IETF Logo Mail Archive

Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sun, 10 November 2013 20:40 UTC

Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DD8B21E8147 for <tls@ietfa.amsl.com>; Sun, 10 Nov 2013 12:40:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yzyRi-24-drr for <tls@ietfa.amsl.com>; Sun, 10 Nov 2013 12:40:19 -0800 (PST)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe001.messaging.microsoft.com [216.32.180.11]) by ietfa.amsl.com (Postfix) with ESMTP id 7B0E321E809D for <tls@ietf.org>; Sun, 10 Nov 2013 12:40:18 -0800 (PST)
Received: from mail53-va3-R.bigfish.com (10.7.14.252) by VA3EHSOBE008.bigfish.com (10.7.40.28) with Microsoft SMTP Server id 14.1.225.22; Sun, 10 Nov 2013 20:39:59 +0000
Received: from mail53-va3 (localhost [127.0.0.1]) by mail53-va3-R.bigfish.com (Postfix) with ESMTP id CF3ED2E048B; Sun, 10 Nov 2013 20:39:59 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.249.149; KIP:(null); UIP:(null); IPV:NLI; H:AM2PRD0311HT001.eurprd03.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -24
X-BigFish: PS-24(zzbb2dIdb82h98dI9371I1432Izz1f42h208ch1ee6h1de0h1d18h1fdah2073h2146h1202h1e76h1d1ah1d2ah1fc6hzz1de098h1033IL17326ah8275bh8275dh1de097h186068hz2dh109h2a8h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah2222h224fh1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1fe8h1ff5h209eh2216h1155h)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(51704005)(189002)(199002)(377454003)(24454002)(479174003)(56776001)(81542001)(59766001)(81816001)(81342001)(69226001)(76482001)(54316002)(561944002)(87936001)(2656002)(85306002)(74706001)(77982001)(74366001)(77096001)(83072001)(4396001)(19580405001)(50986001)(36756003)(81686001)(47736001)(47976001)(49866001)(53806001)(15202345003)(54356001)(76176001)(46102001)(19580395003)(51856001)(87266001)(76796001)(74502001)(83322001)(66066001)(74662001)(80022001)(74876001)(63696002)(31966008)(65816001)(56816003)(80976001)(74482001)(47446002)(76786001)(83506001)(15975445006)(79102001); DIR:OUT; SFP:; SCL:1; SRVR:DBXPR03MB288; H:DBXPR03MB287.eurprd03.prod.outlook.com; CLIP:80.42.233.244; FPR:; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail53-va3 (localhost.localdomain [127.0.0.1]) by mail53-va3 (MessageSwitch) id 1384115997480084_17328; Sun, 10 Nov 2013 20:39:57 +0000 (UTC)
Received: from VA3EHSMHS042.bigfish.com (unknown [10.7.14.232]) by mail53-va3.bigfish.com (Postfix) with ESMTP id 65BD62C01EE; Sun, 10 Nov 2013 20:39:57 +0000 (UTC)
Received: from AM2PRD0311HT001.eurprd03.prod.outlook.com (157.56.249.149) by VA3EHSMHS042.bigfish.com (10.7.99.52) with Microsoft SMTP Server (TLS) id 14.16.227.3; Sun, 10 Nov 2013 20:39:57 +0000
Received: from DBXPR03MB288.eurprd03.prod.outlook.com (10.242.142.153) by AM2PRD0311HT001.eurprd03.prod.outlook.com (10.255.162.36) with Microsoft SMTP Server (TLS) id 14.16.371.2; Sun, 10 Nov 2013 20:39:56 +0000
Received: from DBXPR03MB287.eurprd03.prod.outlook.com (10.242.142.150) by DBXPR03MB288.eurprd03.prod.outlook.com (10.242.142.153) with Microsoft SMTP Server (TLS) id 15.0.815.6; Sun, 10 Nov 2013 20:39:37 +0000
Received: from DBXPR03MB287.eurprd03.prod.outlook.com ([169.254.7.84]) by DBXPR03MB287.eurprd03.prod.outlook.com ([169.254.7.200]) with mapi id 15.00.0815.000; Sun, 10 Nov 2013 20:39:37 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>, Michael D'Errico <mike-list@pobox.com>
Thread-Topic: [TLS] Encrypt-then-MAC again (was Re: padding bug)
Thread-Index: AQHO3lQ7mnUaIIfFcEaCeS9k+sy2l5oe7UAA
Date: Sun, 10 Nov 2013 20:39:36 +0000
Message-ID: <CEA59E7E.E9C5%kenny.paterson@rhul.ac.uk>
In-Reply-To: <CACsn0c=up8rP39cHfbxe-HAyFUszW60i_5dvoVY8gdmD=T6dYg@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.8.130913
x-originating-ip: [80.42.233.244]
x-forefront-prvs: 0026334A56
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C04F8CE82E99794E821B28FDF04B6B6C@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Nov 2013 20:40:25 -0000

Michael,

I posted on this back in September
(http://www.ietf.org/mail-archive/web/tls/current/msg09824.html). Let me
restate what I wrote then:

"I briefly reviewed the literature for the state-of-the-art on attacks
against HMAC-H for hash algorithm "H". (See for example
http://www.di.ens.fr/~fouque/pub/crypto07b.pdf, and later papers by L.
Wang et al. at Eurocrypt 2008, by X. Wang et al. at Eurocrypt 2009, plus
more recent work, e.g. Peyrin et al. at Asiacrypt 2012.)

In TLS, we essentially have H = MD5, SHA-1 or SHA-256.  In view of the
literature, of these, I'd recommend deprecating MD5 as the hash if
Approach #2 were to be adopted: current attacks do not seriously threaten
it, but taking a fairly conservative approach seems appropriate here."



To summarise: the currently known attacks on MD5 do not have significant
consequences for the security of HMAC-MD5 in the TLS context.

So the issue you raise should not be holding things up.

Cheers

Kenny 


On 10/11/2013 20:33, "Watson Ladd" <watsonbladd@gmail.com> wrote:

>On Sun, Nov 10, 2013 at 12:28 PM, Michael D'Errico <mike-list@pobox.com>
>wrote:
>> In trying to figure out what's stalling the encrypt-then-mac draft
>> I came across this old message (below).  The complaint against the
>> draft appears to be that since the MAC is no longer encrypted, there
>> may be a way to recover the secret HMAC key.  HMAC-MD5 is mentioned
>> as the problem, so I checked to see which cipher suites use it.
>Who thinks this is a real problem? If the MAC is weak it shouldn't be
>used,
>end of story. We have a real issue burning people now, and the
>argument against it is
>something that won't be an issue for a while, and only affects people
>with their head in the
>sand.
>I say we publish it.
>>
>> The 13 cipher suites using MD5 are:
>>
>>   A     0001    TLS_RSA_WITH_NULL_MD5
>>   B     0003    TLS_RSA_EXPORT_WITH_RC4_40_MD5
>>   C     0004    TLS_RSA_WITH_RC4_128_MD5
>>   D     0006    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>>   E     0017    TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
>>   F     0018    TLS_DH_anon_WITH_RC4_128_MD5
>>   G     0022    TLS_KRB5_WITH_DES_CBC_MD5
>>   H     0023    TLS_KRB5_WITH_3DES_EDE_CBC_MD5
>>   I     0024    TLS_KRB5_WITH_RC4_128_MD5
>>   J     0025    TLS_KRB5_WITH_IDEA_CBC_MD5
>>   K     0029    TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
>>   L     002A    TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
>>   M     002B    TLS_KRB5_EXPORT_WITH_RC4_40_MD5
>>
>> Eight of these (A, B, D, E, G, K, L, and M) are considered trivially
>> breakable; F allows for a MitM; J uses the deprecated IDEA cipher;
>> and C and I use RC4 which we now know is completely broken.
>>
>> That leaves only one cipher suite to possibly be concerned about:
>>
>>   H     0023    TLS_KRB5_WITH_3DES_EDE_CBC_MD5
>>
>> Do we really want to hold up the encrypt-then-mac draft any longer
>> because of this one Kerberos/triple-DES/MD5 cipher suite?
>No.
>>
>> Mike
>>
>Sincerely,
>Watson Ladd
>>
>>
>>
>> Nikos Mavrogiannopoulos wrote:
>>>
>>> On 09/08/2013 04:59 AM, Peter Saint-Andre wrote:
>>>
>>>>> As I recall there were three proposals for resolving the padding
>>>>> bug in TLS
>>>>> 1.       An extension for Pad First (i.e. padding before an
>>>>> otherwise standard TLS mode of operation)
>>>>> 2.       An extension for Encrypt-then-MAC (i.e. this draft)
>>>>> 3.       The replacement of each existing cipher suite with an
>>>>> equivalent AEAD one
>>>>> Was any consensus achieved as to the best approach?
>>>>
>>>> I never saw further discussion on this topic. Are there I-Ds for each
>>>> approach? #3 seems onerous to me (and doubling the number of cipher
>>>> suites doesn't seem like a desirable outcome), and as far as I can
>>>> tell there's no specification for #1. Although I am not a TLS expert,
>>>> the Encrypt-then-MAC I-D referenced above seems reasonable, it neatly
>>>> solves a real-world problem, and we have running code; thus IMHO
>>>> formalization of this approach deserves to be considered in the WG.
>>>
>>>
>>> It is important when trying to solve an issue not to introduce new
>>> issues. The current proposal for #2 unfortunately does not take into
>>> account known counter-measures for key recovery attacks in MACs (see
>>>[0]).
>>>
>>> regards,
>>> Nikos
>>>
>>> [0]. http://www.ietf.org/mail-archive/web/tls/current/msg09520.html
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>
>
>
>-- 
>"Those who would give up Essential Liberty to purchase a little
>Temporary Safety deserve neither  Liberty nor Safety."
>-- Benjamin Franklin
>_______________________________________________
>TLS mailing list
>TLS@ietf.org
>https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email