Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Tue, 06 January 2015 10:37 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
Date: Tue, 06 Jan 2015 10:35:16 +0000
Message-ID: <D0D16976.3BD1D%kenny.paterson@rhul.ac.uk>
References: <9A043F3CF02CD34C8E74AC1594475C73AAF525B9@uxcn10-tdc05.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73AAF525B9@uxcn10-tdc05.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/SCVUY-E5173i-b-25MwsFmgQYvA

Hi

On 06/01/2015 10:27, "Peter Gutmann" <pgut001@cs.auckland.ac.nz> wrote:

>Michael Clark <michael@metaparadigm.com> writes:
>
>>Before I've read through can we do this with it?
>>
>>AES-256-GCM + hmac_null   = 128 bits authentication
>>AES-256-CBC + hmac_sha128 = 128 bits authentication
>>
>>AES-256-GCM + hmac_sha128 = 256 bits authentication
>>AES-256-CBC + hmac_sha256 = 256 bits authentication
>>
>>AES-256-GCM + hmac_sha256 = 384 bits authentication
>>AES-256-CBC + hmac_sha384 = 384 bits authentication
>
>The MAC is whatever is negotiated for the session, and if you want a
>shorter one you can send the truncated-MAC extension (which, however,
>nothing supports AFAIK).

It's good that nothing supports the truncated-MAC extension, because, in
combination with TLS's support for variable length padding, it introduces
a security vulnerability. See:

http://www.isg.rhul.ac.uk/~kp/mee-comp.pdf

which shows that if the tag size (MAC length) is shorter than the CBC-mode
block size, then there's a distinguishing attack that can tell the
difference between the encryption of a short message and a longer message
(even though both are padded to the same size before encryption).

This is not an issue for any of the ciphersuites proposed above, but it's
something to be kept in mind when considering "exotic" ciphersuites.

Regards

Kenny 


>Having said that, see my previous message about not needing a
>thousand options, we only need one that everyone uses.
>
>Peter.
>
>_______________________________________________
>TLS mailing list
>TLS@ietf.org
>https://www.ietf.org/mailman/listinfo/tls
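The following is an added example, not code from the thread or from the paper Kenny cites. It works through the TLS 1.2 CBC record-layout arithmetic (MAC, then variable-length padding, then encryption) to show how a short and a longer message can end up with the same ciphertext length, and it flags the parameter combination the message warns about: a MAC tag shorter than the cipher's block size, which is what truncated_hmac (RFC 6066, 80-bit tags) produces with AES. Cipher and MAC names are constructed labels for the lookup tables.

```python
# Added example (not from the email or the cited paper): TLS 1.2 CBC
# MAC-then-pad-then-encrypt record arithmetic plus a configuration check for
# the hazardous case "tag length < CBC block size".

# Block sizes and full HMAC tag lengths in bytes. truncated_hmac (RFC 6066)
# cuts every HMAC tag down to 80 bits = 10 bytes.
BLOCK_SIZE = {"AES": 16, "3DES": 8}
FULL_TAG_LEN = {"SHA1": 20, "SHA256": 32, "SHA384": 48}
TRUNCATED_TAG_LEN = 10


def effective_tag_len(mac: str, truncated_hmac: bool) -> int:
    """Tag length actually carried in the record after negotiation."""
    return TRUNCATED_TAG_LEN if truncated_hmac else FULL_TAG_LEN[mac]


def tag_shorter_than_block(cipher: str, mac: str, truncated_hmac: bool) -> bool:
    """True when the negotiated parameters hit the condition the message
    describes as dangerous for CBC ciphersuites: tag length < block size."""
    return effective_tag_len(mac, truncated_hmac) < BLOCK_SIZE[cipher]


def padding_choices(ptext_len: int, tag_len: int, block: int) -> list:
    """All TLS-legal total padding sizes (padding bytes plus the
    padding_length byte, so 1..256) that bring plaintext||tag||padding to
    a block boundary. TLS lets the sender pick any of these."""
    return [p for p in range(1, 257) if (ptext_len + tag_len + p) % block == 0]


def record_lengths(ptext_len: int, tag_len: int, block: int) -> set:
    """Every encrypted-fragment length (IV excluded) one plaintext can have."""
    return {ptext_len + tag_len + p
            for p in padding_choices(ptext_len, tag_len, block)}


if __name__ == "__main__":
    # Constructed input: a 5-byte and a 21-byte message under AES-CBC + HMAC-SHA1.
    short_msg = record_lengths(5, 20, 16)
    long_msg = record_lengths(21, 20, 16)
    print("ciphertext lengths both messages can share:",
          sorted(short_msg & long_msg)[:3])
    for cipher, mac, trunc in [("AES", "SHA1", True),
                               ("AES", "SHA1", False),
                               ("3DES", "SHA1", True)]:
        print(cipher, mac, "truncated" if trunc else "full",
              "-> tag shorter than block:",
              tag_shorter_than_block(cipher, mac, trunc))
```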