Re: [TLS] TLS1.3
mrex@sap.com (Martin Rex) Mon, 11 February 2013 15:29 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A18321F8920 for <tls@ietfa.amsl.com>; Mon, 11 Feb 2013 07:29:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.993
X-Spam-Level:
X-Spam-Status: No, score=-9.993 tagged_above=-999 required=5 tests=[AWL=-0.344, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xsw2AQDW9mIG for <tls@ietfa.amsl.com>; Mon, 11 Feb 2013 07:29:44 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 6C16621F8891 for <tls@ietf.org>; Mon, 11 Feb 2013 07:29:43 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r1BFTZl9025649 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 11 Feb 2013 16:29:35 +0100 (MET)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C7333400716@uxcn10-2.UoA.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Mon, 11 Feb 2013 16:29:34 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130211152934.ED58A1A542@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Feb 2013 15:29:45 -0000
Peter Gutmann wrote: > Martin Rex <mrex@sap.com> writes: > > > >Personally, I also feel somewhat uncomfortable with a "radical" change to > >encrypt-then-MAC rather than the simply using the obvious pad-MAC-encrypt, as > >originally suggested by Serge Vaudenay. > > It's hardly a radical change, in terms of code complexity (at least in my > code) it came down to (comments and error checking removed) this: > > checkMacTLS( sessionInfoPtr, data, length, length - sessionInfoPtr->authBlocksize, packetType ); > decryptData( sessionInfoPtr, data, length - sessionInfoPtr->authBlocksize, &length ); > > In other words I swapped two lines of code. But this sounds like your changing the semantics for all ciphersuites, including the GenericStreamCipher PDU, which includes ciphers such as TLS_RSA_WITH_RC4_128_MD5, and AEAD ciphersuites. Personally, I would prefer to limit this change to the processing of the GenericBlockCipher PDU of TLS. > > >When the encryption scheme that is used is bijective, then it will not matter > >(to the confidentiality of the encryption) whether AtE or EtA is used, as > >long as authentication covers the exact same information in both cases, i.e. > >*ALL* of it, padding included. > > However you do need to to MAC the IV. Correct. > If you treat it as part of the ciphertext then it's trivial, > MAC the entire packet in its bits-on-the-wire > form. If you're MAC'ing the plaintext then you need to special-case the IV > vs. the plaintext and suddenly you're adding all sorts of kludgery to handle > that. Authenticating the exact bits on the wire is both cleaner conceptually/ > security-wise (you're authenticating the exact data that the attacker has > access to, not some bits as seen by the attacker and some bits as seen by you > after further processing), and implementation-wise (you just swap the bits of > code that do auth. vs. encrypt). To quote Kenny Paterson's recent message: > > It fixes every problem I can conceive of. And I've thought about the > analysis of TLS's current MAC-pad-encrypt construction long and hard, > believe me. > > That's pretty unambiguous. > > >However, in the EtA scheme, we would have a naked keyed hash. And would an > >attack on the keyed hash become somehow feasible, that attack might be easier > >on a naked keyed hash than on an encrypted keyed hash. > > That's going to be pretty unlikely, if someone can break HMAC then we've got > more serious things to worry about than forging of TLS packets. I would really hate having to add a black-list of cipher suites that must not be used with the new scheme (such as TLS_RSA_WITH_RC4_128_MD5) in a few years, when it turns out that an HMAC-MD5 is too weak. -Martin
- Re: [TLS] TLS1.3 Peter Gutmann
- [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Eric Rescorla
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Eric Rescorla
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Dan Harkins
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 David McGrew (mcgrew)
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Nico Williams
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Russ Housley
- Re: [TLS] TLS1.3 Wan-Teh Chang
- Re: [TLS] TLS1.3 Scott Schmit
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Scott Schmit
- Re: [TLS] TLS1.3 Peter Gutmann