.org
Subject: Re: [Gen-art] Gen-art LC review of draft-ietf-tls-encrypt-then-mac-02
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jun 2014 11:41:11 -0000
On Tue, 2014-06-17 at 06:52 -0400, Sean Turner wrote: > On Jun 15, 2014, at 09:23, Elwyn Davies <elwynd@dial.pipex.com> wrote: > > > I am the assigned Gen-ART reviewer for this draft. For background on > > Gen-ART, please see the FAQ at > > > > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > > > Please resolve these comments along with any other Last Call comments > > you may receive. > > > > Document: draft-ietf-tls-encrypt-then-mac-02.txt > > Reviewer: Elwyn Davies > > Review Date: 15 June 2014 > > IETF LC End Date: 20 June 2014 > > IESG Telechat date: (if known) - > > > > Summary: Almost ready. > > > > Major issues: > > > > Minor issues: > > Header/Abstract/Intro: Doesn't this update RFC 6347 and either or both > > of RFC 6066 and RFC 5246 since it defines a new extension? > > My feeling is that it doesn’t update any of the drafts. It documents a new optional extensions that implementations are free to implement so it need not update the base specs. WRT including all the extensions in one draft, RFC 6066 defines many extensions but not all: > > http://datatracker.ietf.org/doc/rfc6520/ > http://datatracker.ietf.org/doc/rfc6961/ > > this is just another one. Fair enough > > > s3.1: [I am not a TLS expert so I may not have got this right...] If the > > rehandshake proposes to use a cipher that doesn't need encrypt-then-mac > > as per GenericStreamCiphers, or GenericAEADCiphers as mentioned in s3, > > then presumably this is allowed whether encrypt-then-mac had or had not > > been negotiated previously on the session. It should be clarified > > whether this is allowed and, if it isn't, what the response should be. > > > > If it is allowed and the session switches to a GenericStreamCipher, or a > > GenericAEADCipher, then it appears that if the original session was > > using encrypt-then-mac, a downgrade to a cipher that does need > > encrypt-then-mac but isn't using it could be achieved by using a second > > rehandshake without encrypt-then-mac since the first rehandshake goes to > > a situation that doesn't use encrypt-then-mac after the first > > rehandshake. The solution seems to be to record whether the session > > ever used encrypt-then-mac rather than whether is is currently using it, > > and then apply the rules in s3.1 based on the record. > > I’ll leave this one to Peter. > > > Nits/editorial comments: > > s3: (very nitty nit) I think the MAC calculation piece would be clearer > > with what it updates noted before the update. Thus: > > > > OLD > > In TLS [2] notation the MAC calculation is: > > > > MAC(MAC_write_key, seq_num + > > TLSCipherText.type + > > TLSCipherText.version + > > TLSCipherText.length + > > ENC(content + padding + padding_length)); > > > > for TLS 1.0 without the explicit IV and: > > > > MAC(MAC_write_key, seq_num + > > TLSCipherText.type + > > TLSCipherText.version + > > TLSCipherText.length + > > IV + > > ENC(content + padding + padding_length)); > > > > for TLS 1.1 and greater with explicit IV (for DTLS the sequence > > number is replaced by the combined epoch and sequence number as per > > DTLS [4]). > > > > NEW: > > In TLS [2] notation the MAC calculation is: > > o For TLS 1.0 without the explicit IV > > > > MAC(MAC_write_key, seq_num + > > TLSCipherText.type + > > TLSCipherText.version + > > TLSCipherText.length + > > ENC(content + padding + padding_length)); > > > > o For TLS 1.1 and greater with explicit IV > > > > MAC(MAC_write_key, seq_num + > > TLSCipherText.type + > > TLSCipherText.version + > > TLSCipherText.length + > > IV + > > ENC(content + padding + padding_length)); > > > > o For DTLS the sequence number in the TLS 1.1 description is replaced > > by the combined epoch and sequence number as per DTLS [4]). > > > > s3, next to last para: > >> For DTLS, the record MUST be discarded and a fatal bad_record_mac MAY > >> be generated [2]. > > Shouldn't the reference here be [4] for DTLS? > > Nope - the bad_record_mac is defined in [2]. DTLS and TLS share some things: e.g., alert protocol values. > True; However s4.1.2.1 of [4] has quite a lot to say about exactly this situation. I'd be inclined to s/[2]/as discussed in Section 4.1.2.1 of [4]/. > > s3.1 (last para)/s7.1: Shouldn't the TLS_ext reference [3] be to the updated RFC 6066? > > At first I thought the answer was no, but since three people have commented on it I guess should be updated. > Fine! Regards, Elwyn > spt
- [Gen-art] Gen-art LC review of draft-ietf-tls-enc… Elwyn Davies
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Sean Turner
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Elwyn Davies
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Peter Gutmann
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Elwyn Davies