Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Watson Ladd <watsonbladd@gmail.com> Thu, 05 December 2013 16:15 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63BB81AE0D0 for <tls@ietfa.amsl.com>; Thu, 5 Dec 2013 08:15:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JaiBKI348LMq for <tls@ietfa.amsl.com>; Thu, 5 Dec 2013 08:15:55 -0800 (PST)
Received: from mail-we0-x22e.google.com (mail-we0-x22e.google.com [IPv6:2a00:1450:400c:c03::22e]) by ietfa.amsl.com (Postfix) with ESMTP id A7A981AE0C9 for <tls@ietf.org>; Thu, 5 Dec 2013 08:15:54 -0800 (PST)
Received: by mail-we0-f174.google.com with SMTP id q58so16618752wes.5 for <tls@ietf.org>; Thu, 05 Dec 2013 08:15:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=3icOF1xPxomjfEkvlgPXlWuMlT1SbKF1NWlYaBA0ucY=; b=UOBGUqYvp3KnQPnz07K8/aETs4KQZDeu8lByQMMx8Zz9tWypQbDZ+/cQGVDg/Rjpz2 SLdsX+jOy8GXTtTCE3HGWN4u8oJjBD7v//d2rBaTclslXLlk4splYcpKYMSyMOzZO7u4 FgB8pFPI3OoxA+/S7ofmMN7USr1pDzOsTHKc338MXBlJE6Lr4X2S9HJAMyEqV19OAqjX VXYNFdLXyEPOQihiO7bnCx5jI14dZYl/uLKGHzVav4IZWdYSEMTH4cQtjnyYlg13Hk4Z TnBJOkBuKaLSaMlNWB9KK+B+3kHxrCnPihTlnkQjYjYmleyvlV3CRP0gGcmqEWA+JPoe zLng==
MIME-Version: 1.0
X-Received: by 10.180.10.138 with SMTP id i10mr12791334wib.44.1386260150800; Thu, 05 Dec 2013 08:15:50 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Thu, 5 Dec 2013 08:15:50 -0800 (PST)
In-Reply-To: <20131205060621.F23521AB26@ld9781.wdf.sap.corp>
References: <9A043F3CF02CD34C8E74AC1594475C7365423EC2@uxcn10-6.UoA.auckland.ac.nz> <20131205060621.F23521AB26@ld9781.wdf.sap.corp>
Date: Thu, 5 Dec 2013 08:15:50 -0800
Message-ID: <CACsn0cmbYz7uXMDARGwMT0jO4EaZrRSmRhJVBO+_TFQo1sBRLw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset=UTF-8
Cc: "<tls@ietf.org>" <tls@ietf.org>, Peter Gutmann <p.gutmann@auckland.ac.nz>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 16:15:56 -0000

On Wed, Dec 4, 2013 at 10:06 PM, Martin Rex <mrex@sap.com> wrote:
<snip>
>
> The fragility of GCM worries me personally much more than the
> attack surface of mac-pad-encrypt, e.g.
>
>   Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes
>   Markku-Juhani O. Saarinen
>   http://eprint.iacr.org/2011/202.pdf
What on earth convinced you this paper presented an interesting
result? Why is this forgery more
interesting than all the other forgeries? If you had bothered to do
more research you would see that in the
GCM standardization process this came up, and was appropriately
responded to with "that doesn't change
the security claim, and isn't interesting at all" (paraphrasing).
Mac-pad-encrypt reveals plaintext data. The above doesn't do anything
because if you pick a key uniformly at
random the probability a forgery succeeds is the probability q(x) has
a root at k, which is bounded by things like
being in a field. (Figure it out as an exercise in elementary algebra)
It doesn't matter what form q(x) has.
If you think the above is more worrying than mac-pad-encrypt, you
shouldn't be commenting on cryptography.
Sincerely,
Watson Ladd
>
>
> -Martin
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin