Re: [TLS] Resolution AEAD Cipher length and padding

Eric Rescorla <ekr@rtfm.com> Mon, 21 July 2014 14:59 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 21 Jul 2014 07:59:12 -0700
Message-ID: <CABcZeBOym3EZYZ1qk0xq1fZ0kS=u4jO7Cqz-m0k5Mci1SKu7UQ@mail.gmail.com>
To: Alfredo Pironti <alfredo@pironti.eu>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/QW1ttjArcgAMOyBrWHCpzVaLta4
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Resolution AEAD Cipher length and padding

On Mon, Jul 21, 2014 at 7:54 AM, Alfredo Pironti <alfredo@pironti.eu> wrote:

> It's not clear to me what this resolution is about; could you please
> elaborate (or give pointers)?
> Is this about AEAD ciphers built on top of block-encrypt then mac? To some
> extent, current GCM and CCM ciphers are already expanding the cipher text
> length by the tag length, so I must be missing the point here. Thanks.
>

If you have a cipher mode (as you say, CBC is an example) which expands the
plaintext by a non-deterministic amount (specifically an amount which can't
be determined by the receiver prior to decryption) then it doesn't work to
have the length be part of additional data.

See:
https://github.com/tlswg/tls13-spec/issues/67

-Ekr


>
> Best,
> Alfredo
>
>
> On Mon, Jul 21, 2014 at 4:41 PM, Joseph Salowey (jsalowey) <
> jsalowey@cisco.com> wrote:
>
>> At the interim meeting we decided to fix the specification of AEAD to
>> support ciphers that pad and expand the cipher text length.  Please respond
>> to this message by Friday, July 25 if you have an objection.
>>
>> Thanks,
>>
>> Joe
>> [for the chairs]
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
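
The point made in the reply above, as an added example that is not part of the original thread: TLS 1.2 (RFC 5246, section 6.2.3.3) puts the plaintext length into the AEAD additional data, so the receiver must know that length before decrypting. The padded layout, the 16-byte block and the 32-byte tag used for the second case are assumptions chosen for illustration.

```python
import struct

def additional_data(seq_num, content_type, version, plaintext_len):
    """TLS 1.2 AEAD additional data (RFC 5246, 6.2.3.3):
    seq_num(8) || type(1) || version(2) || plaintext length(2)."""
    return struct.pack("!QBHH", seq_num, content_type, version, plaintext_len)

def lengths_fixed_expansion(record_len, overhead):
    """Fixed overhead (e.g. TLS 1.2 AES-GCM: 8-byte explicit nonce plus
    16-byte tag): exactly one plaintext length is possible."""
    n = record_len - overhead
    return [n] if n >= 0 else []

def lengths_padded(record_len, block, tag_len):
    """Assumed layout: pad(plaintext) || tag, with CBC-style padding of
    1..256 bytes up to a block boundary. Every pad length remains possible
    until the record has been decrypted."""
    body = record_len - tag_len
    if body <= 0 or body % block:
        return []
    return [body - pad for pad in range(1, min(256, body) + 1)]

def receiver_ads(seq_num, content_type, version, lengths):
    """All additional-data strings the receiver would have to consider."""
    return {additional_data(seq_num, content_type, version, n) for n in lengths}

if __name__ == "__main__":
    seq, ctype, ver, pt_len = 1, 23, 0x0303, 100   # constructed sample record
    sender_ad = additional_data(seq, ctype, ver, pt_len)
    # 100 bytes of plaintext: 124-byte record with GCM, 112 + 32 bytes when padded.
    gcm = receiver_ads(seq, ctype, ver, lengths_fixed_expansion(pt_len + 24, 24))
    padded = receiver_ads(seq, ctype, ver, lengths_padded(112 + 32, 16, 32))
    print("fixed expansion:", len(gcm), "candidate AD, matches sender:", sender_ad in gcm)
    print("padded:", len(padded), "candidate ADs, sender's among them:", sender_ad in padded)
```

With fixed expansion the receiver rebuilds the sender's additional data from the record length alone; with padding it is left with one candidate per possible pad length and cannot pick the right one before decryption.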