IETF Logo Mail Archive

Re: [TLS] rfc7366: is encrypt-then-mac implemented?

mrex@sap.com (Martin Rex) Thu, 06 November 2014 00:36 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30B521A1A3D for <tls@ietfa.amsl.com>; Wed, 5 Nov 2014 16:36:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.251
X-Spam-Level:
X-Spam-Status: No, score=-6.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id peLxtbidTtmz for <tls@ietfa.amsl.com>; Wed, 5 Nov 2014 16:36:06 -0800 (PST)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E3A81A1A33 for <tls@ietf.org>; Wed, 5 Nov 2014 16:36:06 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id EA6713A219; Thu, 6 Nov 2014 01:36:04 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 987DF41A4B; Thu, 6 Nov 2014 01:36:04 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 8E3081AF95; Thu, 6 Nov 2014 01:36:04 +0100 (CET)
In-Reply-To: <545ABDCB.2050305@polarssl.org>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
Date: Thu, 06 Nov 2014 01:36:04 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20141106003604.8E3081AF95@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/3xXgVjkpp5m-rqmJsQo2kw9F0bo
Cc: tls@ietf.org
Subject: Re: [TLS] rfc7366: is encrypt-then-mac implemented?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Nov 2014 00:36:08 -0000

Manuel Pégourié-Gonnard wrote:
[ Charset windows-1252 unsupported, converting... ]
> On 06/11/2014 00:58, Martin Rex wrote:
> > I agree with many parts of your root cause analysis why the content
> > of rfc7366 is a failure (beyond fixing through the errata process).
> > 
> Really? Could you please elaborate on why you think the proposed fixes in [1]
> (undoubling the doubled paragraph) and [2] are not correct fixes suitable for an
> erratum?
> 
> [1] http://mailarchive.ietf.org/arch/msg/tls/3NOHlIUShLo9AAzXx4t2u7QV8Sw
> [2] http://mailarchive.ietf.org/arch/msg/tls/zYBKe9L9n3tNZ_SBWn77ubLzNPs


I had included the rationale in the mail from which you quote above:

>>
>> It doesn't really matter whether the seriously misleading and
>> backwards-incompatible protocol in rfc7366 could be hacked to
>> produce the same "bits-on-the-wire" as what was actually intended
>> protocol-wise, by frobbing the semantics and content of the
>> length field of the redefined rfc7366 TLSCiphertext and frobbing
>> the MAC computation.

It would be like publishing

   2+2 = 5

and then posting an errata that says

   ...provided that the first instance of "2" is sufficiently close to "3".


I've seen a number of discussion where longterm IETF folks (including ADs)
were significantly opposed to adding a clarifying sentence through errata
(which indicates that a sender will have to include a certain element
in a list of elements or one specific scenario will fail interop),

and among the reasons for why such a one-line clarification would
go beyond the purpose of the errata process were:
  (1) not all implementors with read erratas (or notice that an errata exists)
  (2) this is a new requirement and changes the protocol

While (1) is certainly true, I believe that it didn't apply on the
specific errata.  (2) certainly was a bogus claim, because it did
not change any requirements at all (it's just one of several implied
requirements), and the purpose of the clarification was to make it
known to implementors ahead of time _why_ they will face interop
failures in specific scenarios if they didn't recognize or understand
this implied requirement.


The problem with rfc7366 is that what the published specification describes
is not what folks have (or want to implement), and an implementation of
what rfc7366 truely specifies will be entirely non-interoperable with
what folks want and do.  And rfc7366 is even more misleading about
the _real_ TLS protocol PDUs than the original SSLv3 and TLS documents.


-Martin

v2.23.0 | Report a Bug | By Email