Re: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can't be used as TLS 1.2 AEAD ciphers

Wan-Teh Chang <wtc@google.com> Wed, 28 August 2013 17:48 UTC

In-Reply-To: <1377638822.4027.228.camel@darkstar>
References: <CALTJjxEjN04jfCb=mjo1ZWPvgX_sw0Dw6v+AMPKdXp=9BbCxow@mail.gmail.com> <5215102B.30200@cisco.com> <1377638822.4027.228.camel@darkstar>
Message-ID: <CALTJjxGg+FMrd61kAtvvy0L2utv0f6HAZKWN6HqdC4CMTXRj4A@mail.gmail.com>
To: David McGrew <mcgrew@cisco.com>
Cc: John Foley <foleyj@cisco.com>, "tls@ietf.org" <tls@ietf.org>, Ryan Sleevi <sleevi@google.com>

Hi David,

Thank you for your reply and suggestions.

Re: CTS: I agree with John that adding CTS would be the opposite of the
reason for the existence of draft-mcgrew-aead-aes-cbc-hmac-sha2, because
CTS is not widely deployed.

I am more interested in figuring out how TLS can use an AEAD algorithm
that obscures the plaintext length. Consider the additional_data in
TLS 1.2:

   The additional authenticated data, which we denote as
   additional_data, is defined as follows:

      additional_data = seq_num + TLSCompressed.type +
                        TLSCompressed.version + TLSCompressed.length;

The plaintext length (TLSCompressed.length) is the problematic part.
Since the authentication tag of an AEAD algorithm should already cover
either the plaintext length or the ciphertext length, it seems that we
can safely remove TLSCompressed.version from additional_data. We can
consider making this change in TLS 1.3.

Wan-Teh Chang
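The structural problem the message describes, shown as an added example that is not part of this thread or of the draft: a TLS 1.2 receiver only sees TLSCiphertext.length on the wire and must derive TLSCompressed.length for the RFC 5246 additional_data by assuming a fixed ciphertext expansion, so an AEAD that pads (hides) the plaintext length produces a tag that the receiver can never verify. The AEAD below is a constructed toy (HMAC-SHA256 keystream plus an encrypt-then-MAC tag), not a real cipher; the function names, the fixed key and nonce, and the padding scheme are all my own assumptions for the demonstration. The last function also shows that once the tag covers the ciphertext, dropping the length field from the additional data does not lose length binding: truncating the record is still detected.

```python
import hashlib
import hmac
import struct

# Constructed toy AEAD for illustration only (not a real cipher, not the draft's construction):
#   keystream = HMAC-SHA256(key, nonce || counter)
#   tag       = HMAC-SHA256(key, aad || nonce || ciphertext)
NONCE_LEN = 8   # explicit per-record nonce, as in TLS 1.2 AEAD cipher suites
TAG_LEN = 32


def _keystream(key, nonce, length):
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def toy_aead_seal(key, nonce, aad, plaintext, pad_to=0):
    """Encrypt-then-MAC. pad_to > 0 pads the plaintext to a multiple of pad_to
    bytes (each pad byte holds pad_len - 1), which hides the plaintext length."""
    if pad_to:
        pad = pad_to - (len(plaintext) % pad_to)          # always 1..pad_to bytes
        plaintext = plaintext + bytes([pad - 1]) * pad
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_aead_open(key, aad, sealed, padded=False):
    """Returns the plaintext, or None if the tag does not verify under this aad."""
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return pt[:-(pt[-1] + 1)] if padded else pt


def tls12_additional_data(seq_num, content_type, version, compressed_length):
    """RFC 5246 6.2.3.3: seq_num(8) || type(1) || version(2) || TLSCompressed.length(2)."""
    return struct.pack(">QBHH", seq_num, content_type, version, compressed_length)


def receiver_aad_rfc5246(seq_num, content_type, version, ciphertext_length):
    """The receiver only knows TLSCiphertext.length; it recovers TLSCompressed.length
    by assuming the AEAD adds exactly nonce + tag bytes (a fixed expansion)."""
    return tls12_additional_data(seq_num, content_type, version,
                                 ciphertext_length - NONCE_LEN - TAG_LEN)


def aad_without_length(seq_num, content_type, version):
    """Hypothetical variant: the length field the message calls problematic is dropped."""
    return struct.pack(">QBH", seq_num, content_type, version)


# Constructed demo parameters: a fixed key and nonce are fine here because only
# one record is ever sealed; real TLS needs a unique nonce per record.
_KEY = b"k" * 32
_NONCE = b"\x00" * 7 + b"\x01"
_SEQ, _TYPE, _VERSION = 5, 23, 0x0303          # application_data, TLS 1.2
_PLAINTEXT = b"GET / HTTP/1.1\r\n"


def demo_rfc5246_aad(pad_to):
    """Sender builds the RFC 5246 AAD from the real plaintext length; the receiver
    rebuilds it from the wire length. Works only if the AEAD has fixed expansion."""
    aad_send = tls12_additional_data(_SEQ, _TYPE, _VERSION, len(_PLAINTEXT))
    record = toy_aead_seal(_KEY, _NONCE, aad_send, _PLAINTEXT, pad_to=pad_to)
    aad_recv = receiver_aad_rfc5246(_SEQ, _TYPE, _VERSION, len(record))
    return toy_aead_open(_KEY, aad_recv, record, padded=bool(pad_to)) == _PLAINTEXT


def demo_length_free_aad(pad_to):
    """With the length field removed, both sides derive the same AAD regardless of padding."""
    aad = aad_without_length(_SEQ, _TYPE, _VERSION)
    record = toy_aead_seal(_KEY, _NONCE, aad, _PLAINTEXT, pad_to=pad_to)
    return toy_aead_open(_KEY, aad, record, padded=bool(pad_to)) == _PLAINTEXT


def truncation_is_detected():
    """The tag covers the ciphertext, so the record length is still authenticated."""
    aad = aad_without_length(_SEQ, _TYPE, _VERSION)
    record = toy_aead_seal(_KEY, _NONCE, aad, _PLAINTEXT, pad_to=16)
    return toy_aead_open(_KEY, aad, record[:-1], padded=True) is None


if __name__ == "__main__":
    print("RFC 5246 AAD, fixed expansion:  ", demo_rfc5246_aad(0))      # True
    print("RFC 5246 AAD, length-hiding AEAD:", demo_rfc5246_aad(16))    # False
    print("length-free AAD, length-hiding: ", demo_length_free_aad(16)) # True
    print("truncation detected:            ", truncation_is_detected()) # True
```

The failing case is not a bug in the toy cipher but in the framing: the receiver cannot form the AAD without knowing a value that the length-hiding AEAD is designed to conceal, and it must not decrypt first to learn it, because that would mean processing data before its tag has been checked.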