Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt
Nikos Mavrogiannopoulos <nmav@gnutls.org> Tue, 24 September 2013 08:06 UTC
Message-ID: <524147F0.1040507@gnutls.org>
Date: Tue, 24 Sep 2013 10:06:08 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C7355676092@uxcn10-6.UoA.auckland.ac.nz>
Cc: "<tls@ietf.org>" <tls@ietf.org>
On 09/24/2013 06:52 AM, Peter Gutmann wrote:

>> The innovate refers to how the current EtA proposal by Peter
>> ignores all best practices in implementing EtA in protocols.
>
> You seem to be saying there that HMAC has security problems unless
> it's truncated, which is something that AFAIK no other cryptographer
> has ever noticed. Perhaps you could clarify the weakness for the
> list, and then consider publishing a conference paper on it. It
> sounds like an amazing breakthrough in the cryptanalysis of HMAC.

No, I am not saying that, and please do not twist my words to make a point. I say that best current practice in protocols is to follow the Preneel-van Oorschot advice and truncate the hash-based MAC to prevent certain attacks (described in their paper). You do not follow this advice in your proposal and you give no reasons why. The only reason I've heard against truncation is some story you repeat about IP header space. Both the IPSec RFCs and people who participated in the discussions say otherwise, and thus make your claim unconvincing. I may be wrong and truncation may not be needed, but you give no convincing reasons why.

>> Existing EtA protocols like IPSec truncate the HMAC to avoid
>> revealing the whole internal state of the hash algorithm.
>
> S/MIME doesn't truncate it. TLS doesn't truncate it. PGP (although
> that doesn't really use a MAC, but still...) doesn't truncate it.

TLS doesn't truncate it because it uses the AtE mode, which means it is encrypted (and thus the simple hash-based-MAC attacks don't directly apply). S/MIME and PGP aren't online protocols and use the MAC key for a single message, thus several attacks don't apply to them.

regards,
Nikos
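The encrypt-then-MAC construction with a truncated HMAC tag that the message argues for, as an added illustration that is not code from the thread, the draft, or any TLS implementation. It assumes a toy SHA-256 counter-mode keystream in place of a real cipher (so it runs with the standard library alone), a 128-bit tag truncated from HMAC-SHA256, and a nonce standing in for the TLS sequence number and record header that a real record layer would also MAC.

```python
import hashlib
import hmac

TAG_LEN = 16  # assumption: 128-bit truncated tag, as IPsec does with HMAC-SHA1-96 style truncation


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; a placeholder for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # MAC covers the nonce and the ciphertext; the digest is truncated so the
    # tag on the wire does not expose the full internal hash state.
    full = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return full[:TAG_LEN]


def etm_seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt first, then MAC the ciphertext (EtM). Returns (ciphertext, tag)."""
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct, _tag(mac_key, nonce, ct)


def etm_open(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Verify the tag in constant time before decrypting; None on any mismatch."""
    if len(tag) != TAG_LEN or not hmac.compare_digest(_tag(mac_key, nonce, ct), tag):
        return None  # reject without touching the ciphertext
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Constructed sample keys and record (not from the thread).
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32
NONCE = (0).to_bytes(8, "big")  # stands in for the TLS record sequence number

if __name__ == "__main__":
    ct, tag = etm_seal(ENC_KEY, MAC_KEY, NONCE, b"GET / HTTP/1.1\r\n")
    print(len(tag), etm_open(ENC_KEY, MAC_KEY, NONCE, ct, tag))
```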