IETF Logo Mail Archive

Re: [TLS] TLS1.3

mrex@sap.com (Martin Rex) Fri, 08 February 2013 19:04 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F342021F88CA for <tls@ietfa.amsl.com>; Fri, 8 Feb 2013 11:04:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.307
X-Spam-Level:
X-Spam-Status: No, score=-10.307 tagged_above=-999 required=5 tests=[AWL=-0.058, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jhnxp-T0C9ec for <tls@ietfa.amsl.com>; Fri, 8 Feb 2013 11:04:16 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id D0CC621F882A for <tls@ietf.org>; Fri, 8 Feb 2013 11:04:14 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r18J444l023992 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 8 Feb 2013 20:04:04 +0100 (MET)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73333FEAF0@uxcn10-2.UoA.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Fri, 08 Feb 2013 20:04:04 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20130208190404.9D00B1A52E@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2013 19:04:17 -0000

Peter Gutmann wrote:
> "Lewis, Nick" <nick.lewis@usa.g4s.com> writes:
>> 
>>Padding the plain text up to a multiple of the cipher block size (minus the
>>hash size) ahead of doing the MAC is a more modest change that may be more
>>widely applicable to existing cipher suites - with a "pad-then MAC" client
>>hello
> 
> That won't help against the current attack.  The only proper fix for the
> various attacks that target the encryption is to protect everything with the
> MAC, i.e. switch to encrypt-then-MAC.  The definitive reference for this is
> Hugo Krawczyk's "The Order of Encryption and Authentication for Protecting
> Communications (Or: How Secure is SSL?)".

I disagree.  What you're saying is that the countermeasures that
are currently being adopted would not help against the current attack.


I do believe that pad, hash, encrypt would be sufficient (while still being
sensitive about ensuring the same codepath).


Looking at the original Paper from Sergey Vaudenay from 2001:

  http://infoscience.epfl.ch/record/52417/files/IC_TECH_REPORT_200150.pdf

  Section 5.1  SSL/TLS 2nd paragraph  (page 6):

  TLS v1.0 also provides an optional MAC which failed to thwart the attack:
  when the server ¯gures out that the MAC is wrong, it yields the bad_record_mac
  error. However, the message padding is performed after the MAC algorithm, so
  the MAC does not preclude our attack since it cannot be checked before the
  padding in the decryption.

explains that TLS has is susceptible to the timing attack due to
MAC-then-pad, and then describes in

  Section 6.5 CBC-PAD with Integrity Check

  One can propose to add a cryptographic checkable redundancy code
  (crypto-CRC) of the whole padded message (like a hashed value)
  in the plaintext and encrypt

                message|padding|h(message|padding)

  This way, any forged ciphertext will have a negligible probability
  to be accepted as a valid ciphertext. Basically, attackers are no
  longer able to forge valid cipher-texts, so the scheme is virtually
  resistant against chosen ciphertext attacks.

  Obviously it is important to pad before hashing: padding after
  hashing would lead to the a similar attack. The right enciphering
  sequence is thus

                pad, hash, encrypt

  Conversely, the right deciphering sequence consists of decrypting,
  checking the hashed value, then checking the padding value.
  Invalid hashed value must abort the decipherment.


Making the code use the same CPU cycles would definitely _much_ easier
with TLS doing pad-MAC-encrypt, then with the original MAC-pad-encrypt.

I'm actually slightly puzzled why this change was not made in TLSv1.1
along with backwards-incompatible change of the GenericBlockCipher PDU
that added an explicit IV.


-Martin

v2.23.0 | Report a Bug | By Email