Re: [TLS] Are the AEAD cipher suites a security trade-off win with TLS1.2?

Peter Gutmann <> Fri, 18 March 2016 23:54 UTC


Martin Rex <> writes:

>Though it is a pretty flawed assumption.
>I've seen an AEAD cipher implementation fail badly just recently (resulting
>in corrupted plaintext that went unnoticed within TLS--MACing the ciphertext
>is obviously a pretty dumb idea), something that is *MUCH* more unlikely to
>happen to any cipher suites using GenericBlockCipher PDU.

There have been many more failures with GCM, the most notorious being Colin
Percival's tarsnap, where a single missed operation (increment the IV)
resulted in a total loss of security.  Colin is a very experienced crypto
developer, so it's not like this was some beginner mistake.  This is why I
referred to GCM as "brittle": you can be about as abusive as you like with CBC
and the worst you get is degradation to ECB, while with GCM you make one
mistake and you get a catastrophic loss of security.
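As an added example (not from Peter Gutmann's post or from tarsnap), the two failure modes contrasted above made concrete as checks an implementer can keep in a test suite: a repeated GCM nonce exposes p1 XOR p2 for the whole message, while a repeated CBC IV exposes only whether the leading blocks are equal. Key, nonce, IV and plaintexts are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values for this example only; fixed keys, nonces and IVs are the bug.
var (
	DemoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	DemoNonce = []byte("twelve-bytes")                     // 12-byte GCM nonce
	DemoIV    = []byte("sixteen-byte-iv!")                 // 16-byte CBC IV
	P1        = []byte("Bank transfer: amount = 00001000") // exactly two AES blocks
	P2        = []byte("Bank transfer: amount = 99999999") // same 1st block, different 2nd
)

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// GCMKeystreamReused seals p1 under nonce n1 and p2 under n2 with one key and reports whether
// c1 XOR c2 == p1 XOR p2, i.e. the CTR keystream repeated and one known plaintext exposes the other.
func GCMKeystreamReused(key, n1, n2, p1, p2 []byte) bool {
	block, _ := aes.NewCipher(key)              // demo key is a valid AES-256 key
	aead, _ := cipher.NewGCM(block)             // AES block size is always accepted
	c1 := aead.Seal(nil, n1, p1, nil)[:len(p1)] // strip the 16-byte tag
	c2 := aead.Seal(nil, n2, p2, nil)[:len(p2)]
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}

// CBCFirstBlockCollides encrypts p1 and p2 in CBC under one key and IV and reports whether the
// leading ciphertext blocks match: IV reuse degrades CBC toward ECB for that block, later blocks stay masked.
func CBCFirstBlockCollides(key, iv, p1, p2 []byte) bool {
	block, _ := aes.NewCipher(key)
	c1, c2 := make([]byte, len(p1)), make([]byte, len(p2))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(c1, p1)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(c2, p2)
	return bytes.Equal(c1[:aes.BlockSize], c2[:aes.BlockSize])
}

func main() {
	fmt.Println("GCM nonce reuse leaks p1 XOR p2:", GCMKeystreamReused(DemoKey, DemoNonce, DemoNonce, P1, P2),
		"| CBC IV reuse leaks only the equal first block:", CBCFirstBlockCollides(DemoKey, DemoIV, P1, P2))
}
```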