Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
mrex@sap.com (Martin Rex) Fri, 29 November 2013 23:08 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 896FD1AE04D for <tls@ietfa.amsl.com>; Fri, 29 Nov 2013 15:08:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.252
X-Spam-Level:
X-Spam-Status: No, score=-6.252 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GY1iwzaWvvET for <tls@ietfa.amsl.com>; Fri, 29 Nov 2013 15:08:03 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 47ADB1AD937 for <tls@ietf.org>; Fri, 29 Nov 2013 15:08:03 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id rATN7osS013930 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 30 Nov 2013 00:07:50 +0100 (MET)
In-Reply-To: <073259DE-D4EB-4229-945D-97CD5AF50A3C@iki.fi>
To: Juho Vähä-Herttua <juhovh@iki.fi>
Date: Sat, 30 Nov 2013 00:07:49 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20131129230749.E124B1AB10@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "<tls@ietf.org>" <tls@ietf.org>, Nikos Mavrogiannopoulos <nmav@gnutls.org>, Peter Gutmann <p.gutmann@auckland.ac.nz>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2013 23:08:05 -0000
Juho Vähä-Herttua wrote: > > mrex@sap.com (Martin Rex) wrote: > > > > I'm from the "don't-fix-it-if-it-ain't-broken" camp. > > And the less code needs to be changed to adopt some useful feature, > > the more likely you will see it being adopted for patches/maintenance. > > I have seen *ZERO* compelling reason for switching to encrypt-then-mac > > in TLS. And I'm not aware of *ANY* reason why we should touch/change > > the GenericStreamCipher processing (which Peter's proposal does). > > I'm trying to explain my reasoning. First of all HMACs are designed > to authenticate data safely, but encrypting them adds an unknown > factor to the calculation. Why not just use them as they are > supposed to be used. There is nothing "unknown" about encryption, and certainly it will not dillute the MAC (unless you come up with a bogus encryption scheme that is not bijective--i.e. expands the data during encryption. Keep in mind that encrypted MAC is what SSL&TLS have always been doing, and what a number of implementations will continue to be doing for many years to come. If this had been the other way round, i.e. SSLv3 and TLS had been using encrypt-then-mac, then I would not be asking to change it _unless_ a _real_ problem was demonstrated, and for the very same reasons (don't fix it if it ain't broken, smaller code changes are more likely to get adopted during maintenance). > > For me it is much more intuitive to do pad-encrypt-mac compared to attack > resistant pad-mac-encrypt. In current TLS spec you can give the > plaintext+HMAC to the encryptor as is and let it handle the padding. In current TLS, you pass the plaintext to the record layer, and the record layer will pipe it thorugh the compression function and pass it to the pad+mac+encrypt function. > > The same is true for encrypt-then-mac, just give the plaintext to the > encryptor (either CBC or stream) and let it handle the padding. > But in pad-mac-encrypt you have to know the length of the MAC before > you actually calculate the MAC and add it manually! This is counter > intuitive. Actually, in TLS you have to _know_ the size of the MAC long before you process the first record, because it is part of the Connection state: http://tools.ietf.org/html/rfc2246#section-6.1 MAC algorithm An algorithm to be used for message authentication. This specification includes the size of the hash which is returned by the MAC algorithm. Since compression algorithms other than the null compression will usually have an output size different from the plaintext input size, the size of the mac and the exact amount of padding is something internal to the TLS record layer. The caller above the record layer doesn't need to know and doesn't need to care. > > Finally, encrypt-then-mac allows detection of tampering in an earlier > stage, which is a plus in my books. This is entirely irrelevant in the real world (for TLS). You have to successfully go through a full TLS handshake before you can mess around here, and the public key stuff during the full handshake is so much harder on the honest server, that this is a lame argument. > > > The fact that GHASH must be encrypted is sufficient proof that an > > encrypted MAC provides a better safety margin than a plaintext MAC. > > I don't think GHASH behaviour proves anything about HMACs, > but please prove me wrong. It does. Why do you think that HMAC is better than a simple keyed hash? because it doesn't make the output of the keyed hash directly accessible to the attacker. This immediately transcends from the definition of HMAC, http://tools.ietf.org/html/rfc2104#section-2 H(K XOR opad, H(K XOR ipad, text)) and the rationale behind HMAC: http://tools.ietf.org/html/rfc2104#section-6 6. Security The security of the message authentication mechanism presented here depends on cryptographic properties of the hash function H: the resistance to collision finding (limited to the case where the initial value is secret and random, and where the output of the function is not explicitly available to the attacker) The "output of the function that is not explicitly available to the attacker" is the output of the inner Hash function of the HMAC function. It has the exact same output size as the output of the outer hash function. Under given the assumption that H is "collision resistant", the outer Hash-function of HMAC is equivalent to a symmetric encryption of a block cipher with the blocksize of the hash size and the key "K". Encrypting this the HMAC output again with a symmetric block cipher is not going to weaken the resulting strength, but may strengthen it when the properties of H are not as good as one might like. > > > MAC in the clear is only safe when the MAC algorithm is sufficiently > > close to perfect. We know painfully well that our hash algorithms > > are *not* perfect, so I'm against taking chances, in particular > > for the GenericBlockCipher PDU. > > But in a VERY hypothetical case where attacks to some HMAC is found, > we would have no idea how it affects TLS without further analysis, > using it in a standard way would at least give more information about > what is broken. And of course HMAC is not just a hash. The security of HMAC is vitally dependent on the security of the underlying hash function. IIRC, The first weakness demonstrated for MD5 (by Dobbertin) were modifications of two bits that cancelled each other out for a specific internal state of the MD5 hash. Later, methods were discovered to compute two plaintexts that will have the same hash result for arbitrary internal state. What would be devastating for pad-encrypt-hmac is when a method was found to find bit modifications that cancel each other out with little or no dependence on the internal state of the hash. This would immediately and seriously affect all pad-encrypt-hmac schemes with that hash, the AEAD and GenericStreamCipher schemes independent of encrypt-mac or mac-encrypt. GenericBlockCipher with pad-mac-encrypt will be significantly less impacted, because flipping specific bits on the plaintext (the data that is mac'ed in pad-mac-encrypt) will only be possible if the BlockCipher is broken as well. -Martin
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Peter Gutmann
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Eric Rescorla
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Juho Vähä-Herttua
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Bodo Moeller
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Bodo Moeller
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Juho Vähä-Herttua
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Robert Ransom
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Juho Vähä-Herttua
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Taylor Hornby
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Alfredo Pironti
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Alfredo Pironti
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Alfredo Pironti
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Wan-Teh Chang
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Peter Gutmann
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Peter Gutmann
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Peter Gutmann
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Peter Gutmann
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Trevor Perrin
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd