Re: [TLS] rfc7366: is encrypt-then-mac implemented?
Manuel Pégourié-Gonnard <mpg@polarssl.org> Thu, 30 October 2014 12:56 UTC
Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F19FE1A0054 for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 05:56:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.997
X-Spam-Level:
X-Spam-Status: No, score=0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_EQ_NL=1.545, J_CHICKENPOX_37=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0myAIqpcRGd4 for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 05:56:29 -0700 (PDT)
Received: from vps2.offspark.com (vps2.brainspark.nl [141.138.204.106]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D69441A000F for <tls@ietf.org>; Thu, 30 Oct 2014 05:56:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:To:MIME-Version:From:Date:Message-ID; bh=SlkLyiSCEKlHCwAqr4S6lz/T4fQM5dqDoexohcvTKD0=; b=HeHb75hTiz05cN4VaT4dnJBwZOd7d/sISqz//H5U2iDsWBeq+XYCQsTrnVuH0s2i0YRJNazDTz+I1Hj0QO9KNVdcgEWTGRluy6ByljmFlzINmDw/OfxTvDeueBFPXDBWJVx73aD/f8RxE9t4++NOhhhZj9wQul5B/XOhbY3arjw=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.offspark.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1XjpH0-0002vc-Tr; Thu, 30 Oct 2014 13:56:19 +0100
Message-ID: <54523577.3000508@polarssl.org>
Date: Thu, 30 Oct 2014 13:56:23 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9DBFE4@uxcn10-5.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9DBFE4@uxcn10-5.UoA.auckland.ac.nz>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.offspark.com)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-xzMEYwhwATxi8sR_hyW_zkHcoE
Subject: Re: [TLS] rfc7366: is encrypt-then-mac implemented?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Oct 2014 12:56:31 -0000
On 30/10/2014 13:24, Peter Gutmann wrote: > Manuel Pégourié-Gonnard <mpg@polarssl.org> writes: >> On 30/10/2014 11:44, Peter Gutmann wrote: >>> Oh, so the issue isn't that you're MAC'ing extra stuff that isn't there, but >>> that you're using a length value that includes stuff that isn't MAC'd? In >>> other words in the above 'length' isn't 'length of encrypted_stuff that >>> follows the length value' but 'length of encrypted_stuff that follows the >>> length value + length of MAC'? >> Precisely. It looks like we're making progress in undertanding each other. > > OK, so I'll try and summarise this, for: > > struct { > ContentType type; > ProtocolVersion version; > uint16 length; > GenericBlockCipher fragment; > opaque MAC; > } TLSCiphertext; > > what goes on the wire for the 'length' field is the overall length of > everything that follows, i.e. the ciphertext fragment length plus MAC length. > Ok. I think all implementations so far agree on this point. > What gets MAC'd is something like: > > MAC(MAC_write_key, seq_num + > TLSCompressed.type + > TLSCompressed.version + > TLSCompressed.length + > GenericBlockCipher.fragment); > > (I say "something like" because RFC 5246 doesn't make this explicit, it refers > back to section 6.2.3.1 which is for null or generic stream ciphers and uses > TLSCompressed.fragment when it should be TLSCiphertext.fragment). > Are you refering the "normal" (MtE) case or the EtM case here? I'm confused. in the MtE case, what's MAC'ed is indeed TLSCompressed.fragment. Anyways, what matters is the text in RFC 7366 about MAC computation, which uses TLSCiphertext.length. > Since the MAC value isn't part of the data that's MAC'd, its length isn't > included in the MAC calculation. > I understand this reasoning and it certainly makes sense, I'm not discussing that. But that means that when you write TLSCiphertext.length at the beginning of page 3 in: MAC(MAC_write_key, seq_num + TLSCipherText.type + TLSCipherText.version + TLSCipherText.length + IV + ENC(content + padding + padding_length)); you mean something different from the length field of the TLSCiphertext structure just two paragraphs below. Which I find rather confusing. > Now the other interpretation, that more recent implementations are using, is > that what gets MAC'd is the length of GenericBlockCipher.fragment plus the > length of MAC[SecurityParameters.mac_length], which is the length value that > goes on the wire. > Right. This is supported by the fact that both (what get's MAC'd and what goes in the wire) are written as TLSCiphertext.length in the RFC. > Arguments could be made that either interpretation is valid... it could be > just a case of saying "who will be least inconvenienced by switching over?". > In any case it points to what's required for issuing a clarification to the > text. > Again, I have no preference on which interpretation is chosen, as long as there remains only one arguably valid way to interpret the text. If you want to go the same way as the eid server (which is reasonnable IMO as it is deployed) I'd suggest changing from MAC(MAC_write_key, seq_num + TLSCipherText.type + TLSCipherText.version + TLSCipherText.length + IV + ENC(content + padding + padding_length)); to MAC(MAC_write_key, seq_num + TLSCipherText.type + TLSCipherText.version + length of ENC(content + padding + padding_length) + IV + ENC(content + padding + padding_length)); where the length is encoded as two bytes in the usual way. This avoids any ambiguity related to TLSCiphertext.xxx and how its definition should or should not be adapted from the one in RFC 5246. To be extra sure that people don't get confused about what goes on the wire (even though all implementations so far agreed on this point), you could also change This is identical to the existing TLS/DTLS layout, with the only difference being that the MAC value is moved outside the encrypted data. to add: This is identical to the existing TLS/DTLS layout, with the only differences being that the MAC value is moved outside the encrypted data and length is now sum of the length of fragment and the length of the MAC. (or something to that effect). Manuel.
- [TLS] rfc7366: is encrypt-then-mac implemented? Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Ilari Liusvaara
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Henrick Hellström
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Yngve N. Pettersen
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- [TLS] record-level version number in ClientHello Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Yngve N. Pettersen
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Yngve N. Pettersen
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] record-level version number in ClientHe… Martin Thomson
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- [TLS] rfc7366: status Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: status Martin Rex