IETF Logo Mail Archive

Re: [TLS] padding bug

Ben Laurie <benl@google.com> Mon, 09 September 2013 14:30 UTC

Return-Path: <benl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21F7C21F9D0C for <tls@ietfa.amsl.com>; Mon, 9 Sep 2013 07:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmqFP5FREnnp for <tls@ietfa.amsl.com>; Mon, 9 Sep 2013 07:30:13 -0700 (PDT)
Received: from mail-ie0-x232.google.com (mail-ie0-x232.google.com [IPv6:2607:f8b0:4001:c03::232]) by ietfa.amsl.com (Postfix) with ESMTP id 763F421E81C8 for <tls@ietf.org>; Mon, 9 Sep 2013 07:19:34 -0700 (PDT)
Received: by mail-ie0-f178.google.com with SMTP id to1so2480042ieb.37 for <tls@ietf.org>; Mon, 09 Sep 2013 07:19:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=odEObAgFk4uyAAnD5T3+NEYvceWp+CFvUjdlRkQsF0U=; b=W6eGchWTTyproqdIE3JKawYSFeThkmI0VjbrUjeU+XSHfidMRlH00JEWbukZ7ZGRjU g0ogrdJrzVAO443lAvdSYDlMqgzpdgoi6NFL89f8uGQEMqqnIMlzIf38gh4nEYdgWBuo nAuqs1j2bCqAFHIfrlYzhokvLQK2zo0vr2FJViFvBgroB/mB9tTuCPP68/hKguxcCcVr jON/cZiIJN5kOqGZA3ujdyxr5hsSA7h5JJsF0j+c8f9Tzwx0+te7HSYPtiQxlGL+7QwQ T/W8Cg4z0vFBwmAE69YyTrFCKRpvgY5zLWJ2mnY5ACG5/MsYKygnjWHZl8eTXt0Ukz/Y Z7bg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=odEObAgFk4uyAAnD5T3+NEYvceWp+CFvUjdlRkQsF0U=; b=m7rH0sIUnQHDyN6iyDY9qciEoIAuA2hOrF7OPwJ2IF+3ucoNFtXep6sjC2bYwpqzey RHZ/YRhBvphC60Hvhedw9NOTqxTwpAK2GVmwhldu0QuDwwi+GLv6hfDy4d8svHk2nRCQ VKEXVZH1jwVjfRPP1J17ZoAd4/1xyrwVMGGa0WL6oAgXOH3Vyk3RCOLl7OZLUUGo33Hz +8SV+Jz/D+3bAeRDONZC7wyn3DqGwS7DqeGVvsM84gjL2Ga9lfj9XtfErm8+0R8zVRfg 2to7Sdi6aCcBhL3PC/2FFNPENLRE3CFwuPWfsqjdmwSzCLSZiIVutCcEGwP9kV/Gb9GY FxxA==
X-Gm-Message-State: ALoCoQl9cPgrEvw1Qis8DLVv5R86jRQeev66M4FaZcdJevQhFPvfTaEBH3MYUiq8JOQa4XD+hThnelQ6cqE88PPIDtgUELjX2TetzjUlP8sZTGW8+IHvvkGx1gqxDwOVHQ78qr2LOTCyHqu3FKlkybvIe/W5F4TITLxjXSkmcPEBkYo1vjMAeNr09E5Q8MIce36X4t7XpFL4
MIME-Version: 1.0
X-Received: by 10.42.214.202 with SMTP id hb10mr359124icb.76.1378736373957; Mon, 09 Sep 2013 07:19:33 -0700 (PDT)
Received: by 10.64.230.140 with HTTP; Mon, 9 Sep 2013 07:19:33 -0700 (PDT)
In-Reply-To: <CABrd9SSHzfFH03euDh1yP2AOxa7vQP2ds5EFyPrP-=BqJ7BOMA@mail.gmail.com>
References: <AAE0766F5AF36B46BAB7E0EFB927320630E4A54175@GBTWK10E001.Technology.local> <522BE808.4090405@stpeter.im> <522C6892.4020206@drh-consultancy.co.uk> <522C7FD8.1000301@drh-consultancy.co.uk> <CABrd9SSbv1owOq9RK-OY2YqfUHavpebYCdKUVd6MGSff_MiiWg@mail.gmail.com> <CABcZeBPcvB2i2Xo7ceiybgLUw8KgJz=aJaNWEfTekFY1RdYC7w@mail.gmail.com> <CABrd9SSHzfFH03euDh1yP2AOxa7vQP2ds5EFyPrP-=BqJ7BOMA@mail.gmail.com>
Date: Mon, 09 Sep 2013 15:19:33 +0100
Message-ID: <CABrd9SSZGitTh0s9MvLhe3rKLK97eP-HZriCcLyZkDAeHAqs6w@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="20cf301cc3b2cf319e04e5f413c2"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] padding bug
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2013 14:30:25 -0000

On 9 September 2013 14:31, Ben Laurie <benl@google.com> wrote:

>
>
>
> On 9 September 2013 14:01, Eric Rescorla <ekr@rtfm.com> wrote:
>
>> Ben,
>>
>> Generally, we're not doing advance code point assignments for documents
>> that haven't been accepted by the TLS WG.
>>
>> Of course, this naturally raises the question of whether this document
>> will
>> be accepted by the TLS WG. However, as I think recent discussion
>> indicates,
>> there are a number of proposed approaches and there isn't really consensus
>> to adopt this particular one (especially in view of the increased
>> adoption of existing
>> mechanisms such as GCM). If someone (Peter? You?) wants agenda time
>> to argue for this particular approach instead of others, we're happy to
>> have the
>> discussion in YVR. This of course also applies to proponents of other
>> approaches.
>>
>
> I'm not planning to be at YVR, what happened to using the mailing list for
> discussion?
>
> So, in favour of the WG adoption this I-D:
>
> 1. Nothing in this I-D prevents the adoption of other approaches.
>
> 2. If fixes the problem for all versions of TLS and SSLv3.
>
> 3. I've seen no objection that makes any sense. One objection I have seen
> was that it "may not protect from key-recovery in a weak MAC
> construction" - firstly, I am not aware of any such constructions in use in
> SSL/TLS, and secondly, if there are any, it would be trivial to deprecate
> their use in conjunction with this extension.
>
> How about we take a vote?
>

I am reminded that we don't vote - so I guess I should rephrase this as -
"so, should we adopt this I-D?".


>
> Note, BTW, that unless convinced otherwise, we intend to implement this in
> OpenSSL (it went into master yesterday), so you can consider that a vote in
> favour :-)
>
>
>> Best,
>> -Ekr
>>
>> [As Chair]
>>
>>
>>
>> On Sun, Sep 8, 2013 at 10:57 AM, Ben Laurie <benl@google.com> wrote:
>>
>>>
>>>
>>>
>>> On 8 September 2013 14:47, Dr Stephen Henson <
>>> lists@drh-consultancy.co.uk> wrote:
>>>
>>>> On 08/09/2013 13:07, Dr Stephen Henson wrote:
>>>> > On 08/09/2013 03:59, Peter Saint-Andre wrote:
>>>> >> [old thread alert!]
>>>> >>
>>>> >>
>>>> >>> 2.       An extension for Encrypt-then-MAC (i.e. this draft)
>>>> >>
>>>> >>> Was any consensus achieved as to the best approach?
>>>> >>
>>>> >
>>>> > I can add a data point to this. I spent an afternoon implementing
>>>> this (i.e.
>>>> > the encrypt then mac draft) a while ago in OpenSSL. It was pretty
>>>> easy to do
>>>> > and interoped fine with the test servers.
>>>> >
>>>> > I'll make it available as an experimental feature in OpenSSL master
>>>> branch.
>>>> >
>>>>
>>>> Well I've added this and spotted a problem. The draft extension value
>>>> (0x10)
>>>> clashes with the draft value used in the ALPN specification.
>>>>
>>>
>>> Given that the ALPN draft apparently has an allocated number, can we get
>>> one allocated to this I-D?
>>>
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email