Re: [TLS] padding bug
"Brian Smith" <brian@briansmith.org> Wed, 25 September 2013 15:29 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70EF411E8119 for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 08:29:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HveteCaUtOpu for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 08:29:18 -0700 (PDT)
Received: from mail-pb0-f51.google.com (mail-pb0-f51.google.com [209.85.160.51]) by ietfa.amsl.com (Postfix) with ESMTP id DF2A721F9D94 for <tls@ietf.org>; Wed, 25 Sep 2013 08:29:05 -0700 (PDT)
Received: by mail-pb0-f51.google.com with SMTP id jt11so6143325pbb.24 for <tls@ietf.org>; Wed, 25 Sep 2013 08:29:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :thread-index:content-language; bh=19nJyesbwYa9ZF7Bi7PjX+243k9U0hxOXpsCmNik2nI=; b=f+zuIWntJZ8CrMJldyidMH2+uNJt2ViHUNNzCATfZJiy6cjSGsGBHH2I3FSvJCrj17 UNqlvP3faYbSfHHPM2eM0H35AANzsw6Cq57gYTlxYn6gsCcdmRs018l9du2F4uZeei+w kMJdrVhXhgWih5WbfGeyaUs3ykuIzx4KhhGexBfuwqiWpXFXsVVTLFjGTtKw/w/3n6rQ E99pxFk9HDmustOjdQOoshiwhhZWLH7FQyhyF0TbP/zrhjq9zzYIkn+daGRVdvD9piDr KG90q/D3Mdnnu91GgkkazbNgWSGjA06pIwNIflY24obxJJAQlGmDHfHC7k35Tcnc9x5t 6iHw==
X-Gm-Message-State: ALoCoQkbTzAJctrmfhaWcx7d7H08IYhFB3KknaDjldmeajQDn2f9I3UcvedJ/EYVCggVdr6aqDLl
X-Received: by 10.67.24.7 with SMTP id ie7mr34419095pad.112.1380122944162; Wed, 25 Sep 2013 08:29:04 -0700 (PDT)
Received: from l7 (v-1045.fw1.sfo1.mozilla.net. [63.245.219.50]) by mx.google.com with ESMTPSA id qw8sm33629508pbb.27.1969.12.31.16.00.00 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 25 Sep 2013 08:29:03 -0700 (PDT)
From: Brian Smith <brian@briansmith.org>
To: 'Adam Langley' <agl@google.com>, 'Ben Laurie' <benl@google.com>
References: <AAE0766F5AF36B46BAB7E0EFB927320630E4A54175@GBTWK10E001.Technology.local> <522BE808.4090405@stpeter.im> <522C6892.4020206@drh-consultancy.co.uk> <522C7FD8.1000301@drh-consultancy.co.uk> <CABrd9SSbv1owOq9RK-OY2YqfUHavpebYCdKUVd6MGSff_MiiWg@mail.gmail.com> <CABcZeBPcvB2i2Xo7ceiybgLUw8KgJz=aJaNWEfTekFY1RdYC7w@mail.gmail.com> <CABrd9SSHzfFH03euDh1yP2AOxa7vQP2ds5EFyPrP-=BqJ7BOMA@mail.gmail.com> <CAL9PXLwXNVusi6n_QwDmLpFL+AtVE41LL0bCOU28BSKWnEMayA@mail.gmail.com>
In-Reply-To: <CAL9PXLwXNVusi6n_QwDmLpFL+AtVE41LL0bCOU28BSKWnEMayA@mail.gmail.com>
Date: Wed, 25 Sep 2013 08:28:59 -0700
Message-ID: <424e01ceba03$f7d7b420$e7871c60$@briansmith.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQCsycyqT0jdzFuUDdBKrUAKAOZvRQHLhofAAO/2YMYA5kMVQAJ0iIFoAgJcbdwCQv2oRgIN6y9nm7cYb2A=
Content-Language: en-us
Cc: tls@ietf.org
Subject: Re: [TLS] padding bug
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2013 15:29:31 -0000
Adam Langley wrote: > The cost of making any change to TLS is mostly equal to any other, > since the bulk of the cost is in deployment. Using an extension to > negotiate encrypt-then-MAC is a simple change, but it still leaves us > with CBC mode. On the other hand, AES-GCM left the station some years > ago and has a clear head start. > > AES-GCM does, currently, depend on TLS 1.2, which is proving to be a > pain to deploy on the public Internet as a client, but we'll get there > soon. > > I don't believe that this change solves the problem for SSLv3 as SSLv3 > doesn't have extensions and so cannot negotiate it. Once AES-GCM is > running I'm hoping to simply define those ciphersuites all the way > down the versions in order to solve version downgrade issues. > > Having an alternative to AES-GCM is certainly valuable, but I don't > want it to be AES-CBC. I think the prior discussion around > Salsa20/Chacha20 and a polynomial MAC is the most promising direction > for that. All of the above matches my position as well. I don't see a lot of long-term future in CBC-based cipher suites within browsers except as a legacy mechanism. For example, we (Mozilla) have already decided not to offer any SHA2- or SHA3- HMAC CBC cipher suites in Firefox, even when we enable TLS 1.2 and even though our TLS implementation already implements SHA256-HMAC cipher suites. Adam's recent changes to NSS and OpenSSL have demonstrated how to implement the existing encrypt-then-MAC construction in a way that addresses the most acute known issues with the current CBC construct in TLS. AES-GCM and soon new side-channel-free AEAD cipher suites (probably based on Salsa/ChaCha) provide alternatives for implementations to avoid the CBC construct altogether. The downgrade issue only affects incorrect implementations of TLS like ours (Firefox and other browsers); I think that the implementers of these problematic products are best off working on a more general solution to the downgrade issue, instead of encouraging more one-off workarounds for it. We should focus our effort in this area to standardizing the side-channel-free AEAD cipher suites and on verifying interoperability of AEAD cipher suites (AES-GCM and new constant-time ones) even when the protocol version negotiated on the wire is less than TLS 1.2. If we can't make that work then we can re-consider our options. > I've no objection to this ID, but nor am I esp excited by it. Though I don't have any intentions to deploy it in Firefox at the current time, I also have no objections to this ID, and in particular I encourage the assignment of an extension ID for it if work is going to continue on it. More generally, I think we should lower the bar for getting an extension ID to "somebody has written a document describing what it means that isn't completely crazy." I am not even sure that the "that isn't completely crazy" qualifier is necessary. WHATWG asks that people register link relations (e.g. "foo" in "<a rel=foo>") by simply editing a wiki, and that hasn't caused any problems in practice. I know there exist TLS implementations that aren't browsers and I am biased towards considering browsers' needs over others. But, I think it is worth considering how likely it is that this will be adopted by browsers when considering if/how to move forward with it. Regarding the particulars of the ID: Section 3.1. (Rehandshake Issues) seems overly complex. I think this extension should be connection-level, not session-level. Imagine a browser that contains a preference that controls whether we support the extension. It would be best if we could create a session with that preference set to one value and then resume that session with the preference set to the opposite value. Also, the Chromium team experienced interop issues due to the negotiated compression algorithm being part of the session state. Based on that experience, I would expect interop similar issues if this were made part of the session state. Section 4 (Security Considerations) would be better if it listed specific ways that the encrypt-then-MAC construct is currently known to be better than state-of-the-art (i.e. Adam's constant time) implementations of the MAC-then-encrypt construct, in the context of TLS's CBC cipher suites. The draft cites Krawczyk's paper for motivation but Krawczyk's paper says that there is nothing to worry about as long as the encryption mode is CBC, right? Cheers, Brian -- Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
- [TLS] Requesting feedback on TACK draft Trevor Perrin
- Re: [TLS] Requesting feedback on TACK draft Peter Gutmann
- Re: [TLS] Requesting feedback on TACK draft Lewis, Nick
- [TLS] padding bug (was: Re: Requesting feedback o… Peter Saint-Andre
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug (was: Re: Requesting feedba… Alfredo Pironti
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Yaron Sheffer
- Re: [TLS] padding bug (was: Re: Requesting feedba… Paterson, Kenny
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Adam Langley
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Nico Williams
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug (was: Re: Requesting feedba… Bodo Moeller
- Re: [TLS] padding bug (was: Re: Requesting feedba… Paterson, Kenny
- Re: [TLS] padding bug Brian Smith
- Re: [TLS] padding bug Martin Rex
- [TLS] Encrypt-then-MAC again (was Re: padding bug) Michael D'Errico
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Michael D'Errico
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ben Laurie
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Bryan C. Geraghty
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- [TLS] Would this fix RC4 again? (was Re: Encrypt-… Michael D'Errico
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Watson Ladd
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Paterson, Kenny
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Nikos Mavrogiannopoulos
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Jacob Appelbaum
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Alex Elsayed
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- [TLS] draft-mavrogiannopoulos-new-tls-padding-00 Martin Rex
- Re: [TLS] draft-mavrogiannopoulos-new-tls-padding… Nikos Mavrogiannopoulos