Re: [TLS] padding bug

Ben Laurie <benl@google.com> Tue, 24 September 2013 16:04 UTC

Return-Path: <benl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 882E021F8F97 for <tls@ietfa.amsl.com>; Tue, 24 Sep 2013 09:04:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MP2vsmVa8q4U for <tls@ietfa.amsl.com>; Tue, 24 Sep 2013 09:04:20 -0700 (PDT)
Received: from mail-ie0-x22d.google.com (mail-ie0-x22d.google.com [IPv6:2607:f8b0:4001:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id F2B4F21F963F for <tls@ietf.org>; Tue, 24 Sep 2013 09:03:56 -0700 (PDT)
Received: by mail-ie0-f173.google.com with SMTP id ar20so9346176iec.32 for <tls@ietf.org>; Tue, 24 Sep 2013 09:03:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=63VjmJ4eo5PIWGo99bLmWepzTQ/h1Ntne2CzcHtdE+s=; b=nIqpV2FcoAqc49rl30DGHdPAnECddDj9/ZO3RVTTLsLff29nGYvjZliH3muY0V0/QC 0RxeZKoehuVDf4wBeuJGE6EAKKZyRXg+vAM4DIU0OuKMdDm7pDQ+MqXvbu79BsLUiO/A jiRYxSHJlWxie70/lfJWdJwRs90BTmULdf8NhP/bDhYl3DYLdl9KL7L6XHvMR27j0XmV 4uL/BwL12MxkIciUJYlb6GEIuhXVSAbuBJRCIHblKci0p9PakjDcdszP+kD69kOkZfPO JrjxyporXUEB1fEKhUlQEWjJ3VbCNkDlkFIIkWL24mj0APdc3Y14luDxPmUkVTQ4c1cw TsiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=63VjmJ4eo5PIWGo99bLmWepzTQ/h1Ntne2CzcHtdE+s=; b=ORZvHlPaVrK/3vtppsDQg+f2MDpAeloSAn5Vvft0WsHdDLzwkdHHPTy2H1jhBFv/G3 JPur/byfN1j9HUJZges9u5HcXXpw3mMM5mfQlYXpf2tzgykQlyaR0a7SKZirVIZqk3YR mWQwM2TwQNZzS4wcoYtnUoJK5ekRpxdG2hhQRr9eZgXCe7xxXjTjurRzCtiAQ+XSrOka JBqKO3EpkZ7bfxCoxlW5ldez7ssrDdVNM94mpiJKI5kZlYcCq1rIa1wqrYuSLQJJSEiS rfEhfdCTiKp7zJM2SAxppwTj6eKmbaANOVrAyaibKCr0r3j7ieoOz2bUdfnGN+V7Eb7A jCeQ==
X-Gm-Message-State: ALoCoQm24W0Bh1s1viUbF5KUjORG0r1DPFGbBxibwvDDwb1sNCFrChpAxJVNamRqxotqRKW7Dstrj7UQl+I6KxAO0vBz9c6AWaqAQsQaUDARHVi+JpfdbLLlduEximKEY0ZiRoc7u5fz6rvHhftc+Tf9uxpA7P2wsJpjbfZk8UdzPII5IvPb+7xGuDBv56w5EeNZb/75lTZy
MIME-Version: 1.0
X-Received: by 10.42.211.74 with SMTP id gn10mr3840933icb.17.1380038635705; Tue, 24 Sep 2013 09:03:55 -0700 (PDT)
Received: by 10.64.230.140 with HTTP; Tue, 24 Sep 2013 09:03:55 -0700 (PDT)
In-Reply-To: <CADMpkcKhCsunTd2wAecXWjXxrHGG-18v7aaZ40fG31qZw1zkcQ@mail.gmail.com>
References: <9A043F3CF02CD34C8E74AC1594475C73556760EA@uxcn10-6.UoA.auckland.ac.nz> <524148C3.7090709@gnutls.org> <CABrd9SRHheYhNjcbKosaEASfJ6EvZtN93HaLG=Cvzn_1ohKFgw@mail.gmail.com> <524176EA.3090401@gnutls.org> <CABrd9SQQ0Ormyx=wjnXO+Z-Zo52x_tYV7R4XuLMgbyHf2X7H=w@mail.gmail.com> <CADMpkcKhCsunTd2wAecXWjXxrHGG-18v7aaZ40fG31qZw1zkcQ@mail.gmail.com>
Date: Tue, 24 Sep 2013 17:03:55 +0100
Message-ID: <CABrd9SThkbL1MHt_7OpshbO_-r1ouQVkm3Sk+m0djFYot0rXoA@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Bodo Moeller <bmoeller@acm.org>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] padding bug
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 16:04:20 -0000

On 24 September 2013 15:28, Bodo Moeller <bmoeller@acm.org> wrote:
>
>> > I take your question that you actually read RFC2104 and the
>> > Preneel-van-Oorschot paper and you disagree with their points?
>
>
>>
>> c) In any case, the whole point of the truncation defence is to make
>>
>> it harder to go from _observing_ a colliding MAC to the ability to
>> construct more collisions. But it mostly does this by making it easier
>> to observe MAC collisions.
>
>
> I think this reasoning is not quite right because that attack requires
> *internal* collisions (and the internal state wouldn't be truncated).

That's what makes it harder :-)

>  Of
> course, it's not an attack on HMAC.
>
>
>>
>> d) If you _really_ want to defend against this attack, the right
>> answer is to design hash functions with bigger internal state.
>
>
> Exactly. Given a particular l-bit MAC with an l-bit internal state,
> truncating its outputs (such as to l/2 bits) isn't demonstrably an
> improvement.  Rather, if we want an l-bit MAC, it makes sense to have an
> internal state larger than l bits.
>
> Nikos, you pointed to RFC 2104. The following is a literal quote from that
> RFC: "The results in this area are not absolute as for the overall security
> advantages of truncation."  In particular, encrypt-then-MAC with untruncated
> MACs isn't a broken design.  (Assuming hypothetically there's a key recovery
> attack on the MAC alone, the encryption step means that the attacker can't
> pick MAC inputs after all.)
>
> Bodo
>