IETF Logo Mail Archive

Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Nikos Mavrogiannopoulos <nmav@gnutls.org> Thu, 14 November 2013 03:49 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D207721E8157 for <tls@ietfa.amsl.com>; Wed, 13 Nov 2013 19:49:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kMtzYuaqpDd3 for <tls@ietfa.amsl.com>; Wed, 13 Nov 2013 19:49:39 -0800 (PST)
Received: from mail-ea0-x22a.google.com (mail-ea0-x22a.google.com [IPv6:2a00:1450:4013:c01::22a]) by ietfa.amsl.com (Postfix) with ESMTP id E0D7D21E8121 for <tls@ietf.org>; Wed, 13 Nov 2013 19:49:38 -0800 (PST)
Received: by mail-ea0-f170.google.com with SMTP id q10so570768eaj.29 for <tls@ietf.org>; Wed, 13 Nov 2013 19:49:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:subject:from:to:cc:date:in-reply-to:references :content-type:mime-version:content-transfer-encoding; bh=CRbRHGvy+1fjmM3KCXWzF2YsTlH5pI0LhCX052V2nlM=; b=qM7UpQhu4vS/sGz80E3okrpaRCfk66/lVazvORRxeoczzbCq2+j3I7LibIdkpQAUWL jhLCLuu6kFS65BradVOQd6/M2EV6Zq0FAwngbFGpJx1/T1b67Bp0tUIgfLmjcQ3zS/XY vmfDRZd6HExalpSxf1jTG1pQ/N5hozAFVMEmtGeN3dd4NLjVjijUdvOBSiabpC23FYKo mDniAPJ4XF8xHwZbt7+7pcvvoZqdH7z7009BR7L+RDHMhOBbyhT4xtxVtzk9F11sJ0K2 pdCCXuLX2EjHeNy5UNKnM9Qlmfe1GemmvIPDUqnc8zsIcpgtEDTmoEzW/Hvn92AsUWBH F2kQ==
X-Received: by 10.14.94.199 with SMTP id n47mr5231115eef.81.1384400977863; Wed, 13 Nov 2013 19:49:37 -0800 (PST)
Received: from [10.100.2.3] (ip-62-245-100-42.net.upcbroadband.cz. [62.245.100.42]) by mx.google.com with ESMTPSA id z2sm94999600eee.7.2013.11.13.19.49.36 for <multiple recipients> (version=SSLv3 cipher=RC4-SHA bits=128/128); Wed, 13 Nov 2013 19:49:37 -0800 (PST)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <1384400970.2092.7.camel@aspire.lan>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: mrex@sap.com
Date: Thu, 14 Nov 2013 04:49:30 +0100
In-Reply-To: <20131112222944.2B0FD1AA82@ld9781.wdf.sap.corp>
References: <20131112222944.2B0FD1AA82@ld9781.wdf.sap.corp>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.10.1 (3.10.1-1.fc20)
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Nov 2013 03:49:39 -0000

On Tue, 2013-11-12 at 23:29 +0100, Martin Rex wrote:
> Nikos Mavrogiannopoulos wrote:
> > Martin Rex <mrex@sap.com> wrote:
> >> Personally, I would really prefer to _not_ move the MAC outside
> >> of the encryption, i.e. leave it as pad-mac-encrypt like Serge Vaudenay
> >> originally recommended.  In particular, keeping the hands off the
> >> GenericStreamCipher PDU processing.
> > 
> > I prefer this approach too, so I've taken the parts from the
> > length-hiding draft and moved them to a draft that simply describes a
> > new padding approach to solve the padding oracles. In any case I still
> > believe that something needs to be done about that, whether it is
> > pad-encrypt-then-mac or pad-mac-then-encrypt.
> > 
> > http://tools.ietf.org/html/draft-mavrogiannopoulos-new-tls-padding-00
> 
> This is a whole new extension adding bells and whistles, not a fix to
> any existing issues, and appears to be heading for TLSv1.2-only.
> Padding with arbitrary length is something that every application
> could do with every TLS implementation already in the installed base
> and every existing cipher suite, no changes to TLS necessary,
> requiring only minor changes of the application protocol.

There are two options. (a) Minor changes to the application protocol
(for all application protocols), or (b) minor changes to the TLS
protocol. The draft above takes the latter approach.

I also don't understand what do you mean by heading TLSv1.2-only. The
proposal in the above draft works from SSL 3.0 to TLS 1.2. There is
nothing TLS 1.2-specific there.

> You proposal adds the padding at the beginning only.  Since the
> problem exhibited by RC4 is inherent to any XOR-encryption with
> a pseudo-random-pad, AES-CCM, AES-GCM, etc. I would make such an
> extension use random fraction, random content, authenticated padding
> on both sides of the plaintext, with a combined minimum padding length of
> at least 16 bytes, in order to mitigate statistical attacks on
> any bias that may be found in the pseudo-random-pad.

The above draft does:
1. prevent padding oracle attacks
2. hide the length of the plaintext

What you propose there is having the plaintext appear and finish in an
unpredictable position. That's an interesting approach, not handled by
the draft above.

In simple terms you're asking for more bells and whistles :)

regards,
Nikos

v2.23.0 | Report a Bug | By Email