Re: [TLS] [Technical Errata Reported] RFC7905 (5251)

Adam Langley <agl@google.com> Mon, 12 February 2018 23:30 UTC

In-Reply-To: <20180201135947.77809B819EE@rfc-editor.org>
References: <20180201135947.77809B819EE@rfc-editor.org>
From: Adam Langley <agl@google.com>
Date: Mon, 12 Feb 2018 15:30:11 -0800
Message-ID: <CAL9PXLxUNZHeMZYUSEsmT5YBOg6AReFbqxPozOmStY_+L1VUSg@mail.gmail.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: Wan-Teh Chang <wtc@google.com>, Nikos Mavrogiannopoulos <nmav@redhat.com>, Joachim Strömbergson <joachim@secworks.se>, Simon Josefsson <simon@josefsson.org>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, Eric Rescorla <ekr@rtfm.com>, Joseph Salowey <joe@salowey.net>, sean+ietf@sn3rd.com, xavier.bonnetain@inria.fr, tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PDXQGGFvkPZFRamdj93as-QqGAQ>

On Thu, Feb 1, 2018 at 5:59 AM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:

> Original Text
> -------------
>    Poly1305 is designed to ensure that forged messages are rejected with
>    a probability of 1-(n/2^107), where n is the maximum length of the
>    input to Poly1305.  In the case of (D)TLS, this means a maximum
>    forgery probability of about 1 in 2^93.
>
> Corrected Text
> --------------
>    Poly1305 is designed to ensure that forged messages are rejected with
>    a probability of 1-(n/2^106), where n is the maximum length of the
>    input to Poly1305.  In the case of (D)TLS, this means a maximum
>    forgery probability of about 1 in 2^92.
>

I'm not sure that this errata report is correct.

The full formula is beyond email HTML to express, but see the "Security
Guarantee" section of https://cr.yp.to/mac/poly1305-20050329.pdf

The section seems to be talking about blind forgeries, so C = 0. D = 1
because this is a per-attempt measure. Then we have 8*L/16 on the top of
the fraction, which is 1/2 * L (where L = byte length of a message). If we
multiply top and bottom by two, we get L / 2^107. For (D)TLS, with a
maximum encrypted plaintext length of ~2^14, that gives 2^{-93}.
Cheers

AGL
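The derivation in the message above, carried through with the symbols of the Poly1305-AES paper, as an added worked example that is not part of Adam Langley's reply or of RFC 7905. It assumes the forgery term of the paper's "Security Guarantee" in the form 8D⌈L/16⌉/2^106 for D forgery attempts against inputs of at most L bytes (the key-derivation term of the theorem is set aside, as the message does by taking C = 0), and the AEAD_CHACHA20_POLY1305 input layout of RFC 7539 as used by RFC 7905 for TLS 1.2: 13 bytes of additional data padded to 16, at most 2^14 bytes of ciphertext padded to a multiple of 16, and 16 bytes of lengths.

```latex
\text{Poly1305 forgery bound, } D \text{ attempts, inputs of at most } L \text{ bytes:}
\qquad
\Pr[\text{forgery accepted}] \;\le\; \frac{8D\,\lceil L/16\rceil}{2^{106}}

\text{Per-attempt blind forgery: } D = 1
\;\Rightarrow\;
\frac{8\,\lceil L/16\rceil}{2^{106}} \;=\; \frac{\lceil L/16\rceil}{2^{103}}

\text{Dropping the ceiling: } 8\cdot\frac{L}{16} \;=\; \frac{L}{2},
\quad\text{so}\quad
\frac{L/2}{2^{106}} \;=\; \frac{L}{2^{107}}
\qquad\text{(the } n/2^{107} \text{ of RFC 7905, with } n = L\text{)}

\text{TLS 1.2 record: } L \;=\; \underbrace{16}_{\text{AAD, padded}} + \underbrace{2^{14}}_{\text{max ciphertext}} + \underbrace{16}_{\text{two 64-bit lengths}} \;=\; 2^{14}+32
\;\Rightarrow\;
\lceil L/16\rceil = 1026

\frac{8\cdot 1026}{2^{106}} \;=\; \frac{8208}{2^{106}} \;\approx\; \frac{2^{13.003}}{2^{106}} \;\approx\; 2^{-93}
```

The proposed n/2^106 is what remains if the factor 1/2 from 8/16 is dropped; keeping it gives n/2^107, and the 32 bytes of padding and length fields that TLS adds on top of the 2^14-byte record move the exponent by less than 0.003, so 2^-93 stands as the per-attempt figure.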