Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt
"Christian Kahlo" <christian.kahlo@ageto.net> Fri, 20 September 2013 16:11 UTC
From: "Christian Kahlo" <christian.kahlo@ageto.net>
To: "'Eric Rescorla'" <ekr@rtfm.com>, <tls@ietf.org>
References: <CABcZeBN+0hX1-cb0V4AyaO3FrwaGrtjbRO3BGOV0KBSjRkNwkw@mail.gmail.com>
In-Reply-To: <CABcZeBN+0hX1-cb0V4AyaO3FrwaGrtjbRO3BGOV0KBSjRkNwkw@mail.gmail.com>
Date: Fri, 20 Sep 2013 18:10:56 +0200
Organization: AGETO Innovation GmbH
Message-ID: <523c738f.0733cc0a.41a0.3096@mx.google.com>
Hi Eric, just as a side note. The German Federal Office for Information Security also had a look at this. See BSI TR-03116-4:

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03116/BSI-TR-03116-4.pdf?__blob=publicationFile

I'm sorry, there is no English translation yet. But it will be translated later.

On page 8, chapter 2.3, "Weitere Vorgaben" / "More specifications", 4th bullet. It reads that Encrypt-then-Mac should be preferred instead of Mac-then-Encrypt.

The reasons are rather simple: GCM is not yet available everywhere. One example is Java/JDK environments without additional crypto providers used with many application servers. Even some other standards bodies like ISO, CEN, BSI, etc. agreed on CBC modes (with or without EtM) as a lowest common factor with TLS. So CBC WILL(!) exist regardless of what you're specifying here. ;-)

There are also at least implementations in our Federal project, OpenSSL, Bouncy Castle and, as I heard, CyaSSL, too.

The discussion isn't about AEAD or not, the discussion is about a protocol design flaw lasting now for more than FOURTEEN YEARS. Just compare it to ISO 7816-4 secure messaging. EtM has been there from the beginning.

Cheers,
Christian

--
Christian Kahlo, Research Manager IT-Security, http://www.ageto.de
c.kahlo@ageto.de, Tel. +49-3641-3678-305, Fax +49-3641-3678-101
AGETO Innovation GmbH, Winzerlaer Straße 2, D-07745 Jena
Managing directors: P. Israel, S. Sauer, S. Scheppe
Commercial register: Amtsgericht Jena, HRB 210399

From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On behalf of Eric Rescorla
Sent: Friday, 20 September 2013 17:53
To: tls@ietf.org
Subject: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

Peter,

After reviewing this document I have a few comments/questions:

- Because this draft relies on extensions, it seems not to resist active attack when clients do insecure version fallback (see for instance: http://www.ietf.org/mail-archive/web/tls/current/msg09468.html). The existing attacks appear to principally be active attacks on the browser environment, which is where fallback tends to happen.

- Maybe I am misreading the draft, but I'm unclear on how you get the TLSCompressed.length for the MAC computation in Section 3. Does this have the same issue as was raised for McGrew's CBC AEAD draft? Am I missing something here?

Thanks,
-Ekr
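The ordering difference this thread is about, as an added example (not code from the list, the draft, or any implementation named above): a record layer in the RFC 5246 MAC-then-encrypt order beside the encrypt-then-MAC layout that RFC 7366, the published form of this draft, settled on (MAC over seq_num, type, version, length, IV and ciphertext). A constructed HMAC-SHA256 keystream stands in for AES-CBC and all keys are constructed; `tamper_results` flips one bit per byte and collects which check rejects the record, showing that MtE exposes two distinguishable failures while EtM rejects every damaged record at the MAC before any decryption.

```python
import hmac, hashlib, struct

# Stand-in cipher (constructed for this example; a real CBC suite uses AES-CBC):
# HMAC-SHA256 keystream XORed over the data, so ciphertext bit flips map 1:1.
def _keystream_xor(key, iv, data):
    ks = b"".join(hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _mac(key, seq, ctype, version, body):
    # TLS MAC input: seq_num || type || version || length || body (13-byte header)
    hdr = struct.pack(">QBHH", seq, ctype, version, len(body))
    return hmac.new(key, hdr + body, hashlib.sha256).digest()

def _pad(data, block=16):            # TLS padding: n+1 bytes, each of value n
    n = block - (len(data) + 1) % block
    return data + bytes([n]) * (n + 1)

def _unpad(data):
    n = data[-1]
    if n + 1 > len(data) or data[-n - 1:] != bytes([n]) * (n + 1):
        raise ValueError("bad padding")
    return data[:-n - 1]

def protect(mk, ek, seq, ctype, version, iv, plaintext, etm):
    if etm:  # RFC 7366: encrypt, then MAC over IV || ciphertext
        ct = _keystream_xor(ek, iv, _pad(plaintext))
        return iv + ct + _mac(mk, seq, ctype, version, iv + ct)
    tag = _mac(mk, seq, ctype, version, plaintext)   # RFC 5246: MAC, then encrypt
    return iv + _keystream_xor(ek, iv, _pad(plaintext + tag))

def unprotect(mk, ek, seq, ctype, version, record, etm):
    iv, rest = record[:16], record[16:]
    if etm:
        ct, tag = rest[:-32], rest[-32:]
        if not hmac.compare_digest(tag, _mac(mk, seq, ctype, version, iv + ct)):
            raise ValueError("bad mac")          # rejected before any decryption
        return _unpad(_keystream_xor(ek, iv, ct))
    # MtE: padding must be stripped before the MAC can be checked, so a damaged
    # record fails in one of two distinguishable ways (the padding-oracle shape)
    pt_tag = _unpad(_keystream_xor(ek, iv, rest))
    pt, tag = pt_tag[:-32], pt_tag[-32:]
    if not hmac.compare_digest(tag, _mac(mk, seq, ctype, version, pt)):
        raise ValueError("bad mac")
    return pt

def tamper_results(etm, plaintext=b"hello record"):
    mk, ek, iv = b"m" * 32, b"e" * 32, b"\x01" * 16   # constructed keys and IV
    rec = protect(mk, ek, 7, 23, 0x0303, iv, plaintext, etm)
    seen = set()
    for pos in range(16, len(rec)):   # flip one bit in every byte after the IV
        bad = rec[:pos] + bytes([rec[pos] ^ 0x80]) + rec[pos + 1:]
        try:
            unprotect(mk, ek, 7, 23, 0x0303, bad, etm)
        except ValueError as e:
            seen.add(str(e))
    return seen
```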