Re: [TLS] rfc7366: is encrypt-then-mac implemented?
"Yngve N. Pettersen" <yngve@spec-work.net> Sat, 01 November 2014 23:36 UTC
Return-Path: <yngve@spec-work.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4FF81A1BA0 for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 16:36:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_37=0.6, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QpM9tsov8Shh for <tls@ietfa.amsl.com>; Sat, 1 Nov 2014 16:36:55 -0700 (PDT)
Received: from smtp.domeneshop.no (smtp.domeneshop.no [IPv6:2a01:5b40:0:252::55]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E7AB1A1B9A for <tls@ietf.org>; Sat, 1 Nov 2014 16:36:54 -0700 (PDT)
Received: from 151.170.251.212.customer.cdi.no ([212.251.170.151]:59964 helo=killashandra.invalid.invalid) by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <yngve@spec-work.net>) id 1XkiE0-0007B7-NI; Sun, 02 Nov 2014 00:36:52 +0100
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: tls@ietf.org, Manuel Pégourié-Gonnard <mpg@polarssl.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9DB35D@uxcn10-5.UoA.auckland.ac.nz> <op.xonuwux33dfyax@killashandra.invalid.invalid> <54555161.1040606@polarssl.org> <op.xon248yd3dfyax@killashandra.invalid.invalid> <54556D32.80100@polarssl.org>
Date: Sun, 02 Nov 2014 00:36:40 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From: "Yngve N. Pettersen" <yngve@spec-work.net>
Message-ID: <op.xon6jerc3dfyax@killashandra.invalid.invalid>
In-Reply-To: <54556D32.80100@polarssl.org>
User-Agent: Opera Mail/12.17 (Win32)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/1DWtnt5NekvoM8qx9A9v5umMeUA
Subject: Re: [TLS] rfc7366: is encrypt-then-mac implemented?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Nov 2014 23:36:58 -0000
On Sun, 02 Nov 2014 00:30:58 +0100, Manuel Pégourié-Gonnard <mpg@polarssl.org> wrote: > (Cutting a lot of details where we agree about the important points, to > get to > the "what should be done now" part.) > > On 01/11/2014 23:23, Yngve N. Pettersen wrote: >> On Sat, 01 Nov 2014 22:32:17 +0100, Manuel Pégourié-Gonnard >> <mpg@polarssl.org> wrote: >>> I'm under the impression that Peter's paragraph in [1] suits this goal. >>> >>> [1] >>> http://mailarchive.ietf.org/arch/msg/tls/3NOHlIUShLo9AAzXx4t2u7QV8Sw >>> >>> Do you agree? I reproduce the specific paragraph here for convenience's >>> sake: >>> >>> Note that the value of the 'uint16 length' field in the TLSCiphertext >>> record >>> differs from the length value used in the MAC calculation, since the >>> TLSCiphertext record contains both the ciphtertext and the MAC, while >>> the >>> MAC calculation is performed only over the ciphertext. So the length >>> value >>> encoded in the TLSCiphertext record is 'length' while the length >>> value >>> used >>> in the MAC calculation is 'length - SecurityParameters.mac_length'. >> >> It seems to describe the conclusions above, indeed, but personally I >> would >> prefer that the formula should not reference TLSCiphertext.length at >> all, >> but instead refer to the length of the field with the encrypted data, or >> specifically defined as avariable in a separate formula as 'length - >> SecurityParameters.mac_length'. Less chance of confusion, that way, and >> having multiple values of a variable is never a good idea, unless it is >> inside an algorithm that explicitly update the values as part of a step, >> after it was used for something. >> > 100% agreed, I think for me the use of the same name for two different > values > was the root cause of the confusion. How about combining Peter's above > paragraph > with my proposed rewriting of the MAC calculation as: > > In TLS [2] notation, the MAC calculation for TLS 1.0 without > the explicit Initialization Vector (IV) is: > > MAC(MAC_write_key, seq_num + > TLSCipherText.type + > TLSCipherText.version + > length of (ENC(content + padding + padding_length)) + > ENC(content + padding + padding_length)); > > and for TLS 1.1 and greater with an explicit IV is: > > MAC(MAC_write_key, seq_num + > TLSCipherText.type + > TLSCipherText.version + > length of (IV + ENC(content + padding + padding_length)) + > IV + > ENC(content + padding + padding_length)); > > where the length is encoded as two bytes in the usual way. > > It's admittedly not he most elegant, but at least it's clear and > unambiguous, > which is probably more important than elegance for an erratum. That looks fairly OK to me. A possible tweak one could add, is to define encrypted_content = ENC(content + padding + padding_length) and use that in the formula instead. -- Sincerely, Yngve N. Pettersen Using Opera's mail client: http://www.opera.com/mail/
- [TLS] rfc7366: is encrypt-then-mac implemented? Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Ilari Liusvaara
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Henrick Hellström
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Yngve N. Pettersen
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- [TLS] record-level version number in ClientHello Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Yngve N. Pettersen
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Yngve N. Pettersen
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] record-level version number in ClientHe… Martin Thomson
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- [TLS] rfc7366: status Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: status Martin Rex