Re: [TLS] Are the AEAD cipher suites a security trade-off win with TLS1.2?

Colm MacCárthaigh <colm@allcosts.net> Wed, 16 March 2016 16:54 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DA1B12D62E for <tls@ietfa.amsl.com>; Wed, 16 Mar 2016 09:54:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LJ5HCR3U59uN for <tls@ietfa.amsl.com>; Wed, 16 Mar 2016 09:54:06 -0700 (PDT)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FED012D569 for <tls@ietf.org>; Wed, 16 Mar 2016 09:54:06 -0700 (PDT)
Received: by mail-yw0-x22d.google.com with SMTP id g3so69277737ywa.3 for <tls@ietf.org>; Wed, 16 Mar 2016 09:54:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=SRN5wbPZdTFyXiztkgmnWU7uQjQ47GzxI9rK85Dkcww=; b=CBgiLCKDQdMQJdr0ftqdpfy+oBpaoWj79/4WHESjEgSB46VC8lLWdyBEEiw4jREG1k 1dkV3FfO/T/ULBegyD8Ex+bIWnrbNBBiqlsPs1QubM4SDHH8lG364sfS8U0vv7nOI72n q+7Fi37w2pc/4i8/Kap9X5JJift/Eb/910YAZVgTgMGSVlcPIVe73PjCi8G114zvJkev 1YTl7U043L5OvOfQKTuu6lspLl+IhAjPxqCgCFSgYPmIM3GylY2zf9g6E5trWr5FP4h7 /VhmCM6JXS/FLBImWkNka4lMp2URkR95/g7ODgPzPgat/syzWdKvGc4rlh50sgSXOO0j OjPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=SRN5wbPZdTFyXiztkgmnWU7uQjQ47GzxI9rK85Dkcww=; b=SSgHNG+ybB2FugsIrChEF4oI9oKL1VKRoUBxyd0vHmnkzjIC3QTi6VWP2E7mbILyXm kWb95VhKtRW1eYmbgk2KPvMBY71zKInp3okHhCtlaWsyKaSJtasuk2rCA4NpMQ+Bo7JH 6aN3CUgOVXs90EfcdKmQygzLJX0OR8LwSuXV1HRU59ejVohotdUvyOXJGP2oG9tz6lqV iueWGr7iVz/ZVbA5bZo2rzjOx5xG1BiLikc0wSz8EEOmBaA8WyfX+LYTvdbCrTrHO0up tYZFtmmoJtMZTVkYsaBWpjT/B0GVH+HU7WVgZFE25YcBGbEMtCom2eAAyLYKrFu041Ee xbbA==
X-Gm-Message-State: AD7BkJJT4bmILP893HQOXUQ2/FIqAnp8Zc3h+7f2tD8ODuE2r20B1WCtAW3RaErW05j1VkkY8OwDqL0O01qlBw==
MIME-Version: 1.0
X-Received: by 10.13.192.5 with SMTP id b5mr2354332ywd.114.1458147245645; Wed, 16 Mar 2016 09:54:05 -0700 (PDT)
Received: by 10.129.32.196 with HTTP; Wed, 16 Mar 2016 09:54:05 -0700 (PDT)
In-Reply-To: <CA+cU71mRGgRqFvT85ascQ6FmSuubNSifVLpw131GHBO5qf2M7g@mail.gmail.com>
References: <CAAF6GDekw3stfYGd1q+Zzde--g5M0h9ZTWrVLVJxEwp+frQTHQ@mail.gmail.com> <CA+cU71mRGgRqFvT85ascQ6FmSuubNSifVLpw131GHBO5qf2M7g@mail.gmail.com>
Date: Wed, 16 Mar 2016 12:54:05 -0400
Message-ID: <CAAF6GDdzE8_uxtJ0TOmje4Uh2VdXEyiUDBmpaXZjwZUpeAQJxA@mail.gmail.com>
From: =?UTF-8?Q?Colm_MacC=C3=A1rthaigh?= <colm@allcosts.net>
To: Tom Ritter <tom@ritter.vg>
Content-Type: multipart/alternative; boundary=001a114e3f989b99b7052e2d5c7e
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/3L4JlDUlpEhfiSTbGwzUas_si38>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Are the AEAD cipher suites a security trade-off win with TLS1.2?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2016 16:54:08 -0000

On Wed, Mar 16, 2016 at 12:45 PM, Tom Ritter <tom@ritter.vg>; wrote:

> If a site wants to actively do something to make length-hiding harder
> - to the point where they're go in and prefer CBC ciphersuites - why
> not just add 5 lines of code to a header template, to insert some
> random data in a HTML comment?
>

Length hiding is a game of costs, doing more can always help. But one of
the benefits of being able to do it at the TLS layer  is that it also helps
you hide the length of the request.

I'm one of the biggest proponents for padding in TLS 1.3... and hope
> to see it used to make deployments of length-hiding and traffic
> analysis harder, so the HTML comment or similar tricks would be
> easier, more robust, and not require site modifications.  But I don't
> think going back to CBC mode is a good idea.
>

Why?

-- 
Colm