Re: [TLS] Spec tls13 comments, handshake tampering, mitigation, counter/seq_no predictability: WAS: Do we need DH?
Michael Clark <michael@metaparadigm.com> Wed, 07 January 2015 00:29 UTC
Return-Path: <michael@metaparadigm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 162FE1A8830 for <tls@ietfa.amsl.com>; Tue, 6 Jan 2015 16:29:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Level:
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eLgYK9iKMdnq for <tls@ietfa.amsl.com>; Tue, 6 Jan 2015 16:29:14 -0800 (PST)
Received: from klaatu.metaparadigm.com (klaatu.metaparadigm.com [67.207.128.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 805211A882D for <tls@ietf.org>; Tue, 6 Jan 2015 16:29:14 -0800 (PST)
Received: from monty.local (unknown.maxonline.com.sg [58.182.90.50] (may be forged)) (authenticated bits=0) by klaatu.metaparadigm.com (8.14.4/8.14.4/Debian-4) with ESMTP id t070ocji006933 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <tls@ietf.org>; Wed, 7 Jan 2015 00:50:41 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=metaparadigm.com; s=klaatu; t=1420591843; bh=9KNn0RdZ+pdyANtC5hWrJCLrLdoDqx3QuswAumCGpG4=; h=Date:From:To:Subject:References:In-Reply-To:From; b=YNsGlmzLySKxPHF6sxD797i/spuHUOHrGmuKv5W9AmaFIApcEXYOu9Vx+aDA6CwvF PgrkehJoCyTY+OrdCXCw6SSaEoRNHp8nLxr+5iXOgqupW2GdLku6aIpFB436EEJNGM sGD0s1m1gsTA/1jYSk8rz0yXyDwJL/lmDgUGRwT8=
Message-ID: <54AC7DCF.6070302@metaparadigm.com>
Date: Wed, 07 Jan 2015 08:29:03 +0800
From: Michael Clark <michael@metaparadigm.com>
Organization: Metaparadigm Pte Ltd
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CACsn0cmD=YA4i889f--e_b-OahUVoYdKyQUaiUN--QKOmqn8uA@mail.gmail.com> <54A252EA.1010905@iki.fi> <2348107.Lj21YcAO1u@pintsize.usersys.redhat.com> <DF638EB0-A163-4DBD-B095-43EEDA4D9DB1@gmail.com> <54ABE1D2.7090601@metaparadigm.com>
In-Reply-To: <54ABE1D2.7090601@metaparadigm.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.98.4 at klaatu.metaparadigm.com
X-Virus-Status: Clean
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/VPrisYM2AIjrqQeahw1umUAY-gM
Subject: Re: [TLS] Spec tls13 comments, handshake tampering, mitigation, counter/seq_no predictability: WAS: Do we need DH?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jan 2015 00:29:16 -0000
> tls_record_protection_algorithm, length=11 > tls_aead_aead_null, tls_ssf56, aes_gcm, 128, hmac_null, > tls_aead_aead_null, tls_ssf56, aes_ccm, 128, hmac_null, > tls_aead_aead_null, tls_ssf56, camellia_gcm, 128, hmac_null, > tls_aead_aead_null, tls_ssf112, aes_gcm, 256, hmac_null, > tls_aead_aead_null, tls_ssf112, aes_ccm, 256, hmac_null, > tls_aead_aead_null, tls_ssf112, camellia_gcm, 256, hmac_null, > tls_aead_aead_null, tls_ssf112, chacha20_poly1305, 256, hmac_null, > tls_aead_aead_etm, tls_ssf168, aes_gcm, 256, hmac_sha2_256, > tls_aead_aead_etm, tls_ssf168, aes_ccm, 256, hmac_sha2_256, > tls_aead_aead_etm, tls_ssf168, camellia_gcm, 256, hmac_sha2_256, > tls_aead_aead_etm, tls_ssf168, chacha20_poly1305, 256, hmac_sha2_256, These ciphers are essentially the four AEAD ciphers that have existing IETF RFCs or drafts. CCM is a valid AEAD cipher choice and fits within the draft framework. However my earlier comment was that EAX (a NIST candidate) has complementary properties and a security proof. EAX2, the foundation for AES_EAX provides a generalized framework for Encypt-then-MAC i.e. EAX2[AES,OMAC2[AES]] I'm not attached to any of the ciphers and don't have an interest in CCM, other than having a choice of 3 AEAD ciphers, and one of them from NTT would be good. My conclusion on reading the literature was that EAX has better properties than CCM, despite its slightly longer key setup time (less then GCM) and equivalent performance to CCM. CCM is more like CBC mode with MAC whereas EAX is more like CTR mode (GCM) with IV increased entropy in the counter and the use of an alternative cipher based MAC, making it complementary to the current suite. AES_EAX has similar design properties to chacha20_poly1305 (poly1305 being a cipher based MAC based on AES security proof). This would be my revised list removing CCM and including the NTT alternative and chacha20_poly1305, both having IETF drafts (and losing interest in EAX): tls_record_protection_algorithm, length=8 tls_aead_aead_null, tls_ssf56, aes_gcm, 128, hmac_null, tls_aead_aead_null, tls_ssf56, camellia_gcm, 128, hmac_null, tls_aead_aead_null, tls_ssf112, aes_gcm, 256, hmac_null, tls_aead_aead_null, tls_ssf112, camellia_gcm, 256, hmac_null, tls_aead_aead_null, tls_ssf112, chacha20_poly1305, 256, hmac_null, tls_aead_aead_etm, tls_ssf168, aes_gcm, 256, hmac_sha2_256, tls_aead_aead_etm, tls_ssf168, camellia_gcm, 256, hmac_sha2_256, tls_aead_aead_etm, tls_ssf168, chacha20_poly1305, 256, hmac_sha2_256, 1). if there are no AEAD ciphers with > 128-bit MACS, what is the message forgery mitigation proposal for TLS application data? 2). is there consideration of an AEAD-ETM[null,hmac] for authentication of handshake messages? i.e. handshake forgery mitigation proposal. The random used for key derivation would need to be a constant AD on all handshake messages to mitigate against handshake tampering. i.e. authenticated handshake. AEAD-ETM[aaed-cipher,hmac] would fall out of adding authentication to the record protection layer and provide for extended authentication on application data. These were my main concerns for draft-tls13. The observation is that with the scope of global eCommerce, that handshake tampering capabilities provide more harm than good. It pays more to be merciful than mercenary when the core issue is protection of public data (business and consumer). It is a farcical stance to deny this protection if it is well known (as it is) that our eCommerce handshakes can be tampered with by *any* ISP in any jurisdiction (with or without the approval of various national affiliations). Michael Clark Independent.
- Re: [TLS] Do we need DH? Fedor Brunner
- Re: [TLS] Do we need DH? Tapio Sokura
- [TLS] Do we need DH? Watson Ladd
- Re: [TLS] Do we need DH? Alyssa Rowan
- Re: [TLS] Do we need DH? Yoav Nir
- Re: [TLS] Do we need DH? Peter Gutmann
- Re: [TLS] Do we need DH? Brian Smith
- Re: [TLS] Do we need DH? Maarten Bodewes
- Re: [TLS] Do we need DH? Hubert Kario
- Re: [TLS] Do we need DH? Yoav Nir
- Re: [TLS] Do we need DH? Alyssa Rowan
- Re: [TLS] Do we need DH? Nico Williams
- Re: [TLS] Do we need DH? Yoav Nir
- Re: [TLS] Do we need DH? Florian Weimer
- [TLS] Spec tls13 comments, handshake tampering, m… Michael Clark
- Re: [TLS] Spec tls13 comments, handshake tamperin… Michael Clark
- Re: [TLS] Spec tls13 comments, handshake tamperin… Nikos Mavrogiannopoulos