IETF Logo Mail Archive

Re: [TLS] Would this fix RC4 again? (was Re: Encrypt-then-MAC again (was Re: padding bug))

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Thu, 14 November 2013 09:48 UTC

Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BD2D21E8092 for <tls@ietfa.amsl.com>; Thu, 14 Nov 2013 01:48:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.099
X-Spam-Level:
X-Spam-Status: No, score=-3.099 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bUZUkSw+Xqpr for <tls@ietfa.amsl.com>; Thu, 14 Nov 2013 01:48:33 -0800 (PST)
Received: from db8outboundpool.messaging.microsoft.com (mail-db8lp0188.outbound.messaging.microsoft.com [213.199.154.188]) by ietfa.amsl.com (Postfix) with ESMTP id 8475521E81E2 for <tls@ietf.org>; Thu, 14 Nov 2013 01:48:31 -0800 (PST)
Received: from mail163-db8-R.bigfish.com (10.174.8.238) by DB8EHSOBE019.bigfish.com (10.174.4.82) with Microsoft SMTP Server id 14.1.225.22; Thu, 14 Nov 2013 09:48:30 +0000
Received: from mail163-db8 (localhost [127.0.0.1]) by mail163-db8-R.bigfish.com (Postfix) with ESMTP id EA24920402; Thu, 14 Nov 2013 09:48:29 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.249.149; KIP:(null); UIP:(null); IPV:NLI; H:AM2PRD0311HT004.eurprd03.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -12
X-BigFish: PS-12(z579ehzbb2dIdb82h98dI936eI1444M1432Izz1f42h208ch1ee6h1de0h1d18h1fdah2073h2146h1202h1e76h1d1ah1d2ah1fc6hzz1de098h17326ah8275bh1de097h186068h5eeeKz2dh109h2a8h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah2222h224fh1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1fe8h1ff5h209eh2216h1155h)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(199002)(189002)(377424004)(479174003)(243025003)(24454002)(51884002)(51704005)(81686001)(81342001)(561944002)(80976001)(74366001)(65816001)(80022001)(66066001)(19580395003)(83322001)(19580405001)(36756003)(63696002)(81542001)(83506001)(76176001)(74876001)(46102001)(15975445006)(4396001)(83072001)(51856001)(47736001)(54316002)(49866001)(47976001)(50986001)(74482001)(85306002)(87266001)(74662001)(31966008)(77096001)(56816003)(54356001)(47446002)(74502001)(56776001)(76482001)(81816001)(79102001)(53806001)(77982001)(59766001)(69226001)(74706001)(2656002)(76786001)(15202345003)(76796001)(87936001); DIR:OUT; SFP:; SCL:1; SRVR:AMXPR03MB277; H:AMXPR03MB277.eurprd03.prod.outlook.com; CLIP:80.42.233.244; FPR:; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Received: from mail163-db8 (localhost.localdomain [127.0.0.1]) by mail163-db8 (MessageSwitch) id 1384422485514938_13838; Thu, 14 Nov 2013 09:48:05 +0000 (UTC)
Received: from DB8EHSMHS014.bigfish.com (unknown [10.174.8.236]) by mail163-db8.bigfish.com (Postfix) with ESMTP id 5DDB1B400A2; Thu, 14 Nov 2013 09:47:58 +0000 (UTC)
Received: from AM2PRD0311HT004.eurprd03.prod.outlook.com (157.56.249.149) by DB8EHSMHS014.bigfish.com (10.174.4.24) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 14 Nov 2013 09:47:58 +0000
Received: from AMXPR03MB277.eurprd03.prod.outlook.com (10.242.69.140) by AM2PRD0311HT004.eurprd03.prod.outlook.com (10.255.162.39) with Microsoft SMTP Server (TLS) id 14.16.371.2; Thu, 14 Nov 2013 09:47:47 +0000
Received: from AMXPR03MB277.eurprd03.prod.outlook.com (10.242.69.140) by AMXPR03MB277.eurprd03.prod.outlook.com (10.242.69.140) with Microsoft SMTP Server (TLS) id 15.0.820.5; Thu, 14 Nov 2013 09:47:47 +0000
Received: from AMXPR03MB277.eurprd03.prod.outlook.com ([169.254.16.247]) by AMXPR03MB277.eurprd03.prod.outlook.com ([169.254.16.247]) with mapi id 15.00.0820.005; Thu, 14 Nov 2013 09:47:47 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Michael D'Errico <mike-list@pobox.com>, Nikos Mavrogiannopoulos <nmav@gnutls.org>
Thread-Topic: [TLS] Would this fix RC4 again? (was Re: Encrypt-then-MAC again (was Re: padding bug))
Thread-Index: AQHO4PAxMRQ/mzXm60e0wr02WrBPbZokez6A
Date: Thu, 14 Nov 2013 09:47:46 +0000
Message-ID: <CEAA4BE3.EE7B%kenny.paterson@rhul.ac.uk>
In-Reply-To: <52844E54.8000606@pobox.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.8.130913
x-originating-ip: [80.42.233.244]
x-forefront-prvs: 0030839EEE
Content-Type: text/plain; charset="us-ascii"
Content-ID: <4EB9E47C9478214FAFAE0A6D83D7AFCD@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Would this fix RC4 again? (was Re: Encrypt-then-MAC again (was Re: padding bug))
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Nov 2013 09:48:48 -0000

On 14/11/2013 04:15, "Michael D'Errico" <mike-list@pobox.com> wrote:

>Nikos Mavrogiannopoulos wrote:
>> On Tue, 2013-11-12 at 23:29 +0100, Martin Rex wrote:
>>> You proposal adds the padding at the beginning only.  Since the
>>> problem exhibited by RC4 is inherent to any XOR-encryption with
>>> a pseudo-random-pad, AES-CCM, AES-GCM, etc. I would make such an
>>> extension use random fraction, random content, authenticated padding
>>> on both sides of the plaintext, with a combined minimum padding length
>>>of
>>> at least 16 bytes, in order to mitigate statistical attacks on
>>> any bias that may be found in the pseudo-random-pad.
>> 
>> The above draft does:
>> 1. prevent padding oracle attacks
>> 2. hide the length of the plaintext
>> 
>> What you propose there is having the plaintext appear and finish in an
>> unpredictable position. That's an interesting approach, not handled by
>> the draft above.
>> 
>> In simple terms you're asking for more bells and whistles :)
>
>If I recall correctly from DJB's paper, the problem with RC4 is bias in
>the first 256 or so bytes of the key stream.

You recall incorrectly. Re-read sections 4.2, 5.2, 5.3.3 and 7 of the
paper:

http://www.isg.rhul.ac.uk/tls/RC4biases.pdf


>Would it be possible to
>"fix" RC4 using this extension? Simply insert a random amount (at
>least 256 bytes) of pseudo-random padding at the beginning of the first
>record sent using an RC4 cipher suite?

No.

Please read Section 7 of the paper. This idea, and variants of it, are
specifically addressed and dismissed.

Regards,

Kenny

v2.23.0 | Report a Bug | By Email