Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Watson Ladd <> Fri, 29 November 2013 18:23 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D0A381AD948 for <>; Fri, 29 Nov 2013 10:23:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zwkALMHdGFAc for <>; Fri, 29 Nov 2013 10:23:45 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c03::235]) by (Postfix) with ESMTP id 7CC911AD8F6 for <>; Fri, 29 Nov 2013 10:23:45 -0800 (PST)
Received: by with SMTP id x55so9384016wes.26 for <>; Fri, 29 Nov 2013 10:23:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5cJhoYs7JYWeAFZ7v92WnIE5nuKIxu/1emxd7c9TH/s=; b=dveQBYSzryr3yvD3xTH8iIrXW/77yXgPVPyPh1KP0+LlYhhQloS5edKiOVwEAqXijh w+ZwZvDKBP5hUEKKYs/bFf5v634qj3tjIBMFj+3KD9RMUWjLNE8poJfpDaVKugYZqtvp 8bhaQlIU//LkbPN3MuOrh7e0pDipDacYzv385FWB6nrDQBQ5A+HSEaKXVF5sqEieAApo K8/NDlQd0XO3dZYXKJWQAbsUe2fNpGWIf/qMtZ87zusKVCJZYuchR7TyhpU9Q/O7z0AO 7/Mc+FKq5gb7IOl80kF6VogiQb9RZiD2eu4ZeF1eHpaBL8z8Tz9WWL14cAE6w9enLaR+ Po5w==
MIME-Version: 1.0
X-Received: by with SMTP id p9mr7875375wij.58.1385749423804; Fri, 29 Nov 2013 10:23:43 -0800 (PST)
Received: by with HTTP; Fri, 29 Nov 2013 10:23:43 -0800 (PST)
In-Reply-To: <1385748814.5805.4.camel@aspire.lan>
References: <> <> <> <1385748814.5805.4.camel@aspire.lan>
Date: Fri, 29 Nov 2013 10:23:43 -0800
Message-ID: <>
From: Watson Ladd <>
To: Nikos Mavrogiannopoulos <>
Content-Type: text/plain; charset=UTF-8
Cc: "" <>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 Nov 2013 18:23:48 -0000

On Fri, Nov 29, 2013 at 10:13 AM, Nikos Mavrogiannopoulos
<> wrote:
> On Fri, 2013-11-29 at 09:26 -0800, Robert Ransom wrote:
>> > You have been quite clear about that, and I've got the impression that you
>> > are the only but very vocal opponent of encrypt-then-mac on this list.
>> Nikos Mavrogiannopoulos has also been opposed to encrypt-then-HMAC.  I
>> don't know of any others.
> It seems I'll have to repeat that. I don't oppose this draft. I prefer
> an alternative [1], which was not mentioned in the IETF88 meeting. So if
> the question would be AEAD (i.e, not a fix) or encrypt-then-mac, I'd go
> with the latter. If the question is [1] or encrypt-then-mac I'd go with
> the former.
Why do you prefer this alternative?
AEAD is a fix, provided we deploy it. But that isn't happening for
whatever reason.
I suspect that we will soon learn that all fixes do not get deployed
for mysterious reasons.
Solution: get it right the first time.
>> > I'm sure you have good reasons for this opposition, so could you
>> please
>> > explain them in one or two sentences. This excluding the "encrypting
>> the
>> > HMAC makes it safer" argument, which might be true but as I
>> understand is
>> > not well proven.
>> "not well proven" is the wrong phrase here.  Marsh Ray solidly
>> debunked it.
> I don't quite understand that. No-one questioned his observations in any
> point at any previous discussion. Please review them to understand where
> I stand.
So if HMAC is only a universal hash then HMAC followed by counter mode
is secure, but
HMAC followed by CBC is secure up to a collision of the chaining
value. This analysis assumes
the HMAC falls in a block.

But remember HMAC is essentially H(k||H(k||m)). In particular if the
H(k||m) is a universal hash function,
and H(k||..) satisfies some sort of keyed security assumption (PRF for
fixed length?) HMAC is secure.

So the only way HMAC followed by encrypt is more secure than encrypt
followed by HMAC is if things
break in a really weird way.
Watson Ladd
> regards,
> Nikos
> [1].
> _______________________________________________
> TLS mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin