IETF Logo Mail Archive

Re: [TLS] TLS1.3

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sun, 10 February 2013 02:52 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02BA521F8581 for <tls@ietfa.amsl.com>; Sat, 9 Feb 2013 18:52:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.053
X-Spam-Level:
X-Spam-Status: No, score=-2.053 tagged_above=-999 required=5 tests=[AWL=-0.054, BAYES_00=-2.599, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L4ogGYdfTE2d for <tls@ietfa.amsl.com>; Sat, 9 Feb 2013 18:52:02 -0800 (PST)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.244]) by ietfa.amsl.com (Postfix) with ESMTP id 1CBAE21F8574 for <tls@ietf.org>; Sat, 9 Feb 2013 18:52:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1360464722; x=1392000722; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=sBNApKAnb/qXBpQd+XsGAWnInNfjUojUab4ABf8SOuM=; b=BtULKedNqEhFiUVER05L2N6faOubTqZh0kJsSHj5SyjjrTYW5dnua0ii 8T3pG9UTcWlaThvg5BQwt/H6v9Ofm+vZV2jkCRoQhBNdw8qpidjS2Scrs nZkv8JV8a25wSqoeICjlCgjU/7cmuedL2ez2l2LVTmgxJhG4dBCTi4z6+ s=;
X-IronPort-AV: E=Sophos;i="4.84,636,1355050800"; d="scan'208";a="169706841"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 10 Feb 2013 15:51:32 +1300
Received: from UXCN10-2.UoA.auckland.ac.nz ([169.254.2.181]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.02.0318.004; Sun, 10 Feb 2013 15:51:32 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] TLS1.3
Thread-Index: Ac4HOYfom6WOGAD6TVephREdBcO15A==
Date: Sun, 10 Feb 2013 02:51:31 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C7333400716@uxcn10-2.UoA.auckland.ac.nz>
Accept-Language: en-GB, en-NZ, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] TLS1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Feb 2013 02:52:04 -0000

Martin Rex <mrex@sap.com> writes:

>Personally, I also feel somewhat uncomfortable with a "radical" change to
>encrypt-then-MAC rather than the simply using the obvious pad-MAC-encrypt, as
>originally suggested by Serge Vaudenay.

It's hardly a radical change, in terms of code complexity (at least in my
code) it came down to (comments and error checking removed) this:

  checkMacTLS( sessionInfoPtr, data, length, length - sessionInfoPtr->authBlocksize, packetType );
  decryptData( sessionInfoPtr, data, length - sessionInfoPtr->authBlocksize, &length );

In other words I swapped two lines of code.

(See my earlier note about what it really entailed, which was creating a
separate code path that removed several hundred lines of kludging to try and
defend against side-channel attacks.  So really it's a two-line swap and
hundreds of lines removed, at least for the encrypt-then-MAC option).

>When the encryption scheme that is used is bijective, then it will not matter
>(to the confidentiality of the encryption) whether AtE or EtA is used, as
>long as authentication covers the exact same information in both cases, i.e.
>*ALL* of it, padding included.

However you do need to to MAC the IV.  If you treat it as part of the
ciphertext then it's trivial, MAC the entire packet in its bits-on-the-wire
form.  If you're MAC'ing the plaintext then you need to special-case the IV
vs. the plaintext and suddenly you're adding all sorts of kludgery to handle
that.  Authenticating the exact bits on the wire is both cleaner conceptually/
security-wise (you're authenticating the exact data that the attacker has
access to, not some bits as seen by the attacker and some bits as seen by you
after further processing), and implementation-wise (you just swap the bits of
code that do auth. vs. encrypt).  To quote Kenny Paterson's recent message:

  It fixes every problem I can conceive of.  And I've thought about the
  analysis of TLS's current MAC-pad-encrypt construction long and hard,
  believe me.

That's pretty unambiguous.

>However, in the EtA scheme, we would have a naked keyed hash.  And would an
>attack on the keyed hash become somehow feasible, that attack might be easier
>on a naked keyed hash than on an encrypted keyed hash.

That's going to be pretty unlikely, if someone can break HMAC then we've got
more serious things to worry about than forging of TLS packets.

Peter.

PS: Still keen to interop-test with anyone else who's made this change :-).

v2.23.0 | Report a Bug | By Email