Re: [TLS] padding bug (was: Re: Requesting feedback on TACK draft)

Bodo Moeller <bmoeller@acm.org> Tue, 24 September 2013 14:30 UTC

In-Reply-To: <CE538FA7.A524%kenny.paterson@rhul.ac.uk>
References: <CALR0uiKTySMMRBKC8pDAvg_Fy8m8SA+Gj-te6WnQvB9w=MLcfw@mail.gmail.com> <CE538FA7.A524%kenny.paterson@rhul.ac.uk>
Date: Tue, 24 Sep 2013 16:30:13 +0200
Message-ID: <CADMpkc+fErXMzB_g8M-PiR+s-94p1=kN=Zi8+1Oftppqe8Zv8g@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Cc: Alfredo Pironti <alfredo@pironti.eu>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] padding bug (was: Re: Requesting feedback on TACK draft)

> 1. There is some formal support for the "Pad-then-encrypt-then-MAC"
> approach being used in the above Approach #1 in the following paper:

I think here you meant "Pad-then-MAC-then-encrypt".

> Kenneth G. Paterson and Gaven J. Watson
>
> Authenticated-Encryption with Padding: A Formal Security Treatment
> Cryptography and Security: From Theory to Applications
>
> Lecture Notes in Computer Science Volume 6805, 2012, pp 83-107.
>
> http://link.springer.com/book/10.1007/978-3-642-28368-0
>
> See in particular, Theorem 8 in the paper.
>
> Unfortunately, this paper is behind Springer's paywall. For those on the
> list without access, you can access the same content in Chapter 5 (Theorem
> 5.6, page 96) of Gaven Watson's Ph.D. Thesis, available here:
>
> http://www.isg.rhul.ac.uk/~kp/theses/GWthesis.pdf
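The ordering being corrected above is the whole point, so here is a worked illustration of the two compositions side by side. This is an added example, not code from the thread or from the Paterson-Watson paper: it uses a constructed 16-byte Feistel permutation built from HMAC-SHA256 as a stand-in for a real block cipher, TLS-style padding (p+1 bytes each equal to p), and HMAC-SHA256 as the MAC; the 32-byte tag keeping the input block-aligned is likewise an assumption of this toy. In the classic MAC-then-pad-then-encrypt record the padding sits outside the MAC, so the receiver has a padding-check failure path that the MAC does not cover. In pad-then-MAC-then-encrypt the MAC is verified over the padded plaintext before the padding is even looked at, so a modified record is rejected at the MAC check and padding validity never becomes a separate observable.

```python
import hmac
import hashlib

BLOCK = 16     # block size of the constructed toy cipher
TAG_LEN = 32   # HMAC-SHA256 output length (2 * BLOCK, keeps things aligned)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # HMAC-SHA256 truncated to 8 bytes as the Feistel round function
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def _block_encrypt(key, block):
    # 4-round Feistel network over a 16-byte block: a constructed stand-in
    # for a real block cipher (e.g. AES) so the example runs offline.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def _block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = _block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(_block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def pad(data):
    # TLS-style padding: p+1 trailing bytes, each of value p
    p = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([p]) * (p + 1)


def unpad(data):
    p = data[-1]
    if p + 1 > len(data) or any(b != p for b in data[-(p + 1):]):
        return None
    return data[:-(p + 1)]


def mac_then_pad_then_encrypt(ek, mk, iv, msg):
    # Classic TLS 1.0-1.2 CBC record: the MAC covers msg only; padding is
    # appended afterwards and is therefore not authenticated.
    tag = hmac.new(mk, msg, hashlib.sha256).digest()
    return cbc_encrypt(ek, iv, pad(msg + tag))


def decrypt_mac_then_pad_then_encrypt(ek, mk, iv, ct):
    pt = unpad(cbc_decrypt(ek, iv, ct))
    if pt is None or len(pt) < TAG_LEN:
        return None   # padding failure: a second rejection path the MAC does not cover
    msg, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mk, msg, hashlib.sha256).digest()):
        return None
    return msg


def pad_then_mac_then_encrypt(ek, mk, iv, msg):
    # Padding first, then the MAC over the padded plaintext, then encryption.
    padded = pad(msg)
    tag = hmac.new(mk, padded, hashlib.sha256).digest()
    return cbc_encrypt(ek, iv, padded + tag)


def decrypt_pad_then_mac_then_encrypt(ek, mk, iv, ct):
    pt = cbc_decrypt(ek, iv, ct)
    if len(pt) < TAG_LEN + BLOCK:
        return None
    padded, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    # Verify the MAC before inspecting the padding: a modified record is
    # rejected here, so the padding check never acts as a separate signal.
    if not hmac.compare_digest(tag, hmac.new(mk, padded, hashlib.sha256).digest()):
        return None
    return unpad(padded)   # cannot fail for an honestly generated record


def demo():
    # Constructed keys, IV and message; returns (accepted, tampered) per scheme.
    ek, mk, iv = b"enc-key-constructed", b"mac-key-constructed", bytes(BLOCK)
    msg = b"hello, padded world"
    results = {}
    for name, enc, dec in [
        ("mac-then-pad-then-encrypt", mac_then_pad_then_encrypt, decrypt_mac_then_pad_then_encrypt),
        ("pad-then-mac-then-encrypt", pad_then_mac_then_encrypt, decrypt_pad_then_mac_then_encrypt),
    ]:
        ct = enc(ek, mk, iv, msg)
        tampered = ct[:-1] + bytes([ct[-1] ^ 0x01])   # flip one bit of the last block
        results[name] = (dec(ek, mk, iv, ct), dec(ek, mk, iv, tampered))
    return results
```

Both decryptors return a single uniform failure value; the difference worth noticing is structural: the second scheme has only one rejection step, the MAC comparison, which is what makes the padding-oracle class of bug a non-issue for it, whereas the first has to keep its padding and MAC failures indistinguishable by careful implementation.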