IETF Logo Mail Archive

Re: [TLS] rfc7366: is encrypt-then-mac implemented?

Manuel Pégourié-Gonnard <mpg@polarssl.org> Thu, 30 October 2014 12:56 UTC

Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F19FE1A0054 for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 05:56:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.997
X-Spam-Level:
X-Spam-Status: No, score=0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_EQ_NL=1.545, J_CHICKENPOX_37=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0myAIqpcRGd4 for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 05:56:29 -0700 (PDT)
Received: from vps2.offspark.com (vps2.brainspark.nl [141.138.204.106]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D69441A000F for <tls@ietf.org>; Thu, 30 Oct 2014 05:56:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:To:MIME-Version:From:Date:Message-ID; bh=SlkLyiSCEKlHCwAqr4S6lz/T4fQM5dqDoexohcvTKD0=; b=HeHb75hTiz05cN4VaT4dnJBwZOd7d/sISqz//H5U2iDsWBeq+XYCQsTrnVuH0s2i0YRJNazDTz+I1Hj0QO9KNVdcgEWTGRluy6ByljmFlzINmDw/OfxTvDeueBFPXDBWJVx73aD/f8RxE9t4++NOhhhZj9wQul5B/XOhbY3arjw=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.offspark.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1XjpH0-0002vc-Tr; Thu, 30 Oct 2014 13:56:19 +0100
Message-ID: <54523577.3000508@polarssl.org>
Date: Thu, 30 Oct 2014 13:56:23 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9DBFE4@uxcn10-5.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9DBFE4@uxcn10-5.UoA.auckland.ac.nz>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.offspark.com)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-xzMEYwhwATxi8sR_hyW_zkHcoE
Subject: Re: [TLS] rfc7366: is encrypt-then-mac implemented?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Oct 2014 12:56:31 -0000

On 30/10/2014 13:24, Peter Gutmann wrote:
> Manuel Pégourié-Gonnard <mpg@polarssl.org> writes:
>> On 30/10/2014 11:44, Peter Gutmann wrote:
>>> Oh, so the issue isn't that you're MAC'ing extra stuff that isn't there, but
>>> that you're using a length value that includes stuff that isn't MAC'd?  In
>>> other words in the above 'length' isn't 'length of encrypted_stuff that
>>> follows the length value' but 'length of encrypted_stuff that follows the
>>> length value + length of MAC'?
>> Precisely. It looks like we're making progress in undertanding each other.
> 
> OK, so I'll try and summarise this, for:
> 
> struct {
>        ContentType type;
>        ProtocolVersion version;
>        uint16 length;
>        GenericBlockCipher fragment;
>        opaque MAC;
>        } TLSCiphertext;
> 
> what goes on the wire for the 'length' field is the overall length of
> everything that follows, i.e. the ciphertext fragment length plus MAC length.
> 
Ok. I think all implementations so far agree on this point.

> What gets MAC'd is something like:
> 
>     MAC(MAC_write_key, seq_num +
>                        TLSCompressed.type +
>                        TLSCompressed.version +
>                        TLSCompressed.length +
>                        GenericBlockCipher.fragment);
> 
> (I say "something like" because RFC 5246 doesn't make this explicit, it refers
> back to section 6.2.3.1 which is for null or generic stream ciphers and uses
> TLSCompressed.fragment when it should be TLSCiphertext.fragment).
> 
Are you refering the "normal" (MtE) case or the EtM case here? I'm confused. in
the MtE case, what's MAC'ed is indeed TLSCompressed.fragment. Anyways, what
matters is the text in RFC 7366 about MAC computation, which uses
TLSCiphertext.length.

> Since the MAC value isn't part of the data that's MAC'd, its length isn't
> included in the MAC calculation.
> 
I understand this reasoning and it certainly makes sense, I'm not discussing
that. But that means that when you write TLSCiphertext.length at the beginning
of page 3 in:

   MAC(MAC_write_key, seq_num +
       TLSCipherText.type +
       TLSCipherText.version +
       TLSCipherText.length +
       IV +
       ENC(content + padding + padding_length));

you mean something different from the length field of the TLSCiphertext
structure just two paragraphs below. Which I find rather confusing.

> Now the other interpretation, that more recent implementations are using, is
> that what gets MAC'd is the length of GenericBlockCipher.fragment plus the
> length of MAC[SecurityParameters.mac_length], which is the length value that
> goes on the wire.
> 
Right. This is supported by the fact that both (what get's MAC'd and what goes
in the wire) are written as TLSCiphertext.length in the RFC.

> Arguments could be made that either interpretation is valid... it could be
> just a case of saying "who will be least inconvenienced by switching over?".
> In any case it points to what's required for issuing a clarification to the
> text.
> 
Again, I have no preference on which interpretation is chosen, as long as there
remains only one arguably valid way to interpret the text.

If you want to go the same way as the eid server (which is reasonnable IMO as it
is deployed) I'd suggest changing from

   MAC(MAC_write_key, seq_num +
       TLSCipherText.type +
       TLSCipherText.version +
       TLSCipherText.length +
       IV +
       ENC(content + padding + padding_length));

to

   MAC(MAC_write_key, seq_num +
       TLSCipherText.type +
       TLSCipherText.version +
       length of ENC(content + padding + padding_length) +
       IV +
       ENC(content + padding + padding_length));

    where the length is encoded as two bytes in the usual way.

This avoids any ambiguity related to TLSCiphertext.xxx and how its definition
should or should not be adapted from the one in RFC 5246.

To be extra sure that people don't get confused about what goes on the wire
(even though all implementations so far agreed on this point), you could also change

   This is identical to the existing TLS/DTLS layout, with the only
   difference being that the MAC value is moved outside the encrypted
   data.

to add:

   This is identical to the existing TLS/DTLS layout, with the only
   differences being that the MAC value is moved outside the encrypted
   data and length is now sum of the length of fragment and the length
   of the MAC.

(or something to that effect).

Manuel.

v2.23.0 | Report a Bug | By Email