Re: [TLS] TLS1.3

"Lewis, Nick" <nick.lewis@usa.g4s.com> Mon, 11 February 2013 08:45 UTC


>> There is nothing wrong with MAC-then-encrypt,
>
> I disagree. The paper by Bellare and Namprempre from Asiacrypt 2000
> and Hugo Krawczyk's paper from Crypto 2001 both demonstrate good
> reasons to be suspicious of MAC-then-encrypt from a theoretical
> perspective.

The focus of this work was showing that a secure crypt and secure mac could be combined in such a way that the combination was insecure unless Encrypt-then-Mac were used. The reality of TLS though is that there are many MACs in everyday use that are not secure (based on hashes of 80 bits or even 64 bits). These are currently protected from attack by being behind strong (112-bit or 128-bit) crypt. Flipping round crypt and mac for all of TLS would expose these currently "good enough" cipher suites and result in further bad press from collision attacks.

I would be more comfortable with a pre-padding fix for the side-channel attacks (via a TLS extension) and then leave any decisions on flipping of the crypt and mac to a cipher-suite-by-cipher-suite basis when porting each to the AEAD API.

-- Nick
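As an added illustration of the two compositions under discussion (not code from this thread or from any TLS implementation), the sketch below puts MAC-then-encrypt beside Encrypt-then-MAC. It assumes HMAC-SHA256 as the MAC and a PRF-in-counter-mode keystream standing in for the record cipher, and it omits TLS padding; it shows that the EtM tag sits in the clear on the wire while the MtE tag is hidden under the encryption (the exposure the post refers to), and that an EtM receiver rejects a modified record before any decryption takes place.

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 output; the post's worry is about much shorter MACs

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode (HMAC-SHA256 as the PRF) so the example runs on the
    # standard library alone. Stand-in for a real cipher, not what TLS uses.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mac_tag(key_mac: bytes, data: bytes) -> bytes:
    return hmac.new(key_mac, data, hashlib.sha256).digest()

def mte_seal(key_enc: bytes, key_mac: bytes, nonce: bytes, msg: bytes) -> bytes:
    # MAC-then-encrypt (TLS 1.2 style, padding omitted): tag over the plaintext,
    # then msg||tag is encrypted, so the tag never appears on the wire.
    inner = msg + mac_tag(key_mac, msg)
    return _xor(inner, _keystream(key_enc, nonce, len(inner)))

def mte_open(key_enc: bytes, key_mac: bytes, nonce: bytes, wire: bytes) -> bytes:
    # The receiver has to decrypt before it can verify anything.
    inner = _xor(wire, _keystream(key_enc, nonce, len(wire)))
    msg, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac_tag(key_mac, msg)):
        raise ValueError("bad MAC")
    return msg

def etm_seal(key_enc: bytes, key_mac: bytes, nonce: bytes, msg: bytes) -> bytes:
    # Encrypt-then-MAC: tag over the ciphertext, appended in the clear.
    ct = _xor(msg, _keystream(key_enc, nonce, len(msg)))
    return ct + mac_tag(key_mac, ct)

def etm_open(key_enc: bytes, key_mac: bytes, nonce: bytes, wire: bytes) -> bytes:
    ct, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    # Verify first: a forged or modified record is rejected before decryption.
    if not hmac.compare_digest(tag, mac_tag(key_mac, ct)):
        raise ValueError("bad MAC")
    return _xor(ct, _keystream(key_enc, nonce, len(ct)))

def tag_on_wire(wire: bytes) -> bytes:
    # The trailing bytes any observer can read; under EtM this is the real tag.
    return wire[-TAG_LEN:]
```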
