Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

Peter Gutmann <> Wed, 25 September 2013 10:30 UTC

From: Peter Gutmann <>
Date: Wed, 25 Sep 2013 10:30:12 +0000

Eric Rescorla <> writes:

>Do you think you could address the questions I asked below?

Sorry, given the email avalanche recently and the fact that I wasn't sure what
the questions were getting at, I'd put them in the TODO list.

> - Because this draft relies on extensions, it seems not to resist
>   active attack when clients do insecure version fallback
>   (see for instance:

Right, but given that the problem is broken clients I'm not sure what the
issue is.  Anything that falls back to older, less secure versions of
protocols is going to be vulnerable to things that the newer protocols fix.

> - Maybe I am misreading the draft, but I'm unclear on how you get
>    the TLSCompressed.length for the MAC computation in Section 3.
>    Does this have the same issue as was raised for McGrew's CBC AEAD
>    draft?

What was the issue raised for the AEAD draft?  Since I'm not sure what the
question is asking, the only real response I can give is that there are a number
of implementations out there that interoperated without problems, so whatever
the perceived problem is, it doesn't seem to be much of an issue.
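The length question in the quoted exchange is about which length field the receiver can feed into the MAC before it has decrypted anything. The following is an added example, written for this page and not taken from the draft or from either poster; it builds a toy TLS-style record layer in Python so the two constructions can be run side by side. Under RFC 5246 MAC-then-encrypt the MAC input uses TLSCompressed.length, which the receiver only learns after decrypting and stripping the padding; under encrypt-then-MAC the MAC input uses the length of the ciphertext, which is visible on the wire, so a bad record can be rejected before any decryption or padding check. Assumptions not from the page: the block cipher is a 4-round HMAC-based Feistel stand-in for AES, the MAC'd length is taken to cover the encrypted portion but not the MAC itself, and the keys, IV and sample record are constructed test values.

```python
# Added example: toy TLS-style record layer comparing MAC-then-encrypt (RFC 5246 CBC)
# with encrypt-then-MAC. Cipher, keys and sample data are stand-ins, not draft code.
import hashlib
import hmac
import struct

BLOCK = 16        # cipher block size in bytes
MAC_LEN = 32      # HMAC-SHA256 output length
STATS = {"cbc_decrypt_calls": 0}   # instrumentation: how often a receiver had to decrypt

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Feistel round function: keyed PRF truncated to half a block (toy cipher, assumed).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, data):
    STATS["cbc_decrypt_calls"] += 1
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out

def tls_pad(data):
    # TLS CBC padding: n+1 trailing bytes, each holding the value n.
    n = BLOCK - (len(data) + 1) % BLOCK
    return data + bytes([n]) * (n + 1)

def tls_unpad(data):
    n = data[-1]
    if len(data) < n + 1 or data[-(n + 1):] != bytes([n]) * (n + 1):
        raise ValueError("bad padding")
    return data[:-(n + 1)]

def _mac(key, seq, ctype, version, length, body):
    # seq_num || type || version || length || body, the TLS MAC input layout.
    hdr = struct.pack("!QBHH", seq, ctype, version, length)
    return hmac.new(key, hdr + body, hashlib.sha256).digest()

def mte_seal(ek, mk, seq, ctype, version, iv, content):
    # RFC 5246 style: MAC over TLSCompressed.length and plaintext, then encrypt both.
    mac = _mac(mk, seq, ctype, version, len(content), content)
    body = iv + cbc_encrypt(ek, iv, tls_pad(content + mac))
    return struct.pack("!BHH", ctype, version, len(body)) + body

def mte_open(ek, mk, seq, record):
    ctype, version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    # TLSCompressed.length is only known after decrypting and stripping the padding.
    plain = tls_unpad(cbc_decrypt(ek, body[:BLOCK], body[BLOCK:]))
    content, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(mk, seq, ctype, version, len(content), content)):
        raise ValueError("bad_record_mac")
    return content

def etm_seal(ek, mk, seq, ctype, version, iv, content):
    # Encrypt-then-MAC: MAC over the ciphertext length (assumed here to exclude the
    # MAC itself) and the ciphertext; both are visible to the receiver on the wire.
    ct = iv + cbc_encrypt(ek, iv, tls_pad(content))
    mac = _mac(mk, seq, ctype, version, len(ct), ct)
    return struct.pack("!BHH", ctype, version, len(ct) + MAC_LEN) + ct + mac

def etm_open(ek, mk, seq, record):
    ctype, version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    ct, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(mk, seq, ctype, version, len(ct), ct)):
        raise ValueError("bad_record_mac")   # rejected before any decryption or padding check
    return tls_unpad(cbc_decrypt(ek, ct[:BLOCK], ct[BLOCK:]))

def demo():
    """Flip one ciphertext bit and report (error, decrypt calls) for each receiver."""
    ek, mk, iv = b"E" * 16, b"M" * 16, b"\x01" * 16          # constructed test keys/IV
    content = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed sample record
    results = {}
    for name, seal, open_ in (("mte", mte_seal, mte_open), ("etm", etm_seal, etm_open)):
        rec = bytearray(seal(ek, mk, 7, 23, 0x0303, iv, content))
        assert open_(ek, mk, 7, bytes(rec)) == content       # untampered round trip
        rec[5 + BLOCK] ^= 0x01                               # first ciphertext block, not the IV
        STATS["cbc_decrypt_calls"] = 0
        try:
            open_(ek, mk, 7, bytes(rec))
            err = None
        except ValueError as e:
            err = str(e)
        results[name] = (err, STATS["cbc_decrypt_calls"])
    return results

if __name__ == "__main__":
    print(demo())   # {'mte': ('bad_record_mac', 1), 'etm': ('bad_record_mac', 0)}
```

The tampered byte sits in the first ciphertext block so that, under MAC-then-encrypt, the padding block survives intact and the receiver gets all the way through decryption and padding removal before the MAC finally fails; under encrypt-then-MAC the same record is refused with zero decryption calls, because every field in the MAC input, including the length, was already in hand.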