Re: [TLS] Are the AEAD cipher suites a security trade-off win with TLS1.2?

Harlan Lieberman-Berg <hlieberman@setec.io> Sun, 20 March 2016 19:53 UTC

Return-Path: <hlieberman@setec.io>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D5FB12D546 for <tls@ietfa.amsl.com>; Sun, 20 Mar 2016 12:53:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.601
X-Spam-Level:
X-Spam-Status: No, score=-0.601 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=setec.io header.b=j017a2ST; dkim=pass (1024-bit key) header.d=setec.io header.b=o18XGo8m
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7rxVz1a0LE7V for <tls@ietfa.amsl.com>; Sun, 20 Mar 2016 12:53:33 -0700 (PDT)
Received: from xmenrevolution.com (xmenrevolution.com [97.107.134.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3388412D55C for <tls@ietf.org>; Sun, 20 Mar 2016 12:53:33 -0700 (PDT)
Received: by xmenrevolution.com (Postfix, from userid 113) id 949A916D76; Sun, 20 Mar 2016 15:53:32 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=setec.io; s=mail; t=1458503612; bh=gq5yzmBFlS5o0V1LpAsXE+2U85ZfToiDLvbdKWYNqqQ=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=j017a2STLhTf1iT9VTemhj4i0J2RkYAo3q7YdzQgXyBBaSyQLD3lfoSqqmrqtb58w WzQ+plIXj6nKwUrNi4LT9U2R3ro5rVky89uWGfGAmZZhIEfKVK7gaMFSZT1xt9++2t qbyi3JW7kzLzYcxUI9VhEHR5SFS2KJE2PBrwwI6k=
Received: from agartha (static-155-212-141-65.mas.onecommunications.net [155.212.141.65]) by xmenrevolution.com (Postfix) with ESMTPSA id 68A8B16CA8; Sun, 20 Mar 2016 15:53:31 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=setec.io; s=mail; t=1458503611; bh=gq5yzmBFlS5o0V1LpAsXE+2U85ZfToiDLvbdKWYNqqQ=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=o18XGo8moGcsBfzPDDs0ZcNfgpxx2Wd96+VSPLW+0F3KrrbgpyKZmKFYbVvVQpvcy SRbaSzVo2NtvDjD7HUNe405fPUIvd1fZeRmoaCQFGmROTG7bgfJwd/qYVE60l7N5dw jlTxgxQJtYyYJLYIn7kq74iTny3UHo1cZWM7k5es=
From: Harlan Lieberman-Berg <hlieberman@setec.io>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "mrex\@sap.com" <mrex@sap.com>, Colm =?utf-8?Q?MacC=C3=A1rthaigh?= <colm@allcosts.net>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4C2687E@uxcn10-tdc05.UoA.auckland.ac.nz>
References: <CAAF6GDfsMivA_LiWK2xJgyhMTf8ygFo17MN+YkAnTN2-HV8Ryw@mail.gmail.com> <20160318170854.CB0801A471@ld9781.wdf.sap.corp> <9A043F3CF02CD34C8E74AC1594475C73F4C2687E@uxcn10-tdc05.UoA.auckland.ac.nz>
User-Agent: Notmuch/0.21 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Sun, 20 Mar 2016 15:53:30 -0400
Message-ID: <87zitt2af9.fsf@setec.io>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/SvSlCtsKHr9iMKZ8kP_mf76UVCI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Are the AEAD cipher suites a security trade-off win with TLS1.2?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Mar 2016 19:53:34 -0000

Peter Gutmann <pgut001@cs.auckland.ac.nz>; writes:
> This is why I referred to GCM as "brittle", you can be about as
> abusive as you like with CBC and the worst you get is degradation to
> ECB, while with GCM you make one mistake and you get a catastrophic
> loss of security.

Couldn't you say the same about CTR mode, or stream ciphers themselves?
Sure -- it's definitely a lot harder to screw up "incrementing a
counter" than it is all the stuff GCM requires you to do, but....

Sincerely,

-- 
Harlan Lieberman-Berg
~hlieberman