[Gen-art] Gen-art LC review of draft-ietf-tls-encrypt-then-mac-02
Elwyn Davies <elwynd@dial.pipex.com> Sun, 15 June 2014 13:23 UTC
Return-Path: <elwynd@dial.pipex.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 305181B28FA for <gen-art@ietfa.amsl.com>; Sun, 15 Jun 2014 06:23:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.3
X-Spam-Level:
X-Spam-Status: No, score=-101.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_37=0.6, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Z6LgjjCz-GG for <gen-art@ietfa.amsl.com>; Sun, 15 Jun 2014 06:23:50 -0700 (PDT)
Received: from b.b.painless.aa.net.uk (b.painless.aa.net.uk [IPv6:2001:8b0:0:30::51bb:1e34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5FC81B281B for <gen-art@ietf.org>; Sun, 15 Jun 2014 06:23:49 -0700 (PDT)
Received: from mightyatom.folly.org.uk ([81.187.254.250]) by b.painless.aa.net.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <elwynd@dial.pipex.com>) id 1WwAPS-00007w-Ko; Sun, 15 Jun 2014 14:23:46 +0100
From: Elwyn Davies <elwynd@dial.pipex.com>
To: General Area Review Team <gen-art@ietf.org>
Content-Type: text/plain
Date: Sun, 15 Jun 2014 14:23:44 +0100
Message-Id: <1402838624.2995.4557.camel@mightyatom>
Mime-Version: 1.0
X-Mailer: Evolution 2.26.3
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/gen-art/pnI7mOcap_voKmaMK2qPnZTR1Ys
Cc: draft-ietf-tls-encrypt-then-mac.all@tools.ietf.org
Subject: [Gen-art] Gen-art LC review of draft-ietf-tls-encrypt-then-mac-02
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jun 2014 13:23:52 -0000
I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
Please resolve these comments along with any other Last Call comments
you may receive.
Document: draft-ietf-tls-encrypt-then-mac-02.txt
Reviewer: Elwyn Davies
Review Date: 15 June 2014
IETF LC End Date: 20 June 2014
IESG Telechat date: (if known) -
Summary: Almost ready.
Major issues:
Minor issues:
Header/Abstract/Intro: Doesn't this update RFC 6347 and either or both
of RFC 6066 and RFC 5246 since it defines a new extension?
s3.1: [I am not a TLS expert so I may not have got this right...] If the
rehandshake proposes to use a cipher that doesn't need encrypt-then-mac
as per GenericStreamCiphers, or GenericAEADCiphers as mentioned in s3,
then presumably this is allowed whether encrypt-then-mac had or had not
been negotiated previously on the session. It should be clarified
whether this is allowed and, if it isn't, what the response should be.
If it is allowed and the session switches to a GenericStreamCipher, or a
GenericAEADCipher, then it appears that if the original session was
using encrypt-then-mac, a downgrade to a cipher that does need
encrypt-then-mac but isn't using it could be achieved by using a second
rehandshake without encrypt-then-mac since the first rehandshake goes to
a situation that doesn't use encrypt-then-mac after the first
rehandshake. The solution seems to be to record whether the session
ever used encrypt-then-mac rather than whether is is currently using it,
and then apply the rules in s3.1 based on the record.
Nits/editorial comments:
s3: (very nitty nit) I think the MAC calculation piece would be clearer
with what it updates noted before the update. Thus:
OLD
In TLS [2] notation the MAC calculation is:
MAC(MAC_write_key, seq_num +
TLSCipherText.type +
TLSCipherText.version +
TLSCipherText.length +
ENC(content + padding + padding_length));
for TLS 1.0 without the explicit IV and:
MAC(MAC_write_key, seq_num +
TLSCipherText.type +
TLSCipherText.version +
TLSCipherText.length +
IV +
ENC(content + padding + padding_length));
for TLS 1.1 and greater with explicit IV (for DTLS the sequence
number is replaced by the combined epoch and sequence number as per
DTLS [4]).
NEW:
In TLS [2] notation the MAC calculation is:
o For TLS 1.0 without the explicit IV
MAC(MAC_write_key, seq_num +
TLSCipherText.type +
TLSCipherText.version +
TLSCipherText.length +
ENC(content + padding + padding_length));
o For TLS 1.1 and greater with explicit IV
MAC(MAC_write_key, seq_num +
TLSCipherText.type +
TLSCipherText.version +
TLSCipherText.length +
IV +
ENC(content + padding + padding_length));
o For DTLS the sequence number in the TLS 1.1 description is replaced
by the combined epoch and sequence number as per DTLS [4]).
s3, next to last para:
> For DTLS, the record MUST be discarded and a fatal bad_record_mac MAY
> be generated [2].
Shouldn't the reference here be [4] for DTLS?
s3.1 (last para)/s7.1: Shouldn't the TLS_ext reference [3] be to the updated RFC 6066?
- [Gen-art] Gen-art LC review of draft-ietf-tls-enc… Elwyn Davies
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Sean Turner
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Elwyn Davies
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Peter Gutmann
- Re: [Gen-art] Gen-art LC review of draft-ietf-tls… Elwyn Davies