Re: [TLS] padding bug

Dr Stephen Henson <> Mon, 09 September 2013 14:58 UTC

Date: Mon, 09 Sep 2013 15:49:40 +0100
From: Dr Stephen Henson <>
To: Ben Laurie <>
Subject: Re: [TLS] padding bug

On 09/09/2013 14:31, Ben Laurie wrote:
> 2. It fixes the problem for all versions of TLS and SSLv3.

That to me is a very strong point in its favour. There have been weaknesses
affecting just about every ciphersuite with the exception of GCM mode, which
needs TLS 1.2. I'd love it if everyone moved to TLS 1.2 in the near future but
realistically that isn't going to happen. All manner of interop headaches
arrived with broken implementations when TLS 1.2 support was added to OpenSSL
and we still get frequent reports. Even with TLS 1.2 I'm uneasy about there
being only one symmetric cipher mode left.

I can add a few additional points in favour of this draft.

The signalling approach taken is similar to the one adopted with the secure
renegotiation (RFC5746), with the exception that extension intolerant servers
will choke. If we really care about those another signalling ciphersuite could
always be added.

I particularly liked the ease with which this could be implemented in OpenSSL
(Peter had similar experiences with Cryptlib). It took me just a few hours and
would've been less if some unfamiliar code hadn't been added recently:
ironically to address the "Lucky 13" attack.

It required no new APIs and it should work seamlessly with existing
applications. That's very important for a library if you have a large existing
code base.

One negative point relates to cryptographic hardware or software optimisations
(where you have an efficient or atomic way to handle record decryption) but I
think this will apply to other solutions too. Anything that needs to address
"Lucky 13" may have already hit this anyway.

On the particular point of addressing "Lucky 13", that attack was a real
headache for FIPS 140 compliance. Reimplementing algorithms at a low level to be constant
time will typically require revalidation with considerable expense and delays. A
partial (but far from perfect) mitigation was chosen as a compromise. If this
draft was adopted that would not be a problem any more as the existing validated
algorithm implementations could be used.

Dr Stephen N. Henson.
Core developer of the OpenSSL project:
Freelance consultant see:
Email:, PGP key: via homepage.