Re: [TLS] TLS 1.2 Long-term Support Profile draft posted

Henrick Hellström <henrick@streamsec.se> Tue, 29 March 2016 01:23 UTC

Return-Path: <henrick@streamsec.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2125312D0AC for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 18:23:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yhb3j5UvNK3e for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 18:23:15 -0700 (PDT)
Received: from vsp2.ballou.se (vsp2.ballou.se [91.189.40.83]) by ietfa.amsl.com (Postfix) with SMTP id 265FE12D0B8 for <tls@ietf.org>; Mon, 28 Mar 2016 18:23:14 -0700 (PDT)
X-Halon-Scanned: 7f4a955dd6f4c149d51110a345668da22aa82d04
Received: from nmail1.ballou.se (unknown [10.0.0.116]) by vsp2.ballou.se (Halon Mail Gateway) with ESMTP for <tls@ietf.org>; Tue, 29 Mar 2016 03:23:11 +0200 (CEST)
Received: from [192.168.0.190] (c-76cbe555.06-134-73746f39.cust.bredbandsbolaget.se [85.229.203.118]) (Authenticated sender: henrick@streamsec.se) by nmail1.ballou.se (Postfix) with ESMTPSA id 939FAC93DD for <tls@ietf.org>; Tue, 29 Mar 2016 03:23:18 +0200 (CEST)
References: <9A043F3CF02CD34C8E74AC1594475C73F4C2374E@uxcn10-tdc05.UoA.auckland.ac.nz> <CACsn0cks1tvdcYkVRj9r3TZe1GEcNA5f2x14PQntk3j1Ws+rPg@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C25E6A@uxcn10-tdc05.UoA.auckland.ac.nz>
To: tls@ietf.org
From: =?UTF-8?Q?Henrick_Hellstr=c3=b6m?= <henrick@streamsec.se>
Message-ID: <56F9D8FD.8020402@streamsec.se>
Date: Tue, 29 Mar 2016 03:23:09 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.0
MIME-Version: 1.0
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4C25E6A@uxcn10-tdc05.UoA.auckland.ac.nz>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/1sNGJkZEB_SGdU5hUDY2cvjYMU0>
Subject: Re: [TLS] TLS 1.2 Long-term Support Profile draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: henrick@streamsec.se
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2016 01:23:18 -0000

On 2016-03-18 09:57, Peter Gutmann wrote:
> Watson Ladd<watsonbladd@gmail.com>;  writes:
>
>> >As written supporting this draft requires adopting the encrypt-then-MAC
>> >extension. But there already is a widely implemented secure way to use MACs
>> >in TLS: AES-GCM.
> This is there as an option if you want it.  Since it offers no length hiding,
> it's completely unacceptable to some users, for example one protocol uses TLS
> to communicate monitoring commands to remote gear, they're very short and
> fixed-length, different for each command, so if you use GCM you may as well be
> sending plaintext.  In addition GCM is incredibly brittle, get the IV handling
> wrong and you get a complete, catastrophic loss of both integrity and
> confidentiality.  The worst that happens with CBC, even with a complete abuse
> like using an all-zero IV, is that you drop back to ECB mode.

Indeed. For instance, if VM reset attacks are a concern, GCM is arguably 
a worse option than CBC, in particular if the CBC record IV generation 
can be made to be random even in the case of a VM reset attack.

http://crypto.stackexchange.com/questions/32203/is-tls-secure-against-vm-reset-attacks