[TLS] Decryption_failed alert in TLS 1.1

<Pasi.Eronen@nokia.com> Thu, 30 April 2009 09:41 UTC

Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 21AB73A68C3 for <tls@core3.amsl.com>; Thu, 30 Apr 2009 02:41:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.466
X-Spam-Level:
X-Spam-Status: No, score=-6.466 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jyjaxy0jBr8P for <tls@core3.amsl.com>; Thu, 30 Apr 2009 02:41:18 -0700 (PDT)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134]) by core3.amsl.com (Postfix) with ESMTP id 39A3B3A6F45 for <tls@ietf.org>; Thu, 30 Apr 2009 02:40:57 -0700 (PDT)
Received: from vaebh106.NOE.Nokia.com (vaebh106.europe.nokia.com [10.160.244.32]) by mgw-mx09.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id n3U9gBlS001437 for <tls@ietf.org>; Thu, 30 Apr 2009 04:42:21 -0500
Received: from vaebh104.NOE.Nokia.com ([10.160.244.30]) by vaebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 30 Apr 2009 12:41:56 +0300
Received: from vaebh101.NOE.Nokia.com ([10.160.244.22]) by vaebh104.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 30 Apr 2009 12:41:51 +0300
Received: from smtp.mgd.nokia.com ([65.54.30.6]) by vaebh101.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Thu, 30 Apr 2009 12:41:46 +0300
Received: from nok-am1mhub-07.mgdnok.nokia.com (65.54.30.14) by NOK-am1MHUB-02.mgdnok.nokia.com (65.54.30.6) with Microsoft SMTP Server (TLS) id 8.1.340.0; Thu, 30 Apr 2009 11:41:46 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by nok-am1mhub-07.mgdnok.nokia.com ([65.54.30.14]) with mapi; Thu, 30 Apr 2009 11:41:46 +0200
From: <Pasi.Eronen@nokia.com>
To: <tls@ietf.org>
Date: Thu, 30 Apr 2009 11:41:45 +0200
Thread-Topic: Decryption_failed alert in TLS 1.1
Thread-Index: AcnJd9/x9Jkejm7KQJi1qtPRd3WAYw==
Message-ID: <808FD6E27AD4884E94820BC333B2DB7727F24D50BE@NOK-EUMSG-01.mgdnok.nokia.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 30 Apr 2009 09:41:46.0799 (UTC) FILETIME=[E0E253F0:01C9C977]
X-Nokia-AV: Clean
Subject: [TLS] Decryption_failed alert in TLS 1.1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Apr 2009 09:41:19 -0000

Hi,

I'm going through unverified errata for various SEC area RFCs,
and came to errata ID 117 for RFC 4346 (TLS 1.1), available
from here:

http://www.rfc-editor.org/errata_search.php?rfc=4346

Currently, Section 7.2.2 of RFC 4346 says:

   bad_record_mac
      This alert is returned if a record is received with an incorrect
      MAC.  This alert also MUST be returned if an alert is sent because
      a TLSCiphertext decrypted in an invalid way: either it wasn't an
      even multiple of the block length, or its padding values, when
      checked, weren't correct.  This message is always fatal.

and then continues:

   decryption_failed
      This alert MAY be returned if a TLSCiphertext decrypted in an
      invalid way: either it wasn't an even multiple of the block
      length, or its padding values, when checked, weren't correct.
      This message is always fatal.

   Note: Differentiating between bad_record_mac and decryption_failed
         alerts may permit certain attacks against CBC mode as used in
         TLS [CBCATT].  It is preferable to uniformly use the
         bad_record_mac alert to hide the specific type of the error.

These two contradict each other; it first says "bad_record_mac MUST be
sent", but then says decryption_failed "MAY be returned", and using
bad_record_mac is "preferable".

Does anyone recall what the intent here was? Early drafts (until -09) 
said "bad_record_mac SHOULD be returned", but that was later changed 
to "MUST". Should the errata fix this to something like this?

   decryption_failed
      This alert was used in TLS 1.0 if a TLSCiphertext decrypted
      in an invalid way. It MUST NOT be sent in TLS 1.1.

(TLS 1.2 is very clear about this; decryption_failed MUST NOT
be sent.)

Best regards,
Pasi