Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Nikos Mavrogiannopoulos <> Sat, 30 November 2013 16:00 UTC

Message-ID: <1385826600.11639.25.camel@aspire.lan>
From: Nikos Mavrogiannopoulos <>
To: Watson Ladd <>
Date: Sat, 30 Nov 2013 16:50:00 +0100
References: <> <> <1385767358.5937.18.camel@aspire.lan> <>
Organization: Red Hat
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Fri, 2013-11-29 at 17:23 -0800, Watson Ladd wrote:

> > Contrary to popular opinion on this list AtE is a standard way of
> > operation with no flaws known unless used with an unauthenticated pad
> > (as in TLS). When SSL 3.0 was designed AtE was believed to be the
> > conservative approach comparing to EtA.
> The passive voice is doing a lot of work here. Bellare and Namprempre
> showed that EtA is generically secure,
> AtE isn't. Rogaway sent out an email in 1995 pleading for EtA in TLS.
> "no flaws known"!="proved to be secure"

Proven to be secure doesn't mean that attacks don't exist. The TLS
padding scheme was proven to be secure prior to being broken, ironically
by the same person who made the proof. Attacks work by playing outside
the requirements of the proof.

Nevertheless, there is much more recent work on EtA vs AtE that
actually proves AtE secure (not "generically", as you put it; you just
need a decent cipher). You may check "The order of encryption and
authentication for protecting communications (or: How secure is SSL?)".
There are even newer papers than that, it is just this that came to
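The two constructions argued over in this thread, side by side, as an added example that is not part of the list discussion and not code from any TLS implementation. It builds TLS 1.x-style CBC padding (n+1 trailing bytes each equal to n) under both orders: MAC-then-encrypt as in TLS 1.0-1.2, where the padding sits outside the MAC, and encrypt-then-MAC in the spirit of RFC 7366, where the tag covers IV and ciphertext. The framing is simplified (no sequence number or record header in the MAC input), the block cipher is a deliberately toy HMAC-based Feistel network so the script runs on the standard library alone, and the keys, IV and request line are fixed constructed values. The point it demonstrates, that the receiver's failure class depends on the order of operations, does not depend on the cipher:

```python
"""Encrypt-then-MAC vs MAC-then-encrypt over CBC with TLS 1.x-style padding.
Added illustration, not code from the thread or any TLS stack. The block cipher
is a toy HMAC-based Feistel (NOT secure) so only the standard library is used."""
import hashlib
import hmac

BLOCK, HALF, MAC_LEN, ROUNDS = 16, 8, 32, 4
ENC_KEY, MAC_KEY = bytes(range(16)), bytes(range(32, 64))  # constructed, fixed
IV = b"\x5a" * BLOCK                                         # constructed, fixed

class PaddingError(Exception): pass   # the TLS "bad pad" failure path
class MacError(Exception): pass       # the TLS "bad MAC" failure path

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def toy_block_encrypt(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right

def toy_block_decrypt(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(toy_block_decrypt(key, c), p)
                    for c, p in zip(blocks, [iv] + blocks))

def tls_pad(data):
    n = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK   # n+1 bytes, each equal to n
    return data + bytes([n]) * (n + 1)

def tls_unpad(data):
    n = data[-1]
    if n + 1 > len(data) or any(b != n for b in data[-(n + 1):]):
        raise PaddingError("bad padding")
    return data[:-(n + 1)]

def _mac(data):
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()

# MAC-then-encrypt (AtE), TLS 1.0-1.2 without RFC 7366: padding is never authenticated.
def mte_encrypt(msg):
    return IV + cbc_encrypt(ENC_KEY, IV, tls_pad(msg + _mac(msg)))

def mte_decrypt(record):
    plain = tls_unpad(cbc_decrypt(ENC_KEY, record[:BLOCK], record[BLOCK:]))
    msg, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
    if not hmac.compare_digest(_mac(msg), tag):   # reached only if padding parsed
        raise MacError("bad mac")
    return msg

# Encrypt-then-MAC (EtA), after RFC 7366: tag covers IV+ciphertext, padding checked last.
def etm_encrypt(msg):
    body = IV + cbc_encrypt(ENC_KEY, IV, tls_pad(msg))
    return body + _mac(body)

def etm_decrypt(record):
    body, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    if not hmac.compare_digest(_mac(body), tag):  # nothing decrypted on failure
        raise MacError("bad mac")
    return tls_unpad(cbc_decrypt(ENC_KEY, body[:BLOCK], body[BLOCK:]))

def probe(decrypt, record, index, mask):
    """Flip bits at one record position; report which receiver check fails."""
    t = bytearray(record)
    t[index] ^= mask
    try:
        decrypt(bytes(t))
    except PaddingError:
        return "padding"
    except MacError:
        return "mac"
    return "ok"

def oracle_outcomes(msg=b"GET /secret "):
    """Tamper a body byte and the padding-length byte under both constructions."""
    mte, etm = mte_encrypt(msg), etm_encrypt(msg)
    # XOR 0xFF into the last byte of the CBC block before the final plaintext
    # block drives the decrypted padding-length byte out of range.
    ctl_mte, ctl_etm = len(mte) - BLOCK - 1, len(etm) - MAC_LEN - BLOCK - 1
    return {"mte": {"body": probe(mte_decrypt, mte, 0, 0x01),
                    "padding": probe(mte_decrypt, mte, ctl_mte, 0xFF)},
            "etm": {"body": probe(etm_decrypt, etm, 0, 0x01),
                    "padding": probe(etm_decrypt, etm, ctl_etm, 0xFF)}}
```

Running oracle_outcomes() shows the asymmetry: under MAC-then-encrypt the receiver answers "mac" for a tampered body byte but "padding" for a tampered padding-control byte, so an attacker who can tell the two rejections apart (by alert type, or by timing, since the MAC is only computed on the "padding" path when the pad parses) has the oracle behind the padding attacks; under encrypt-then-MAC both probes stop at the tag check with "mac" and no plaintext-dependent work ever runs on a forged record. The fixed keys and IV are there only to make the run reproducible; a real record layer derives fresh ones per connection.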