Re: [TLS] Encrypt-then-HMAC is the only credible choice. Here's why:

Robert Ransom <rransom.8774@gmail.com> Fri, 15 November 2013 19:43 UTC

Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8D4611E81C4 for <tls@ietfa.amsl.com>; Fri, 15 Nov 2013 11:43:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xg3W178TIfmX for <tls@ietfa.amsl.com>; Fri, 15 Nov 2013 11:43:18 -0800 (PST)
Received: from mail-qa0-x236.google.com (mail-qa0-x236.google.com [IPv6:2607:f8b0:400d:c00::236]) by ietfa.amsl.com (Postfix) with ESMTP id 83F3D11E812F for <tls@ietf.org>; Fri, 15 Nov 2013 11:42:52 -0800 (PST)
Received: by mail-qa0-f54.google.com with SMTP id j7so812593qaq.13 for <tls@ietf.org>; Fri, 15 Nov 2013 11:42:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Hr61sLhUaAXDCrlHHXMJCLH+rqcX7dkHEZGBVb7A0QU=; b=qBFJU4+SR62hba/mMFEvdrl9r0uay5VaTHmfzjxb5QHZo/4XuQWZz/2UgQ2392vi1o 9PNE2o0NWPrKpq1+uqrA/cm86EDTLlZlyDiR4Vkn2vABw/QXGVKAhAIAxRf9rMNgIx1s iSpUuT5lWaXpOtHfr2KEZgQdFRwPmCI1Zvqox5juUIIUZq9CCB9FmBiax7/3v/mHwLFI R3h5YJQTKDTtxlXbsrzRXxQ1GePFa0fTFUY5cHyOZ44Q8ujxBdP2mosWdkldktyy8i+m AKQqs5fwybQUlcJYql5KluOmCDtMW7q3wTC0y00RXdjBVgSmEYArixIP4d1JSviPhJ4t /bYQ==
MIME-Version: 1.0
X-Received: by 10.229.54.65 with SMTP id p1mr13546191qcg.18.1384544571988; Fri, 15 Nov 2013 11:42:51 -0800 (PST)
Received: by 10.229.8.3 with HTTP; Fri, 15 Nov 2013 11:42:51 -0800 (PST)
In-Reply-To: <c8943847aecd44c29540bd198794746b@BY2PR03MB074.namprd03.prod.outlook.com>
References: <c8943847aecd44c29540bd198794746b@BY2PR03MB074.namprd03.prod.outlook.com>
Date: Fri, 15 Nov 2013 11:42:51 -0800
Message-ID: <CABqy+spWjsgAbc+s7BsEcwJ9hd=qZ2SVO55e9mnW1z1ECTjf=w@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Marsh Ray <maray@microsoft.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-HMAC is the only credible choice. Here's why:
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Nov 2013 19:43:19 -0000

On 11/14/13, Marsh Ray <maray@microsoft.com> wrote:

> HMAC uses a double invocation of the full hash function each of which is
> initialized with a secret key. There's some pretty well respected proven
> properties on the security of HMAC.

Are these properties proved for all iterative hash functions, or only
for hash functions with the same general structure (block cipher in
feedforward mode) as MD5 and the pre-SHA-3 NSA hash functions?


> Additionally, the concern (D) is raised that an attacker who completely
> succeeds with (C) may then be able to "reach back through" several
> additional layers of HMAC in the TLS PRF in order to derive one or both of
> the cipher keys allowing full decryption of the protocol stream.
>
> To be clear, I say "reach back through" because I don't think there is
> actually a name for this attack model. Even if we were just talking about a
> hash function instead of HMAC, this is an attack capability *beyond* primary
> preimage. Primary preimage is "given h(M), find M' such that h(M') = h(M)",
> whereas this attack is: "given h(M), find M"!

I call that a “preimage recovery attack”.  I don't think that name is
standard, but it is an accurate description of the attack.


> The thing to worry about is block cipher modes' propensity to turn into
> plaintext oracles. This has been demonstrated as a practical attack on over
> and over again.

This is the most important point, and it's already being ignored (again).


> * Use encrypt-then-HMAC. Seriously. Yes really. No other choice is
> defensible in this age. If you think "oh but GCM" look more closely into its
> design.

There are plenty of other defensible choices for a MAC.

GCM has some bad design features, but its MAC is the good part (at
least for implementations with hardware support for multiplication in
GF(2)[X]).

Poly1305 (as used in draft-agl-chacha20-poly1305-03) is faster than
HMAC, and almost as secure.

SipHash is faster than Poly1305, and as secure as an HMAC truncated to
64 bits.  I don't expect it to be used in TLS, but it's certainly good
enough for voice communication protocols over UDP.

With a good hash function (one which does not permit the
length-extension attack), such as any of the SHA-3 finalists, H(k, m)
is a good MAC.


Robert Ransom