Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

Dr Stephen Henson <> Sun, 22 September 2013 18:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5A19621F9C8E for <>; Sun, 22 Sep 2013 11:34:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2BCgajLqOFh0 for <>; Sun, 22 Sep 2013 11:34:46 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C215821F9C55 for <>; Sun, 22 Sep 2013 11:34:46 -0700 (PDT)
Received: from ([]:29915 helo=[]) by ( []:10465) with esmtpa (authdaemon_plain:drh) id 1VNoUQ-0004s0-4d for (return-path <>); Sun, 22 Sep 2013 18:34:38 +0000
Message-ID: <>
Date: Sun, 22 Sep 2013 19:34:34 +0100
From: Dr Stephen Henson <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 22 Sep 2013 18:34:51 -0000

On 20/09/2013 17:10, Christian Kahlo wrote:
> Even some other standards bodies like ISO, CEN, BSI, etc. agreed on CBC-modes
> (with or without EtM) as a lowest common factor with TLS.
> So CBC WILL(!) exist regardless what you're specifying here. ;-)
> There also at least implementations in our Federal project, OpenSSL, Bouncy
> Castle and as I heard CyaSSL, too.

This has some interesting parallels with FIPS 140-2. Currently the only approved
symmetric algorithms for FIPS 140-2 and TLS are AES-GCM, AES-CBC and DES3-CBC.
If you can't deploy TLS 1.2 you're then stuck with CBC.

Getting new algorithms approved by a standards body wont happen overnight and
might not happen at all. Algorithms tests and implementation guidance,
discussion periods etc will be needed all of which takes time.

On top of that adding new algorithms to an existing module requires retesting,
typically on every platform affected. That is expensive and laborious but wont
dent larger corporations budgets much. What will hurt more is that getting a new
validation done might take 9 months to a year after submission (more in some
cases) to get final approval.

What that means in practice is that when ciphersuites using new algorithms are
approved for TLS expect a delay of 1-2 years before they can be deployed with
FIPS 140-2 and they may not even get approved at all.

By contrast Peter's ETM spec, as it doesn't need any new algorithms, could be
deployed as soon as it is approved.

I'm not saying that we don't approve new algorithms and ciphers suites. I'm
saying we need ETM as well.

Dr Stephen N. Henson.
Core developer of the   OpenSSL project:
Freelance consultant see:
Email:, PGP key: via homepage.