Re: [TLS] padding bug

Alfredo Pironti <alfredo@pironti.eu> Wed, 25 September 2013 10:49 UTC

In-Reply-To: <AAE0766F5AF36B46BAB7E0EFB927320630E4A54283@GBTWK10E001.Technology.local>
References: <AAE0766F5AF36B46BAB7E0EFB927320630E4A54283@GBTWK10E001.Technology.local>
Date: Wed, 25 Sep 2013 12:48:55 +0200
Message-ID: <CALR0uiLmVn7XL6WFZ=nPpU00d32YVtvuGPWxj68HBnZo8zpX2A@mail.gmail.com>
From: Alfredo Pironti <alfredo@pironti.eu>
To: "Lewis, Nick" <nick.lewis@usa.g4s.com>
Cc: "tls@ietf.org" <tls@ietf.org>

On Wed, Sep 25, 2013 at 10:32 AM, Lewis, Nick <nick.lewis@usa.g4s.com> wrote:
> Martin Rex wrote:
>
>> Where I agree is that it would be preferable to limit any fix to the exact
>> problem that has been identified (already by Vaudenay), which is in how
>> SSLv3&TLS use a Blockcipher in CBC mode with "authenticate-pad-encrypt"
>> rather than "pad-authenticate-encrypt".
>
> I agree that the fix should be limited to the exact problem. The fix could
> be a change from AtPtE to PtAtE using a greatly simplified version of
> http://tools.ietf.org/html/draft-pironti-tls-length-hiding-00 without
> the length hiding features.

Indeed, I confirm a strict subset of
http://tools.ietf.org/html/draft-pironti-tls-length-hiding-02
(pointing to the latest version)
fixes the padding bug.

Once the padding bug is fixed according to this draft, my experience
implementing it in GnuTLS and miTLS is that it costs almost nothing to
implement the length-hiding features for the remaining stream and AEAD
ciphers.

Best,
Alfredo
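The two CBC record layouts discussed above, AtPtE (MAC, then pad, then encrypt, as in TLS 1.0-1.2) and PtAtE (pad, then MAC over the padding, then encrypt), as an added illustration that is not part of this thread and does not reproduce the draft's wire format. It assumes a toy HMAC-based Feistel permutation in place of a real block cipher, and constructed keys, IV and content, so it runs offline; `failure_modes` shows why the ordering matters: a receiver that must parse padding before checking the MAC has two distinguishable rejections, while the PtAtE receiver has one.

```python
import hmac, hashlib
BLOCK, MAC_LEN = 16, 32
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
_prf = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()

def _feistel(key, block, rounds):  # toy 16-byte permutation, NOT a real cipher
    # Feistel over HMAC-SHA256 so the example runs offline; reversed rounds invert it.
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, _xor(l, _prf(key, bytes([i]) + r)[:8])
    return r + l
def _cbc(key, iv, data, encrypt):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if encrypt:
            prev = _feistel(key, _xor(blk, prev), range(4)); out += prev
        else:
            out += _xor(_feistel(key, blk, range(3, -1, -1)), prev); prev = blk
    return out
def _pad(data):  # TLS-style padding: n+1 trailing bytes, each equal to n
    n = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([n]) * (n + 1)
def _unpad(data):  # None when the padding is malformed
    n = data[-1]
    return data[:-n - 1] if data[-n - 1:] == bytes([n]) * (n + 1) else None

def seal_atpte(ek, mk, iv, content):  # AtPtE: MAC, pad, then CBC (TLS 1.0-1.2)
    return _cbc(ek, iv, _pad(content + _prf(mk, content)), True)
def open_atpte(ek, mk, iv, ct):
    pt = _unpad(_cbc(ek, iv, ct, False))
    if pt is None:
        return "bad_padding"  # distinguishable from a MAC failure: the oracle
    content, tag = pt[:-MAC_LEN], pt[-MAC_LEN:]
    return content if hmac.compare_digest(tag, _prf(mk, content)) else "bad_mac"
def seal_ptate(ek, mk, iv, content):  # PtAtE: pad, then MAC over content+padding
    padded = _pad(content)  # MAC_LEN is a multiple of BLOCK, so padded+tag aligns
    return _cbc(ek, iv, padded + _prf(mk, padded), True)
def open_ptate(ek, mk, iv, ct):
    pt = _cbc(ek, iv, ct, False)
    padded, tag = pt[:-MAC_LEN], pt[-MAC_LEN:]
    if not hmac.compare_digest(tag, _prf(mk, padded)):
        return "bad_mac"  # every modification fails here, before padding is parsed
    return _unpad(padded)

def failure_modes(seal, open_, content=b"GET / HTTP/1.1\r\n" * 3):
    # Constructed keys/IV; flip one bit per ciphertext block and collect the distinct rejections.
    ek, mk, iv = b"E" * 32, b"M" * 32, b"I" * 16
    ct = seal(ek, mk, iv, content)
    return {open_(ek, mk, iv, ct[:p] + bytes([ct[p] ^ 1]) + ct[p + 1:])
            for p in range(0, len(ct), BLOCK)}
```

Whether the two AtPtE outcomes leak through an alert type or through timing, a receiver that reaches the MAC check only after successful unpadding exposes them; the PtAtE receiver never reaches padding parsing on a modified record.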
