Re: [TLS] [Technical Errata Reported] RFC5288 (4694)
Aaron Zauner <azet@azet.org> Mon, 16 May 2016 10:17 UTC
Return-Path: <azet@azet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 156C412D10B for <tls@ietfa.amsl.com>; Mon, 16 May 2016 03:17:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=azet.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Cg9rWBiN9Cd for <tls@ietfa.amsl.com>; Mon, 16 May 2016 03:17:09 -0700 (PDT)
Received: from mail-pf0-x22e.google.com (mail-pf0-x22e.google.com [IPv6:2607:f8b0:400e:c00::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBD5B12D0DD for <tls@ietf.org>; Mon, 16 May 2016 03:17:09 -0700 (PDT)
Received: by mail-pf0-x22e.google.com with SMTP id 77so66014935pfv.2 for <tls@ietf.org>; Mon, 16 May 2016 03:17:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=azet.org; s=gmail; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=S6kWIO4Pr5mXghyO7iXc2fuQ/QhyH0GbtaFAPOh2EQo=; b=MLo7dp9docFoFtzXcZ3ccDvRhyfY1h/AUloGicqzld9SemrUJojeFOP5KD5dWCq9u8 YhPpyLnsQTnaWTDBrc+Lo9ZW+ZoKQn6Dh571Pyux2I7auSxCif27euOkfYxGdE6AQwpj VZauy9FLk8fBx8O3j4AECAIkAXD2gucVJZ6SE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=S6kWIO4Pr5mXghyO7iXc2fuQ/QhyH0GbtaFAPOh2EQo=; b=eOnBE6Jn4vmyoYz+hHCSWtBk3MGM9yOhwwbXq7wCP4g0oV8MVRKAF//dUpXpzJQwie 4PntvaZqLdbxuduP9+3jwiq5vpJ/49onOGF9/0QrphUFuwi17Bff/6+ir9eixboabeKN cTbcO3tSWJmc6FLhGb7PmEGUwtB2j8XsDhYfY3D7VV0OofftFFBLCTrqwsRPtokAYNmp gYTz9uKSlyZDj4Y1FIYuoyTZwBCfjqzFkEpsNDKt+d/N/cTNbq4/HnMluC5zrKCxQxKs iVNgfn02Na6HFLm7EZWujny+5YeXbpsHdwGJroEK6WDmr/ipdfx9tLOgNPTIHNhzTlaX TKKw==
X-Gm-Message-State: AOPr4FXdG0Uog4PJgsQm/yO8gVU672KXuuEOSxAyg24Dk/Ra1ovWv78t0ar9REQ5I0J1Ug==
X-Received: by 10.98.71.80 with SMTP id u77mr44262263pfa.119.1463393829290; Mon, 16 May 2016 03:17:09 -0700 (PDT)
Received: from [192.168.1.234] (ppp-49-237-229-67.revip6.asianet.co.th. [49.237.229.67]) by smtp.gmail.com with ESMTPSA id q186sm46174036pfq.96.2016.05.16.03.17.06 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 16 May 2016 03:17:08 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Content-Type: multipart/signed; boundary="Apple-Mail=_1BB6933F-351D-43DC-97F0-E4763286E6C5"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: Aaron Zauner <azet@azet.org>
In-Reply-To: <D35F5460.6C5D0%kenny.paterson@rhul.ac.uk>
Date: Mon, 16 May 2016 17:15:05 +0700
Message-Id: <3B2C6D5A-939E-4539-B902-D4502EB9739C@azet.org>
References: <20160514082717.7997D180004@rfc-editor.org> <9A043F3CF02CD34C8E74AC1594475C73F4C80CD0@uxcn10-5.UoA.auckland.ac.nz> <CAN8NK9EaDQ-Pugi2j=3KcXrn5G-8mcXVs4O2HGCkH7h7GSKbbA@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C80F76@uxcn10-5.UoA.auckland.ac.nz> <CAN8NK9Gn9iK72dBq3opQ2E_HEZyVB+ysCqo5JxMH8vHhy4gEEg@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C817BE@uxcn10-5.UoA.auckland.ac.nz> <a05f1e9d02a96721479a0de75e335cc4@esat.kuleuven.be> <A1FEF4A5-AC64-4832-904A-47768E5D5AF9@gmail.com> <54302B87-4730-4B8E-9F55-B33B89425A51@azet.org> <D35F4D97.6C5B2%kenny.paterson@rhul.ac.uk> <53384A13-5F80-4CF0-BD8F-F68E304ADF15@azet.org> <D35F5460.6C5D0%kenny.paterson@rhul.ac.uk>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NEwY3ifV0kkiglvxdpOR6nSMgo0>
Cc: "mcgrew@cisco.com" <mcgrew@cisco.com>, "tls@ietf.org" <tls@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [TLS] [Technical Errata Reported] RFC5288 (4694)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 May 2016 10:17:11 -0000
Hi Kenny, > On 16 May 2016, at 16:48, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> wrote: > > Maybe the confusion is this: in your authenticity attack, you do recover > the GHASH key, and the effect is catastrophic. In the confidentiality > attack, one can recover plaintexts for the records with repeated nonces, > but not the encryption key. The effect may be bad - but it's perhaps not > as catastrophic in practice as the authenticity attack. Ah, I see. Yes and we do not consider this in our paper at all. Maybe we should? Not sure how practical this is. > Think about it this way: for your injection attack, you need to recover > the CTR keystream - otherwise you couldn't properly AES-GCM-encrypt your > chosen plaintext record for the injection. But if you recovered the > keystream as part of your attack, then you've also recovered the plaintext > for the original record. > > Or maybe in your injection attack you were assuming you already *knew* the > plaintext? That would make sense, I guess - a lot easier then to recover > the keystream than doing the "undoing the XOR" attack needed to recover > P_1 and P_2 from P_1 XOR P_2. The first step of our attack involves attacker controlled content. So yes (phishing, unauthenticated HTTP, selective company DPI etc.). In our example we use a local proxy to carry out the attack. I hope I can post a full version of the actual paper and PoC to this thread soon. Aaron
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- [TLS] [Technical Errata Reported] RFC5288 (4694) RFC Errata System
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Peter Gutmann
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Rick van Rein
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Peter Gutmann
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Tony Arcieri
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Joseph Salowey
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Judson Wilson
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Peter Gutmann
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Atul Luykx
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Peter Gutmann
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Yoav Nir
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Paterson, Kenny
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Paterson, Kenny
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Paterson, Kenny
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Joseph Lorenzo Hall
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Megan Ferguson
- [TLS] [Errata Verified] RFC5288 (4694) RFC Errata System
- Re: [TLS] [Errata Verified] RFC5288 (4694) Peter Gutmann