Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

"Paul Bakker" <p.j.bakker@offspark.com> Thu, 26 September 2013 06:58 UTC

Return-Path: <p.j.bakker@offspark.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F72A21F98AC for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 23:58:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.504
X-Spam-Level:
X-Spam-Status: No, score=-0.504 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Enkq06XJ0U3a for <tls@ietfa.amsl.com>; Wed, 25 Sep 2013 23:58:07 -0700 (PDT)
Received: from vps2.brainspark.nl (vps2.brainspark.nl [141.138.204.106]) by ietfa.amsl.com (Postfix) with ESMTP id 3E72321F9767 for <tls@ietf.org>; Wed, 25 Sep 2013 23:58:06 -0700 (PDT)
Received: from a82-161-132-220.adsl.xs4all.nl ([82.161.132.220] helo=Slimpy) by vps2.brainspark.nl with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <p.j.bakker@offspark.com>) id 1VP5Py-00040v-RF; Thu, 26 Sep 2013 08:51:24 +0200
From: "Paul Bakker" <p.j.bakker@offspark.com>
To: <mrex@sap.com>, "'Alfredo Pironti'" <alfredo@pironti.eu>
References: <CALR0uiJPZQZ9-RJUmy-GZ-16E4Q3QB_DY=fk_8wEtWio63Fgtw@mail.gmail.com> <20130925210954.825521A9A7@ld9781.wdf.sap.corp>
In-Reply-To: <20130925210954.825521A9A7@ld9781.wdf.sap.corp>
Date: Thu, 26 Sep 2013 08:57:32 +0200
Message-ID: <00b601ceba85$af76ac90$0e6405b0$@offspark.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQIbqhsvkLjOsXMYuVkR6j4EVe9YzZk9tuyQ
Content-Language: nl
X-SA-Exim-Connect-IP: 82.161.132.220
X-SA-Exim-Mail-From: p.j.bakker@offspark.com
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.brainspark.nl)
Cc: tls@ietf.org
Subject: Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Sep 2013 06:58:11 -0000

> Alfredo Pironti wrote:
> > Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> > > Eric Rescorla <ekr@rtfm.com> writes:
> > >
> > >> - Maybe I am misreading the draft, but I'm unclear on how you get
> > >>    the TLSCompressed.length for the MAC computation in Section 3.
> > >>    Does this have the same issue as was raised for McGrew's CBC AEAD
> > >>    draft?
> 
> Eric is correct, the definition of the MAC in Peter's draft is obviously
incorrect
> (and likely does not match Peter's implementation):
> 
> TLSv1.0:  https://tools.ietf.org/html/rfc2246#section-6.2.3.1
> 
>    The MAC is generated as:
> 
>        HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
>                      TLSCompressed.version + TLSCompressed.length +
>                      TLSCompressed.fragment));
> 
> When changing from mac-pad-encrypt to encrypt-mac, as suggested by
> Peter's draft, the MAC no longer operates on the TLSComressed PDU, but on
> the TLSCiphertext PDU -- which results in:
> 
>        HMAC_hash(MAC_write_secret, seq_num + TLSCiphertext.type +
>                      TLSCiphertext.version + TLSCiphertext.length +
>                      TLSCiphertext.fragment));
> 
>     The computation of TLSCompressed.length on receive changes slightly,
>     because there no longer is a MAC trailing the data after decrypt.

Please read my other reply on 'skipping' a layer somewhere in this thread.