IETF Logo Mail Archive

Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Watson Ladd <watsonbladd@gmail.com> Sat, 30 November 2013 01:23 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F37411AE23D for <tls@ietfa.amsl.com>; Fri, 29 Nov 2013 17:23:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8GXFPgdwvVWp for <tls@ietfa.amsl.com>; Fri, 29 Nov 2013 17:23:04 -0800 (PST)
Received: from mail-we0-x232.google.com (mail-we0-x232.google.com [IPv6:2a00:1450:400c:c03::232]) by ietfa.amsl.com (Postfix) with ESMTP id 403DD1AE067 for <tls@ietf.org>; Fri, 29 Nov 2013 17:23:04 -0800 (PST)
Received: by mail-we0-f178.google.com with SMTP id u57so4180219wes.23 for <tls@ietf.org>; Fri, 29 Nov 2013 17:23:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=PnjaYv5XF4zGEq2lA1MX2QVFOOX//9aBpJet7MGvuds=; b=WFcAurp7Q6e//4U6YgbSanuUbRQkoLrfXYDrNZ0b01lVbwLU8QBX42OXkvLjIQtSLj M8exYMoj93JZJTPcAr2LhmNRf7crL9dFahdWwp48zZrAB0hHJcANZefFLgeJCeZaMvVh V0hH9sdUaLgT955gSRMKdpxmRHsKhDUcqHaMrQdO3imhLoOQRaS5TqmmiWTYIXwgrtGM 2Tiyp/Ofi8sKPNddWkt+yPoR2Edfj1iVLe45Qz2iNYqNF1i16oTdKQ3UkTS62nHtX7cZ IX5/O8mkG0mo3Co+Ho3H0Hprz5HK6iTvHH2TO9ZsJ06Mm9bSHJiMd+4LHY9fcMqmJuCV xvnQ==
MIME-Version: 1.0
X-Received: by 10.180.36.105 with SMTP id p9mr8908088wij.58.1385774582267; Fri, 29 Nov 2013 17:23:02 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Fri, 29 Nov 2013 17:23:02 -0800 (PST)
In-Reply-To: <1385767358.5937.18.camel@aspire.lan>
References: <20131129201714.A6B031AB11@ld9781.wdf.sap.corp> <073259DE-D4EB-4229-945D-97CD5AF50A3C@iki.fi> <1385767358.5937.18.camel@aspire.lan>
Date: Fri, 29 Nov 2013 17:23:02 -0800
Message-ID: <CACsn0ckVhZV=JeQ10Uv9ESLvAO9C9V1or72-DqC6Vjh1cWm7aQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: Peter Gutmann <p.gutmann@auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Nov 2013 01:23:06 -0000

On Fri, Nov 29, 2013 at 3:22 PM, Nikos Mavrogiannopoulos
<nmav@redhat.com> wrote:
> On Fri, 2013-11-29 at 23:38 +0200, Juho Vähä-Herttua wrote:
>
>> > I also dislike (a) making a change to SSLv3/TLSv1.0
>> GenericBlockCipher > processing, but (b) leaving the predictable IV
>> exploited by BEAST > unfixed, and essentially creating two seperate new
>> GenericBlockCipher PDUs, > rather than just a single one for all that
>> fixes all known problems.
>>
>> Ok, this is a valid point I have missed in the discussion. TLSv1.1 is a
>> very small update to TLSv1, so one could always ask why is it not
>> supported better. Is the version number change somehow scary to people?
>
> At the time of TLS 1.1, it was not known that a big number of TLS
> implementations were not able to properly do TLS version negotiation and
> handle gracefully a TLS version downgrade. In gnutls after we added TLS
> 1.1 we realized that enabling it would make the library unable to talk
> to several (prominent at the time) servers. So I presume that this
> compatibility issue and the fact that there was no popular demand (which
> occurred only after the media hype with the beast attack), very few
> bothered to implement it.
>
>> That being said, I would support adding explicit IV to the
>> encrypt-then-mac spec, unless we have reason to think it would slow
>> down adoption. Personally I don't see how a block of random numbers
>> would be too difficult.
>>
>> Nikos, do you think you should combine the pad and the IV in the
>> defined structs? It would fix the BEAST attack at the same time even in
>> SSLv3...
1/n-1 record splitting needs to be implemented anyway, thanks to the
installed base.
>
> Certainly the draft (or any other fix) could require that the TLS 1.1
> explicit IV in CBC ciphersuites is used when used with TLS 1.0 or
> earlier (although, that would make the protocol messier, it looks it
> provides quite some advantages).
>
>> > MAC in the clear is only safe when the MAC algorithm is sufficiently
>> > close to perfect.  We know painfully well that our hash algorithms >
>> are *not* perfect, so I'm against taking chances, in particular > for
>> the GenericBlockCipher PDU.
>> But in a VERY hypothetical case where attacks to some HMAC is found, we
>> would have no idea how it affects TLS without further analysis, using
>> it in a standard way would at least give more information about what is
>> broken. And of course HMAC is not just a hash.
>
> Contrary to popular opinion on this list AtE is a standard way of
> operation with no flaws known unless used with an unauthenticated pad
> (as in TLS). When SSL 3.0 was designed AtE was believed to be the
> conservative approach comparing to EtA.
The passive voice is doing a lot of work here. Bellare and Namparah
showed that EtA is generically secure,
AtE isn't. Rogaway sent out an email in 1995 pleading for EtA in TLS.
"no flaws known"!="proved to be secure"
AtE works only if the encryption and decryption functions are
bijective, as in stream cipher mode. Otherwise you have
an oracle. For CBC you restrict the message space to messages
multiples of the blocksize. But really, this is quibbling about
the color of a fence, rather than building it. Marsh Ray already
addressed these issues to the point where only the most blockheaded
would refuse to listen.

Furthermore, proliferating a mess of extensions and half-assed fixes
makes driving adoption of updates even harder.
The right to proceed is to provide something like a one round
protocol, that is secure, with no options, and sell adoption
on the new features. By making improved security contingent on TLS 1.2
adoption, we screwed ourselves over. But if what
results in a frankenprotocol on top of SSL 3.0, it might be better to
include a IM_OUTTA_HERE cipher which instructs the
recipient to do something sane instead.

Something needs to be done about the issues of TLS. It's clear there
is no consensus on this list, but doing nothing is not an option.
Personally, driving to TLS 1.2 avoids the need to deploy a long series
of patches, as well as design fixes and analyze them.
>
> regards,
> Nikos
Sincerely,
Watson Ladd
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email