Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

mrex@sap.com (Martin Rex) Wed, 25 September 2013 21:25 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 485DF11E810F for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 14:25:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.163
X-Spam-Level:
X-Spam-Status: No, score=-10.163 tagged_above=-999 required=5 tests=[AWL=0.086, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tx4fu5E74NnQ for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 14:25:40 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 967C011E80DF for <tls@ietf.org>; Wed, 25 Sep 2013 14:25:33 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r8PLPWCX017452 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 25 Sep 2013 23:25:32 +0200 (MEST)
In-Reply-To: <20130925210954.825521A9A7@ld9781.wdf.sap.corp>
To: mrex@sap.com
Date: Wed, 25 Sep 2013 23:25:32 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130925212532.B3FB01A9A7@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: "<tls@ietf.org>" <tls@ietf.org>, Alfredo Pironti <alfredo@pironti.eu>
Subject: Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2013 21:25:45 -0000

Martin Rex wrote:
> Alfredo Pironti wrote:
> > Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> > > Eric Rescorla <ekr@rtfm.com> writes:
> > >
> > >> - Maybe I am misreading the draft, but I'm unclear on how you get
> > >>    the TLSCompressed.length for the MAC computation in Section 3.
> > >>    Does this have the same issue as was raised for McGrew's CBC AEAD
> > >>    draft?
> 
> Eric is correct, the definition of the MAC in Peter's draft is
> obviously incorrect (and likely does not match Peter's implementation):
> 
> TLSv1.0:  https://tools.ietf.org/html/rfc2246#section-6.2.3.1
> 
>    The MAC is generated as:
> 
>        HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
>                      TLSCompressed.version + TLSCompressed.length +
>                      TLSCompressed.fragment));
> 
> When changing from mac-pad-encrypt to encrypt-mac, as suggested
> by Peter's draft, the MAC no longer operates on the TLSComressed PDU,
> but on the TLSCiphertext PDU -- which results in:
> 
>        HMAC_hash(MAC_write_secret, seq_num + TLSCiphertext.type +
>                      TLSCiphertext.version + TLSCiphertext.length +
>                      TLSCiphertext.fragment));
> 
>     The computation of TLSCompressed.length on receive changes slightly,
>     because there no longer is a MAC trailing the data after decrypt.

I forgot:
Peter's proposal includes the CBC-IV in the MAC computation for TLSv1.0,
but this isn't technically necessary.  In TLSv1.1, the MAC _must_
include the IV, but the IV is already part of TLSCiphertext.

Curiously, for decrypt, the way the TLSv1.1 GenericBlockCipher PDU 
is specified, it uses a fixed zero IV and a block-sized "random confounder"
that is covered by the MAC, but ignored after decrypt (reminds me of Kerberos)

-Martin