IETF Logo Mail Archive

Re: [TLS] rfc7366: is encrypt-then-mac implemented?

"Yngve N. Pettersen" <yngve@spec-work.net> Sat, 01 November 2014 23:36 UTC

Return-Path: <yngve@spec-work.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4FF81A1BA0 for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 16:36:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_37=0.6, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QpM9tsov8Shh for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 16:36:55 -0700 (PDT)
Received: from smtp.domeneshop.no (smtp.domeneshop.no [IPv6:2a01:5b40:0:252::55]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E7AB1A1B9A for <tls@ietf.org>; Sat, 1 Nov 2014 16:36:54 -0700 (PDT)
Received: from 151.170.251.212.customer.cdi.no ([212.251.170.151]:59964 helo=killashandra.invalid.invalid) by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <yngve@spec-work.net>) id 1XkiE0-0007B7-NI; Sun, 02 Nov 2014 00:36:52 +0100
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: tls@ietf.org, Manuel Pégourié-Gonnard <mpg@polarssl.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9DB35D@uxcn10-5.UoA.auckland.ac.nz> <op.xonuwux33dfyax@killashandra.invalid.invalid> <54555161.1040606@polarssl.org> <op.xon248yd3dfyax@killashandra.invalid.invalid> <54556D32.80100@polarssl.org>
Date: Sun, 02 Nov 2014 00:36:40 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From: "Yngve N. Pettersen" <yngve@spec-work.net>
Message-ID: <op.xon6jerc3dfyax@killashandra.invalid.invalid>
In-Reply-To: <54556D32.80100@polarssl.org>
User-Agent: Opera Mail/12.17 (Win32)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/1DWtnt5NekvoM8qx9A9v5umMeUA
Subject: Re: [TLS] rfc7366: is encrypt-then-mac implemented?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Nov 2014 23:36:58 -0000

On Sun, 02 Nov 2014 00:30:58 +0100, Manuel Pégourié-Gonnard  
<mpg@polarssl.org> wrote:

> (Cutting a lot of details where we agree about the important points, to  
> get to
> the "what should be done now" part.)
>
> On 01/11/2014 23:23, Yngve N. Pettersen wrote:
>> On Sat, 01 Nov 2014 22:32:17 +0100, Manuel Pégourié-Gonnard
>> <mpg@polarssl.org> wrote:
>>> I'm under the impression that Peter's paragraph in [1] suits this goal.
>>>
>>> [1]  
>>> http://mailarchive.ietf.org/arch/msg/tls/3NOHlIUShLo9AAzXx4t2u7QV8Sw
>>>
>>> Do you agree? I reproduce the specific paragraph here for convenience's
>>> sake:
>>>
>>>   Note that the value of the 'uint16 length' field in the TLSCiphertext
>>> record
>>>   differs from the length value used in the MAC calculation, since the
>>>   TLSCiphertext record contains both the ciphtertext and the MAC, while
>>> the
>>>   MAC calculation is performed only over the ciphertext.  So the length
>>> value
>>>   encoded in the TLSCiphertext record is 'length' while the length  
>>> value
>>> used
>>>   in the MAC calculation is 'length - SecurityParameters.mac_length'.
>>
>> It seems to describe the conclusions above, indeed, but personally I  
>> would
>> prefer that the formula should not reference TLSCiphertext.length at  
>> all,
>> but instead refer to the length of the field with the encrypted data, or
>> specifically defined as avariable in a separate formula as 'length -
>> SecurityParameters.mac_length'. Less chance of confusion, that way, and
>> having multiple values of a variable is never a good idea, unless it is
>> inside an algorithm that explicitly update the values as part of a step,
>> after it was used for something.
>>
> 100% agreed, I think for me the use of the same name for two different  
> values
> was the root cause of the confusion. How about combining Peter's above  
> paragraph
> with my proposed rewriting of the MAC calculation as:
>
>            In TLS [2] notation, the MAC calculation for TLS 1.0 without
>    the explicit Initialization Vector (IV) is:
>
>    MAC(MAC_write_key, seq_num +
>        TLSCipherText.type +
>        TLSCipherText.version +
>        length of (ENC(content + padding + padding_length)) +
>        ENC(content + padding + padding_length));
>
>    and for TLS 1.1 and greater with an explicit IV is:
>
>    MAC(MAC_write_key, seq_num +
>        TLSCipherText.type +
>        TLSCipherText.version +
>        length of (IV + ENC(content + padding + padding_length)) +
>        IV +
>        ENC(content + padding + padding_length));
>
>     where the length is encoded as two bytes in the usual way.
>
> It's admittedly not he most elegant, but at least it's clear and  
> unambiguous,
> which is probably more important than elegance for an erratum.

That looks fairly OK to me.

A possible tweak one could add, is to define

     encrypted_content = ENC(content + padding + padding_length)

and use that in the formula instead.



-- 
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/

v2.23.0 | Report a Bug | By Email