Re: [TLS] TLS1.3
Nikos Mavrogiannopoulos <nmav@gnutls.org> Fri, 08 February 2013 12:50 UTC
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FE0B21F8815 for <tls@ietfa.amsl.com>; Fri, 8 Feb 2013 04:50:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.727
X-Spam-Level:
X-Spam-Status: No, score=-2.727 tagged_above=-999 required=5 tests=[AWL=0.250, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E8DY9xh+5d4g for <tls@ietfa.amsl.com>; Fri, 8 Feb 2013 04:50:02 -0800 (PST)
Received: from mail-qc0-f174.google.com (mail-qc0-f174.google.com [209.85.216.174]) by ietfa.amsl.com (Postfix) with ESMTP id 2962821F88BE for <tls@ietf.org>; Fri, 8 Feb 2013 04:50:02 -0800 (PST)
Received: by mail-qc0-f174.google.com with SMTP id z24so1398702qcq.19 for <tls@ietf.org>; Fri, 08 Feb 2013 04:50:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=PuuGA7mIv2XOiAQPPQfmHdGTCQuRW67wBgVktckd530=; b=TtV6SgTs0CoryUtJZP9uFzZa/8LoIVKt0Zf6PVmw3M9sTWfFIN3KRe4ZELrpfiuOIA oH/r66IXcKOf2hj4RfVt6ROlcvvabeogTDxdZ4IxG0Hzf0IkSshopsyQLlZC7+M6ShZT +T6SBTG/D9kfKjy36nZDkdky2ITvV0EWm+3rend4/8gkq1p94VSPJCCDgkCj/3i4h6Q+ SJmpubI0+rqidc8Z3atMJUDvTT/hP3HcNyFzT3Txx5yKOWlEZX3faL9FzsBpOvmufGFN cwJbqWoob2RZsyaqYPV2YVnlvPCTAboF+dLRr4/VDk6z8JfvvtWLaMkq9sTuJ72JQh2i +pWg==
MIME-Version: 1.0
X-Received: by 10.229.171.84 with SMTP id g20mr439969qcz.73.1360327801523; Fri, 08 Feb 2013 04:50:01 -0800 (PST)
Sender: n.mavrogiannopoulos@gmail.com
Received: by 10.229.78.204 with HTTP; Fri, 8 Feb 2013 04:50:01 -0800 (PST)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73333FEAF0@uxcn10-2.UoA.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C73333FEAF0@uxcn10-2.UoA.auckland.ac.nz>
Date: Fri, 08 Feb 2013 13:50:01 +0100
X-Google-Sender-Auth: LKSA1WjRM7qcHvRSWKajDFdpZC4
Message-ID: <CAJU7za+NPT03YoJc=xKkA23=aw6kq2DSgs3Tpj_cA_dP2xCf6w@mail.gmail.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [TLS] TLS1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2013 12:50:03 -0000
On Fri, Feb 8, 2013 at 11:48 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: >>Padding the plain text up to a multiple of the cipher block size (minus the >>hash size) ahead of doing the MAC is a more modest change that may be more >>widely applicable to existing cipher suites - with a "pad-then MAC" client >>hello > That won't help against the current attack. This family of attacks relies on the fact that padding isn't authenticated, i.e, you can play with it without being detected. If pad is part of the MAC there is no issue. > The only proper fix for the > various attacks that target the encryption is to protect everything with the > MAC, i.e. switch to encrypt-then-MAC. The definitive reference for this is > Hugo Krawczyk's "The Order of Encryption and Authentication for Protecting > Communications (Or: How Secure is SSL?)". Using encrypt-then-MAC to counter the attack is as radical change as using the GCM or CCM modes. This isn't a small fix, it is an upgrade which changes the protocol semantics (e.g. MAC is no longer encrypted - whatever that may mean). Moreover, encrypt-then-MAC isn't a panacea. There is nothing wrong with MAC-then-encrypt, it is TLS that applied it incorrectly by keeping the pad unauthenticated. I'd prefer a fix that keeps the current protocol semantics. regards, Nikos
- Re: [TLS] TLS1.3 Peter Gutmann
- [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Eric Rescorla
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Eric Rescorla
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Dan Harkins
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 David McGrew (mcgrew)
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Nico Williams
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Russ Housley
- Re: [TLS] TLS1.3 Wan-Teh Chang
- Re: [TLS] TLS1.3 Scott Schmit
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Scott Schmit
- Re: [TLS] TLS1.3 Peter Gutmann