Re: [TLS] Are the AEAD cipher suites a security trade-off win with TLS1.2?

mrex@sap.com (Martin Rex) Fri, 18 March 2016 17:08 UTC

In-Reply-To: <CAAF6GDfsMivA_LiWK2xJgyhMTf8ygFo17MN+YkAnTN2-HV8Ryw@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Date: Fri, 18 Mar 2016 18:08:54 +0100
Message-Id: <20160318170854.CB0801A471@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/SELZ0r0eFrIb6U6EJhOt-yRi9u0>
Cc: "tls@ietf.org" <tls@ietf.org>

Colm MacCárthaigh wrote:
> 
> But I take the point that AEAD modes are harder for programmers to screw
> up; and that does have value.

Though it is a pretty flawed assumption.

I've seen an AEAD cipher implementation fail badly just recently (resulting
in corrupted plaintext that went unnoticed within TLS--MACing the ciphertext
is obviously a pretty dumb idea), something that is *MUCH* more unlikely
to happen to any cipher suites using GenericBlockCipher PDU.

Pretty much all of the known crypto attacks are highly theoretical and
meaningless in practice, whereas corrupted plaintext is an immediate
real pain in the ass.

I'm glad that the problem was spotted before the affected code was shipped.

-Martin
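The structural point in Martin's message, as an added illustration that is not part of the thread: an integrity check computed over the ciphertext (AEAD / encrypt-then-MAC style) cannot notice a defect in the decryption path, whereas a MAC over the plaintext (GenericBlockCipher / MAC-then-encrypt style) does. The stream cipher, key sizes and the simulated "keystream offset" bug are all constructed stand-ins, not AES-GCM or the real TLS record format.

```python
import hashlib
import hmac

# Constructed toy keystream: SHA-256(key || nonce || counter). Stands in for a
# real cipher only so the example runs offline; it is NOT AES and NOT TLS.
def keystream(key: bytes, nonce: bytes, n: int, offset: int = 0) -> bytes:
    out, ctr = b"", offset
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

# AEAD-style record: tag is computed over the ciphertext (encrypt-then-MAC).
def aead_seal(ek, mk, nonce, pt):
    ct = xor(pt, keystream(ek, nonce, len(pt)))
    return ct + mac(mk, nonce + ct)

def aead_open(ek, mk, nonce, blob, bug=False):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, mac(mk, nonce + ct)):
        return None                      # tag mismatch: record rejected
    # Simulated decryption defect (bug=True): keystream offset by one block.
    # The tag still verifies, so the wrong plaintext is returned unnoticed.
    return xor(ct, keystream(ek, nonce, len(ct), offset=1 if bug else 0))

# GenericBlockCipher-style record: MAC over the plaintext, then everything
# encrypted (MAC-then-encrypt). The same decryption defect corrupts the
# recovered MAC field as well, so the check fails and the bug is caught.
def gbc_seal(ek, mk, nonce, pt):
    inner = pt + mac(mk, pt)
    return xor(inner, keystream(ek, nonce, len(inner)))

def gbc_open(ek, mk, nonce, blob, bug=False):
    inner = xor(blob, keystream(ek, nonce, len(blob), offset=1 if bug else 0))
    pt, tag = inner[:-32], inner[-32:]
    if not hmac.compare_digest(tag, mac(mk, pt)):
        return None                      # corrupted plaintext detected
    return pt

def demo():
    ek, mk, nonce, pt = b"k" * 32, b"m" * 32, b"n" * 12, b"constructed sample record"
    return {"aead_ok": aead_open(ek, mk, nonce, aead_seal(ek, mk, nonce, pt)),
            "aead_buggy": aead_open(ek, mk, nonce, aead_seal(ek, mk, nonce, pt), bug=True),
            "gbc_ok": gbc_open(ek, mk, nonce, gbc_seal(ek, mk, nonce, pt)),
            "gbc_buggy": gbc_open(ek, mk, nonce, gbc_seal(ek, mk, nonce, pt), bug=True)}
```

With the simulated defect, `aead_buggy` comes back non-empty but wrong, while `gbc_buggy` comes back as `None`; a test suite that only checks "decrypt succeeded" would miss the first case.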