Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
Watson Ladd <watsonbladd@gmail.com> Thu, 05 December 2013 16:15 UTC
On Wed, Dec 4, 2013 at 10:06 PM, Martin Rex <mrex@sap.com> wrote:
<snip>
>
> The fragility of GCM worries me personally much more than the
> attack surface of mac-pad-encrypt, e.g.
>
> Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes
> Markku-Juhani O. Saarinen
> http://eprint.iacr.org/2011/202.pdf

What on earth convinced you this paper presented an interesting result?
Why is this forgery more interesting than all the other forgeries?
If you had bothered to do more research you would see that in the GCM
standardization process this came up, and was appropriately responded to with
"that doesn't change the security claim, and isn't interesting at all"
(paraphrasing).

Mac-pad-encrypt reveals plaintext data. The above doesn't do anything because
if you pick a key uniformly at random the probability a forgery succeeds is
the probability q(x) has a root at k, which is bounded by things like being
in a field. (Figure it out as an exercise in elementary algebra)
It doesn't matter what form q(x) has.

If you think the above is more worrying than mac-pad-encrypt, you shouldn't
be commenting on cryptography.

Sincerely,
Watson Ladd

>
>
> -Martin
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
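The root-counting argument in the message above, as an added example that is not part of the original post: a toy polynomial MAC over GF(257) (an assumption; GHASH uses GF(2^128)) with every key enumerated, showing that a structured block-swap difference polynomial still verifies for at most deg(q) keys. The sample message and all function names are constructed for illustration.

```python
# Added illustration (not from the thread): toy polynomial MAC over GF(P).
# P = 257 is an assumption so that every key can be enumerated; GHASH uses
# GF(2^128), where the same root-counting bound applies.
P = 257

def poly_eval(blocks, k):
    """Horner evaluation of sum(blocks[i] * k^(i+1)) mod P."""
    acc = 0
    for b in reversed(blocks):
        acc = (acc + b) * k % P
    return acc

def winning_keys(msg, forged, tag_delta=0):
    """Keys for which (forged, tag + tag_delta) verifies, given a valid (msg, tag).

    The one-time mask added to the tag cancels, so the forgery verifies exactly
    when q(k) = 0 for q(x) = poly(forged) - poly(msg) - tag_delta.
    """
    return [k for k in range(P)
            if (poly_eval(forged, k) - poly_eval(msg, k) - tag_delta) % P == 0]

def degree_bound(msg, forged):
    """A nonzero q has degree at most the longer block count, hence that many roots."""
    return max(len(msg), len(forged))

def report(msg, forged, tag_delta=0):
    """Return (number of winning keys, degree bound) for one forgery attempt."""
    roots = winning_keys(msg, forged, tag_delta)
    bound = degree_bound(msg, forged)
    assert len(roots) <= bound, "a nonzero polynomial over a field cannot do this"
    return len(roots), bound

# Constructed sample message: nine blocks, each an element of GF(257).
MSG = [3, 1, 4, 1, 5, 9, 2, 6, 5]

# Attempt 1: change a single block. q(x) = x^5, whose only root is k = 0.
ONE_BLOCK = MSG[:4] + [6] + MSG[5:]

# Attempt 2: swap blocks 1 and 9. q(x) = 2x(1 - x^8); since 8 divides P - 1,
# all eight 8th roots of unity are roots, plus k = 0. Structured, yet still
# only deg(q) = 9 keys out of 257.
SWAPPED = [MSG[8]] + MSG[1:8] + [MSG[0]]

if __name__ == "__main__":
    for name, forged in (("one block", ONE_BLOCK), ("swap", SWAPPED)):
        n, bound = report(MSG, forged)
        print(f"{name}: {n} winning keys, bound {bound}, probability <= {bound}/{P}")
```

The swap case meets the degree bound exactly but cannot exceed it, which is why the bound scales with message length over field size rather than with the shape of q(x).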