Re: [TLS] Changes to draft-ietf-tls-dtls-heartbeat resulting from IESG review

Nikos Mavrogiannopoulos <nmav@gnutls.org> Tue, 06 December 2011 16:17 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 381E021F8BF3 for <tls@ietfa.amsl.com>; Tue, 6 Dec 2011 08:17:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QRoZ1KkI4nX8 for <tls@ietfa.amsl.com>; Tue, 6 Dec 2011 08:17:07 -0800 (PST)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 80EC621F8BF0 for <tls@ietf.org>; Tue, 6 Dec 2011 08:17:07 -0800 (PST)
Received: by wgbdr13 with SMTP id dr13so5189819wgb.13 for <tls@ietf.org>; Tue, 06 Dec 2011 08:17:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=nQGRQKPv4F6tPvDu+d5/Qeu4UHX7k6og9nJnhwaa2ao=; b=Lvxg7iKqLYL78Qrw0laFTfcjU8CiXYZOkvVpOvtTdhaJcD0OcPrZ0x4J8oB9Q3zOkI xoZSg6drVNIF5ZZuviUEkwB86AY9zeCpS2lDIUz+uYitG/BSsGlVSEKvTO1mGCwagloq 7GFq17uJ3yhJ0M61FKhWxrCmsDTCW8WYngBM8=
MIME-Version: 1.0
Received: by 10.227.204.208 with SMTP id fn16mr2345409wbb.6.1323188226740; Tue, 06 Dec 2011 08:17:06 -0800 (PST)
Sender: n.mavrogiannopoulos@gmail.com
Received: by 10.180.4.72 with HTTP; Tue, 6 Dec 2011 08:17:06 -0800 (PST)
In-Reply-To: <cf07c3568cb7473f31a491e248ed9192.squirrel@www.trepanning.net>
References: <6D345690-D3F1-4A65-8314-D9A7E47D857E@cisco.com> <CAJU7zaJLH2L6W6CjSvAZ0OL6=hqMscqdx_gwg0J0jwOP3Sr=VA@mail.gmail.com> <cf07c3568cb7473f31a491e248ed9192.squirrel@www.trepanning.net>
Date: Tue, 6 Dec 2011 17:17:06 +0100
X-Google-Sender-Auth: sAHidVsJ258ezrZ7lJcRs2J3L7c
Message-ID: <CAJU7zaLZMOB1u9cOTQGyKKq7+dAfVgPoGMPbq2pXfrh8ABag2A@mail.gmail.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Changes to draft-ietf-tls-dtls-heartbeat resulting from IESG review
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2011 16:17:08 -0000

On Mon, Dec 5, 2011 at 6:04 PM, Dan Harkins <dharkins@lounge.org>; wrote:

>>> One of the requested changes was to randomize to the data in the
>>> heartbeat message to attempt to head of any issues occurring from weak
>>> or flawed ciphers.   Since the change was relatively simple, the
>>> document was modified even though modern ciphers should not have a
>>> problem.  Flaws may be discovered in one of the many cipher suites in
>>> the future.
>> Are there any papers or cipher documentation discussing how using
>> randomized data in a packet would solve possible future cipher flaws?
>  Check out "Deterministic Authenticated Encryption"* by Rogaway and
> Shrimpton. It defines a cipher mode for key-wrapping but the proof of
> security (appendix C) is based on the notion of randomized data in the
> packet-- i.e. that part of the data (the key) being wrapped is random.

Indeed, but this is not a generic encryption mode like CBC or CTR. It
is specifically designed to encrypt random keys, and thus depends on
its randomness. Typical encryption modes are specifically designed to
prevent someone distinguishing a given plaintext encryption from a
random one.

Now, if one would like to use a subliminal channel in TLS, the
heartbeat extension now provides an unbounded channel.

regards,
Nikos