Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

mrex@sap.com (Martin Rex) Wed, 25 September 2013 21:10 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3479021F84EA for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 14:10:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.16
X-Spam-Level:
X-Spam-Status: No, score=-10.16 tagged_above=-999 required=5 tests=[AWL=0.089, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eBNx2i80cBHP for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 14:10:08 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 5D9D121F9C0D for <tls@ietf.org>; Wed, 25 Sep 2013 14:10:06 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r8PL9s7m013138 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 25 Sep 2013 23:09:54 +0200 (MEST)
In-Reply-To: <CALR0uiJPZQZ9-RJUmy-GZ-16E4Q3QB_DY=fk_8wEtWio63Fgtw@mail.gmail.com>
To: Alfredo Pironti <alfredo@pironti.eu>
Date: Wed, 25 Sep 2013 23:09:54 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130925210954.825521A9A7@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2013 21:10:12 -0000

Alfredo Pironti wrote:
> Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> > Eric Rescorla <ekr@rtfm.com> writes:
> >
> >> - Maybe I am misreading the draft, but I'm unclear on how you get
> >>    the TLSCompressed.length for the MAC computation in Section 3.
> >>    Does this have the same issue as was raised for McGrew's CBC AEAD
> >>    draft?

Eric is correct, the definition of the MAC in Peter's draft is
obviously incorrect (and likely does not match Peter's implementation):

TLSv1.0:  https://tools.ietf.org/html/rfc2246#section-6.2.3.1

   The MAC is generated as:

       HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
                     TLSCompressed.version + TLSCompressed.length +
                     TLSCompressed.fragment));

When changing from mac-pad-encrypt to encrypt-mac, as suggested
by Peter's draft, the MAC no longer operates on the TLSComressed PDU,
but on the TLSCiphertext PDU -- which results in:

       HMAC_hash(MAC_write_secret, seq_num + TLSCiphertext.type +
                     TLSCiphertext.version + TLSCiphertext.length +
                     TLSCiphertext.fragment));

    The computation of TLSCompressed.length on receive changes slightly,
    because there no longer is a MAC trailing the data after decrypt.


-Martin