Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sun, 10 November 2013 20:40 UTC
Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DD8B21E8147 for <tls@ietfa.amsl.com>; Sun, 10 Nov 2013 12:40:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yzyRi-24-drr for <tls@ietfa.amsl.com>; Sun, 10 Nov 2013 12:40:19 -0800 (PST)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe001.messaging.microsoft.com [216.32.180.11]) by ietfa.amsl.com (Postfix) with ESMTP id 7B0E321E809D for <tls@ietf.org>; Sun, 10 Nov 2013 12:40:18 -0800 (PST)
Received: from mail53-va3-R.bigfish.com (10.7.14.252) by VA3EHSOBE008.bigfish.com (10.7.40.28) with Microsoft SMTP Server id 14.1.225.22; Sun, 10 Nov 2013 20:39:59 +0000
Received: from mail53-va3 (localhost [127.0.0.1]) by mail53-va3-R.bigfish.com (Postfix) with ESMTP id CF3ED2E048B; Sun, 10 Nov 2013 20:39:59 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.249.149; KIP:(null); UIP:(null); IPV:NLI; H:AM2PRD0311HT001.eurprd03.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -24
X-BigFish: PS-24(zzbb2dIdb82h98dI9371I1432Izz1f42h208ch1ee6h1de0h1d18h1fdah2073h2146h1202h1e76h1d1ah1d2ah1fc6hzz1de098h1033IL17326ah8275bh8275dh1de097h186068hz2dh109h2a8h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah2222h224fh1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1fe8h1ff5h209eh2216h1155h)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(51704005)(189002)(199002)(377454003)(24454002)(479174003)(56776001)(81542001)(59766001)(81816001)(81342001)(69226001)(76482001)(54316002)(561944002)(87936001)(2656002)(85306002)(74706001)(77982001)(74366001)(77096001)(83072001)(4396001)(19580405001)(50986001)(36756003)(81686001)(47736001)(47976001)(49866001)(53806001)(15202345003)(54356001)(76176001)(46102001)(19580395003)(51856001)(87266001)(76796001)(74502001)(83322001)(66066001)(74662001)(80022001)(74876001)(63696002)(31966008)(65816001)(56816003)(80976001)(74482001)(47446002)(76786001)(83506001)(15975445006)(79102001); DIR:OUT; SFP:; SCL:1; SRVR:DBXPR03MB288; H:DBXPR03MB287.eurprd03.prod.outlook.com; CLIP:80.42.233.244; FPR:; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail53-va3 (localhost.localdomain [127.0.0.1]) by mail53-va3 (MessageSwitch) id 1384115997480084_17328; Sun, 10 Nov 2013 20:39:57 +0000 (UTC)
Received: from VA3EHSMHS042.bigfish.com (unknown [10.7.14.232]) by mail53-va3.bigfish.com (Postfix) with ESMTP id 65BD62C01EE; Sun, 10 Nov 2013 20:39:57 +0000 (UTC)
Received: from AM2PRD0311HT001.eurprd03.prod.outlook.com (157.56.249.149) by VA3EHSMHS042.bigfish.com (10.7.99.52) with Microsoft SMTP Server (TLS) id 14.16.227.3; Sun, 10 Nov 2013 20:39:57 +0000
Received: from DBXPR03MB288.eurprd03.prod.outlook.com (10.242.142.153) by AM2PRD0311HT001.eurprd03.prod.outlook.com (10.255.162.36) with Microsoft SMTP Server (TLS) id 14.16.371.2; Sun, 10 Nov 2013 20:39:56 +0000
Received: from DBXPR03MB287.eurprd03.prod.outlook.com (10.242.142.150) by DBXPR03MB288.eurprd03.prod.outlook.com (10.242.142.153) with Microsoft SMTP Server (TLS) id 15.0.815.6; Sun, 10 Nov 2013 20:39:37 +0000
Received: from DBXPR03MB287.eurprd03.prod.outlook.com ([169.254.7.84]) by DBXPR03MB287.eurprd03.prod.outlook.com ([169.254.7.200]) with mapi id 15.00.0815.000; Sun, 10 Nov 2013 20:39:37 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>, Michael D'Errico <mike-list@pobox.com>
Thread-Topic: [TLS] Encrypt-then-MAC again (was Re: padding bug)
Thread-Index: AQHO3lQ7mnUaIIfFcEaCeS9k+sy2l5oe7UAA
Date: Sun, 10 Nov 2013 20:39:36 +0000
Message-ID: <CEA59E7E.E9C5%kenny.paterson@rhul.ac.uk>
In-Reply-To: <CACsn0c=up8rP39cHfbxe-HAyFUszW60i_5dvoVY8gdmD=T6dYg@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.8.130913
x-originating-ip: [80.42.233.244]
x-forefront-prvs: 0026334A56
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C04F8CE82E99794E821B28FDF04B6B6C@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Nov 2013 20:40:25 -0000
Michael, I posted on this back in September (http://www.ietf.org/mail-archive/web/tls/current/msg09824.html). Let me restate what I wrote then: "I briefly reviewed the literature for the state-of-the-art on attacks against HMAC-H for hash algorithm "H". (See for example http://www.di.ens.fr/~fouque/pub/crypto07b.pdf, and later papers by L. Wang et al. at Eurocrypt 2008, by X. Wang et al. at Eurocrypt 2009, plus more recent work, e.g. Peyrin et al. at Asiacrypt 2012.) In TLS, we essentially have H = MD5, SHA-1 or SHA-256. In view of the literature, of these, I'd recommend deprecating MD5 as the hash if Approach #2 were to be adopted: current attacks do not seriously threaten it, but taking a fairly conservative approach seems appropriate here." To summarise: the currently known attacks on MD5 do not have significant consequences for the security of HMAC-MD5 in the TLS context. So the issue you raise should not be holding things up. Cheers Kenny On 10/11/2013 20:33, "Watson Ladd" <watsonbladd@gmail.com> wrote: >On Sun, Nov 10, 2013 at 12:28 PM, Michael D'Errico <mike-list@pobox.com> >wrote: >> In trying to figure out what's stalling the encrypt-then-mac draft >> I came across this old message (below). The complaint against the >> draft appears to be that since the MAC is no longer encrypted, there >> may be a way to recover the secret HMAC key. HMAC-MD5 is mentioned >> as the problem, so I checked to see which cipher suites use it. >Who thinks this is a real problem? If the MAC is weak it shouldn't be >used, >end of story. We have a real issue burning people now, and the >argument against it is >something that won't be an issue for a while, and only affects people >with their head in the >sand. >I say we publish it. >> >> The 13 cipher suites using MD5 are: >> >> A 0001 TLS_RSA_WITH_NULL_MD5 >> B 0003 TLS_RSA_EXPORT_WITH_RC4_40_MD5 >> C 0004 TLS_RSA_WITH_RC4_128_MD5 >> D 0006 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 >> E 0017 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 >> F 0018 TLS_DH_anon_WITH_RC4_128_MD5 >> G 0022 TLS_KRB5_WITH_DES_CBC_MD5 >> H 0023 TLS_KRB5_WITH_3DES_EDE_CBC_MD5 >> I 0024 TLS_KRB5_WITH_RC4_128_MD5 >> J 0025 TLS_KRB5_WITH_IDEA_CBC_MD5 >> K 0029 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 >> L 002A TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 >> M 002B TLS_KRB5_EXPORT_WITH_RC4_40_MD5 >> >> Eight of these (A, B, D, E, G, K, L, and M) are considered trivially >> breakable; F allows for a MitM; J uses the deprecated IDEA cipher; >> and C and I use RC4 which we now know is completely broken. >> >> That leaves only one cipher suite to possibly be concerned about: >> >> H 0023 TLS_KRB5_WITH_3DES_EDE_CBC_MD5 >> >> Do we really want to hold up the encrypt-then-mac draft any longer >> because of this one Kerberos/triple-DES/MD5 cipher suite? >No. >> >> Mike >> >Sincerely, >Watson Ladd >> >> >> >> Nikos Mavrogiannopoulos wrote: >>> >>> On 09/08/2013 04:59 AM, Peter Saint-Andre wrote: >>> >>>>> As I recall there were three proposals for resolving the padding >>>>> bug in TLS >>>>> 1. An extension for Pad First (i.e. padding before an >>>>> otherwise standard TLS mode of operation) >>>>> 2. An extension for Encrypt-then-MAC (i.e. this draft) >>>>> 3. The replacement of each existing cipher suite with an >>>>> equivalent AEAD one >>>>> Was any consensus achieved as to the best approach? >>>> >>>> I never saw further discussion on this topic. Are there I-Ds for each >>>> approach? #3 seems onerous to me (and doubling the number of cipher >>>> suites doesn't seem like a desirable outcome), and as far as I can >>>> tell there's no specification for #1. Although I am not a TLS expert, >>>> the Encrypt-then-MAC I-D referenced above seems reasonable, it neatly >>>> solves a real-world problem, and we have running code; thus IMHO >>>> formalization of this approach deserves to be considered in the WG. >>> >>> >>> It is important when trying to solve an issue not to introduce new >>> issues. The current proposal for #2 unfortunately does not take into >>> account known counter-measures for key recovery attacks in MACs (see >>>[0]). >>> >>> regards, >>> Nikos >>> >>> [0]. http://www.ietf.org/mail-archive/web/tls/current/msg09520.html >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls > > > >-- >"Those who would give up Essential Liberty to purchase a little >Temporary Safety deserve neither Liberty nor Safety." >-- Benjamin Franklin >_______________________________________________ >TLS mailing list >TLS@ietf.org >https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Requesting feedback on TACK draft Trevor Perrin
- Re: [TLS] Requesting feedback on TACK draft Peter Gutmann
- Re: [TLS] Requesting feedback on TACK draft Lewis, Nick
- [TLS] padding bug (was: Re: Requesting feedback o… Peter Saint-Andre
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug (was: Re: Requesting feedba… Alfredo Pironti
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Yaron Sheffer
- Re: [TLS] padding bug (was: Re: Requesting feedba… Paterson, Kenny
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Adam Langley
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Nico Williams
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug (was: Re: Requesting feedba… Bodo Moeller
- Re: [TLS] padding bug (was: Re: Requesting feedba… Paterson, Kenny
- Re: [TLS] padding bug Brian Smith
- Re: [TLS] padding bug Martin Rex
- [TLS] Encrypt-then-MAC again (was Re: padding bug) Michael D'Errico
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Michael D'Errico
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ben Laurie
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Bryan C. Geraghty
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- [TLS] Would this fix RC4 again? (was Re: Encrypt-… Michael D'Errico
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Watson Ladd
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Paterson, Kenny
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Nikos Mavrogiannopoulos
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Jacob Appelbaum
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Alex Elsayed
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- [TLS] draft-mavrogiannopoulos-new-tls-padding-00 Martin Rex
- Re: [TLS] draft-mavrogiannopoulos-new-tls-padding… Nikos Mavrogiannopoulos