Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

mrex@sap.com (Martin Rex) Fri, 29 November 2013 23:08 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 896FD1AE04D for <tls@ietfa.amsl.com>; Fri, 29 Nov 2013 15:08:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.252
X-Spam-Level:
X-Spam-Status: No, score=-6.252 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GY1iwzaWvvET for <tls@ietfa.amsl.com>; Fri, 29 Nov 2013 15:08:03 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 47ADB1AD937 for <tls@ietf.org>; Fri, 29 Nov 2013 15:08:03 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id rATN7osS013930 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 30 Nov 2013 00:07:50 +0100 (MET)
In-Reply-To: <073259DE-D4EB-4229-945D-97CD5AF50A3C@iki.fi>
To: =?UTF-8?Q?Juho_V=C3=A4h=C3=A4-Herttua?= <juhovh@iki.fi>
Date: Sat, 30 Nov 2013 00:07:49 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20131129230749.E124B1AB10@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: "<tls@ietf.org>" <tls@ietf.org>, Nikos Mavrogiannopoulos <nmav@gnutls.org>, Peter Gutmann <p.gutmann@auckland.ac.nz>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2013 23:08:05 -0000

Juho Vähä-Herttua wrote:
> 
> mrex@sap.com (Martin Rex) wrote:
> > 
> > I'm from the "don't-fix-it-if-it-ain't-broken" camp.
> > And the less code needs to be changed to adopt some useful feature,
> > the more likely you will see it being adopted for patches/maintenance.
> > I have seen *ZERO* compelling reason for switching to encrypt-then-mac
> > in TLS.  And I'm not aware of *ANY* reason why we should touch/change
> > the GenericStreamCipher processing (which Peter's proposal does).
> 
> I'm trying to explain my reasoning.  First of all HMACs are designed
> to authenticate data safely, but encrypting them adds an unknown
> factor to the calculation.  Why not just use them as they are
> supposed to be used.

There is nothing "unknown" about encryption, and certainly it will not
dillute the MAC (unless you come up with a bogus encryption scheme that
is not bijective--i.e. expands the data during encryption.

Keep in mind that encrypted MAC is what SSL&TLS have always been doing,
and what a number of implementations will continue to be doing for many
years to come.

If this had been the other way round, i.e. SSLv3 and TLS had been using
encrypt-then-mac, then I would not be asking to change it _unless_
a _real_ problem was demonstrated, and for the very same reasons
(don't fix it if it ain't broken, smaller code changes are more likely
to get adopted during maintenance).


> 
> For me it is much more intuitive to do pad-encrypt-mac compared to attack
> resistant pad-mac-encrypt. In current TLS spec you can give the
> plaintext+HMAC to the encryptor as is and let it handle the padding.

In current TLS, you pass the plaintext to the record layer, and the
record layer will pipe it thorugh the compression function and
pass it to the pad+mac+encrypt function.

>
> The same is true for encrypt-then-mac, just give the plaintext to the
> encryptor (either CBC or stream) and let it handle the padding.
> But in pad-mac-encrypt you have to know the length of the MAC before
> you actually calculate the MAC and add it manually! This is counter
> intuitive.

Actually, in TLS you have to _know_ the size of the MAC long before you
process the first record, because it is part of the Connection state:

  http://tools.ietf.org/html/rfc2246#section-6.1

   MAC algorithm
       An algorithm to be used for message authentication. This
       specification includes the size of the hash which is returned by
       the MAC algorithm.

Since compression algorithms other than the null compression will
usually have an output size different from the plaintext input size,
the size of the mac and the exact amount of padding is something
internal to the TLS record layer.  The caller above the record
layer doesn't need to know and doesn't need to care.


> 
> Finally, encrypt-then-mac allows detection of tampering in an earlier
> stage, which is a plus in my books.

This is entirely irrelevant in the real world (for TLS).
You have to successfully go through a full TLS handshake before you can
mess around here, and the public key stuff during the full handshake
is so much harder on the honest server, that this is a lame argument.


> 
> > The fact that GHASH must be encrypted is sufficient proof that an
> > encrypted MAC provides a better safety margin than a plaintext MAC.
> 
> I don't think GHASH behaviour proves anything about HMACs,
> but please prove me wrong.

It does.  Why do you think that HMAC is better than a simple keyed hash?
because it doesn't make the output of the keyed hash directly accessible
to the attacker.  This immediately transcends from the definition of HMAC,

  http://tools.ietf.org/html/rfc2104#section-2

  H(K XOR opad, H(K XOR ipad, text))

and the rationale behind HMAC:

  http://tools.ietf.org/html/rfc2104#section-6

   6. Security

   The security of the message authentication mechanism presented here
   depends on cryptographic properties of the hash function H: the
   resistance to collision finding (limited to the case where the
   initial value is secret and random, and where the output of the
   function is not explicitly available to the attacker)

The "output of the function that is not explicitly available to the attacker"
is the output of the inner Hash function of the HMAC function.

It has the exact same output size as the output of the outer hash function.
Under given the assumption that H is "collision resistant", the outer
Hash-function of HMAC is equivalent to a symmetric encryption of
a block cipher with the blocksize of the hash size and the key "K".

Encrypting this the HMAC output again with a symmetric block cipher
is not going to weaken the resulting strength, but may strengthen it
when the properties of H are not as good as one might like.


> 
> > MAC in the clear is only safe when the MAC algorithm is sufficiently
> > close to perfect.  We know painfully well that our hash algorithms
> > are *not* perfect, so I'm against taking chances, in particular
> > for the GenericBlockCipher PDU.
> 
> But in a VERY hypothetical case where attacks to some HMAC is found,
> we would have no idea how it affects TLS without further analysis,
> using it in a standard way would at least give more information about
> what is broken. And of course HMAC is not just a hash.

The security of HMAC is vitally dependent on the security of the underlying
hash function.

IIRC, The first weakness demonstrated for MD5 (by Dobbertin) were
modifications of two bits that cancelled each other out for a
specific internal state of the MD5 hash.  Later, methods were discovered
to compute two plaintexts that will have the same hash result for
arbitrary internal state.

What would be devastating for pad-encrypt-hmac is when a method was found
to find bit modifications that cancel each other out with little or no
dependence on the internal state of the hash.  This would immediately
and seriously affect all pad-encrypt-hmac schemes with that hash, the AEAD
and GenericStreamCipher schemes independent of encrypt-mac or mac-encrypt.

GenericBlockCipher with pad-mac-encrypt will be significantly less
impacted, because flipping specific bits on the plaintext (the data
that is mac'ed in pad-mac-encrypt) will only be possible if the
BlockCipher is broken as well.


-Martin