IETF Logo Mail Archive

Re: [TLS] rfc7366: is encrypt-then-mac implemented?

Manuel Pégourié-Gonnard <mpg@polarssl.org> Wed, 29 October 2014 12:25 UTC

Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B67641A00C2 for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 05:25:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.296
X-Spam-Level: ***
X-Spam-Status: No, score=3.296 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_SUMOF=1, HELO_MISMATCH_COM=0.553, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZvQNgshcPcNb for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 05:25:51 -0700 (PDT)
Received: from vps2.offspark.com (vps2.brainspark.nl [141.138.204.106]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A17091A00B0 for <tls@ietf.org>; Wed, 29 Oct 2014 05:25:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:To:MIME-Version:From:Date:Message-ID; bh=IqfkpOF9DFgnw9WrKT2uoNuLalWdLuckdeE/+aaDXbU=; b=JPRHNAsJ0Gl7kaxYNQiyNJeBePzXDi7XxBwB/LExkYW7EyyMkWxFzyaYD87BsCyYpRwQIkQldNPsBlgiuCzVANPQdwOh64OK+qbpGj6JIEm+MwveBYRnOcUkeI0yUyAZYjDUU8lB6PtjU0AC4Qhu8QjCu2Ke3t3UAwDyqADiDZ0=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.offspark.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1XjSJo-0001IY-Sf; Wed, 29 Oct 2014 13:25:41 +0100
Message-ID: <5450DCC9.3040307@polarssl.org>
Date: Wed, 29 Oct 2014 13:25:45 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Nikos Mavrogiannopoulos <nmav@redhat.com>, "tls@ietf.org" <tls@ietf.org>, Christian Kahlo <christian.kahlo@ageto.net>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <1414071393.2511.16.camel@dhcp-2-127.brq.redhat.com>
In-Reply-To: <1414071393.2511.16.camel@dhcp-2-127.brq.redhat.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.offspark.com)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/HDmurXk3Cs-e53FqwYw8LWEt5Fs
Subject: Re: [TLS] rfc7366: is encrypt-then-mac implemented?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 12:25:52 -0000

Hi,

On 23/10/2014 15:36, Nikos Mavrogiannopoulos wrote:
>  Is there some public server implementing rfc7366? At some point the
> server at eid.vx4.net was sent as one, but it doesn't seem to implement
> the protocol in the published rfc (the NSS people seem to have noticed
> that [0], and my tests agree).
> 
I'm not aware of any other public server implementing RFC 7366, but I'd like to
mention I just implemented it and ran tests against your etm branch, and our
implementations interoperate fine with all the CBC suites we have in common, in
all versions of TLS (I didn't test DTLS yet, though).

My implementation does not interoperate with the one at eid.wx4.net either, when
I enable EtM (fails with a bad_record_mac alert).

I think the use of TLSCipherText.length in RFC 7366 is a bit confusing, since
TLSCipherText is defined in terms of GenericBlockCipher, the very structure that
this RFC is changing. It makes it unclear if the following sentence from RFC
5246 still applies:

   The encrypted data length (TLSCiphertext.length) is one more than the
   sum of SecurityParameters.block_length, TLSCompressed.length,
   SecurityParameters.mac_length, and padding_length.

IMO it should, since moving the MAC outside the encryption does not change the
definition of the final length (though it may change the actual length in case
mac_length is not a multiple of block_length).

I guess the author of the implementation at eid.vx4.net thought otherwise.

Manuel.

v2.23.0 | Report a Bug | By Email