[TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

Eric Rescorla <ekr@rtfm.com> Fri, 20 September 2013 15:53 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 20 Sep 2013 08:52:58 -0700
Message-ID: <CABcZeBN+0hX1-cb0V4AyaO3FrwaGrtjbRO3BGOV0KBSjRkNwkw@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>


After reviewing this document I have a few comments/questions:

- Because this draft relies on extensions, it seems not to resist
  active attack when clients do insecure version fallback
  (see for instance:
  The existing attacks appear to principally be active attacks on the
  environment, which is where fallback tends to happen.

- Maybe I am misreading the draft, but I'm unclear on how you get
  the TLSCompressed.length for the MAC computation in Section 3.
  Does this have the same issue as was raised for McGrew's CBC AEAD

Am I missing something here?
