Re: [TLS] TLS1.2 vs TLS1.0
mrex@sap.com (Martin Rex) Thu, 23 May 2013 01:20 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3C0B21F8FBA for <tls@ietfa.amsl.com>; Wed, 22 May 2013 18:20:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.249
X-Spam-Level:
X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ncwVXRrNcLx7 for <tls@ietfa.amsl.com>; Wed, 22 May 2013 18:20:25 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 5A7E221F8F1E for <tls@ietf.org>; Wed, 22 May 2013 18:20:23 -0700 (PDT)
Received: from mail06.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r4N1KM0t000420 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 23 May 2013 03:20:22 +0200 (MEST)
In-Reply-To: <20130523005145.1C3DC1A76F@ld9781.wdf.sap.corp>
To: mrex@sap.com
Date: Thu, 23 May 2013 03:20:22 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130523012022.76C171A76F@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS1.2 vs TLS1.0
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 May 2013 01:20:30 -0000
Martin Rex wrote: > Eric Rescorla wrote: > > Martin Rex <mrex@sap.com> wrote: > > > > > > Paterson, Kenny wrote: > > > > > > > > True. Though the spec for DTLS does allow DTLS implementations to > > > > terminate a connection in the event of errors. > > > > > > > > It's just that most (all?) implementations don't. > > > > > > Now that you mention it, I hadn't noticed that DTLS gives actual two > > > _different_ guidances (MAY abort on MAC error and MUST discard records > > > with MAC error are mutually exclusive) > > > > > > http://tools.ietf.org/html/rfc4347#section-4.1.2.1 > > > > > > 4.1.2.1 MAC (last paragraph): > > > > > > In general, DTLS implementations SHOULD silently discard data with > > > bad MACs. If a DTLS implementation chooses to generate an alert when > > > it receives a message with an invalid MAC, it MUST generate > > > bad_record_mac alert with level fatal and terminate its connection > > > state. > > > > > > http://tools.ietf.org/html/rfc4347#section-4.1.2.5 > > > > > > 4.1.2.5 Anti-replay (last paragraph): > > > > > > If the received record falls within the window and is new, or if the > > > packet is to the right of the window, then the receiver proceeds to > > > MAC verification. If the MAC validation fails, the receiver MUST > > > discard the received record as invalid. The receive window is > > > updated only if the MAC verification succeeds. > > > > > > > Hmm.... I'm not sure these are contradictory. > > > > If you get a packet with a MAC error you MUST discard the packet (i.e., > > not process it.) You may either *silently* discard it (i.e.., proceed as if > > you had not received it) or terminate the connection with an alert. > > Silently discarding it = proceed as if you had not received it > > non-silently discarding it = log an error and proceed as if you had not > not received it > > Terminating the connection with an alert means "processing it". > > So yes, there is a contradiction. For comparison, look at the more elaborate discussion in the successor DTLS document: http://tools.ietf.org/html/rfc6347#section-4.1.2.7 4.1.2.7. Handling Invalid Records Unlike TLS, DTLS is resilient in the face of invalid records (e.g., invalid formatting, length, MAC, etc.). In general, invalid records SHOULD be silently discarded, thus preserving the association; however, an error MAY be logged for diagnostic purposes. Implementations which choose to generate an alert instead, MUST generate fatal level alerts to avoid attacks where the attacker repeatedly probes the implementation to see how it responds to various types of error. Where you can see the two variants of discarding ("silently" and logging an error) that preserves the association, and the behaviour "Implementations which choose to generate an alert instead", being explicitly characterized as distinct to discarding. btw. there is another contradiction within rfc4347 section 4.1.2.1 MAC between paragraph 3 and 4 (which is reproduced in rfc6347): http://tools.ietf.org/html/rfc4347#section-4.1.2.1 http://tools.ietf.org/html/rfc6347#section-4.1.2.1 Note that one important difference between DTLS and TLS MAC handling is that in TLS MAC errors must result in connection termination. In DTLS, the receiving implementation MAY simply discard the offending record and continue with the connection. This change is possible because DTLS records are not dependent on each other in the way that TLS records are. In general, DTLS implementations SHOULD silently discard data with bad MACs. If a DTLS implementation chooses to generate an alert when it receives a message with an invalid MAC, it MUST generate bad_record_mac alert with level fatal and terminate its connection state. Paragraph 3 says "MAY simply discard the offending record and continue with the connection", whereas paragraph 4 says "DTLS implementations SHOULD silently discard data with bad MACs.". You can not use two distinct imperatives (MAY and SHOULD) for the very same behaviour, that is a contradiction. You can only use one or the other. Maybe the document (co-)authors should be using the "MAY WISH TO" http://tools.ietf.org/html/rfc6919#section-6 keyword instead of the rfc2119 SHOULD in paragraph 4 of rfc4347 section 4.1.2.1. ;-) There are some folks in the IETF security area (in particular over at PKIX) that feel very strongly about SHOULDs. -Martin
- Re: [TLS] TLS1.2 vs TLS1.0 Paul Duffy
- [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Robert Cragie
- Re: [TLS] TLS1.2 vs TLS1.0 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.2 vs TLS1.0 Hanno Böck
- Re: [TLS] TLS1.2 vs TLS1.0 David McGrew (mcgrew)
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Paterson, Kenny
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Xiaoyong Wu
- Re: [TLS] TLS1.2 vs TLS1.0 Eric Rescorla
- Re: [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Ulrich Herberg
- Re: [TLS] TLS1.2 vs TLS1.0 Geoffrey Keating
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Martin Rex
- Re: [TLS] TLS1.2 vs TLS1.0 Eric Rescorla
- Re: [TLS] TLS1.2 vs TLS1.0 Kemp, David P.
- Re: [TLS] TLS1.2 vs TLS1.0 Peter Gutmann
- Re: [TLS] TLS1.2 vs TLS1.0 Simon Josefsson