Re: [TLS] Decryption_failed alert in TLS 1.1
<Pasi.Eronen@nokia.com> Fri, 25 September 2009 07:19 UTC
Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 95F5D3A68B7 for <tls@core3.amsl.com>; Fri, 25 Sep 2009 00:19:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.446
X-Spam-Level:
X-Spam-Status: No, score=-6.446 tagged_above=-999 required=5 tests=[AWL=0.153, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KyihmBXphx25 for <tls@core3.amsl.com>; Fri, 25 Sep 2009 00:19:31 -0700 (PDT)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134]) by core3.amsl.com (Postfix) with ESMTP id 612CA3A6894 for <tls@ietf.org>; Fri, 25 Sep 2009 00:19:31 -0700 (PDT)
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-mx09.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id n8P7JDER021189; Fri, 25 Sep 2009 02:19:50 -0500
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 25 Sep 2009 10:20:00 +0300
Received: from smtp.mgd.nokia.com ([65.54.30.6]) by vaebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Fri, 25 Sep 2009 10:19:47 +0300
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by nok-am1mhub-02.mgdnok.nokia.com ([65.54.30.6]) with mapi; Fri, 25 Sep 2009 09:19:46 +0200
From: Pasi.Eronen@nokia.com
To: ekr@networkresonance.com
Date: Fri, 25 Sep 2009 09:19:46 +0200
Thread-Topic: [TLS] Decryption_failed alert in TLS 1.1
Thread-Index: AcnJsYvQ+I/CT+uWReiAwKtlCgEV7hz/oICA
Message-ID: <808FD6E27AD4884E94820BC333B2DB773C096DD1FA@NOK-EUMSG-01.mgdnok.nokia.com>
References: <808FD6E27AD4884E94820BC333B2DB7727F24D50BE@NOK-EUMSG-01.mgdnok.nokia.com> <20090430163727.17D9A194FC4@kilo.networkresonance.com>
In-Reply-To: <20090430163727.17D9A194FC4@kilo.networkresonance.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 25 Sep 2009 07:19:47.0631 (UTC) FILETIME=[903373F0:01CA3DB0]
X-Nokia-AV: Clean
Cc: tls@ietf.org
Subject: Re: [TLS] Decryption_failed alert in TLS 1.1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Sep 2009 07:19:32 -0000
(catching up on some messages I hadn't replied to yet..) Thanks for the clarification, Eric! I have now split off this issue to a separate Errata ID (all the other issues in #117 are editorial): http://www.rfc-editor.org/errata_search.php?eid=1896 The errata text now says: Section 7.2.2 says: decryption_failed This alert MAY be returned if a TLSCiphertext decrypted in an invalid way: either it wasn't an even multiple of the block length, or its padding values, when checked, weren't correct. This message is always fatal. Note: Differentiating between bad_record_mac and decryption_failed alerts may permit certain attacks against CBC mode as used in TLS [CBCATT]. It is preferable to uniformly use the bad_record_mac alert to hide the specific type of the error. It should say: decryption_failed This alert was used in TLS version 1.0, and MUST NOT be sent in TLS 1.1. Note: Differentiating between bad_record_mac and decryption_failed alerts may have permitted certain attacks against CBC mode as used in TLS 1.0 [CBCATT]. It is preferable to uniformly use the bad_record_mac alert to hide the specific type of the error. Notes: (split off from Errata ID 117 ) The original text contradicted the text for bad_record_mac ("This alert also MUST be returned if an alert is sent because a TLSCiphertext decrypted in an invalid way"). Unless I hear any objections soon, I will mark this as "Verified", and Errata ID 117 as "Held for Document Update". Best regards, Pasi > -----Original Message----- > From: ext Eric Rescorla [mailto:ekr@networkresonance.com] > Sent: 30 April, 2009 19:37 > To: Eronen Pasi (Nokia-NRC/Helsinki) > Cc: tls@ietf.org > Subject: Re: [TLS] Decryption_failed alert in TLS 1.1 > > At Thu, 30 Apr 2009 11:41:45 +0200, > <Pasi.Eronen@nokia.com> wrote: > > > > Hi, > > > > I'm going through unverified errata for various SEC area RFCs, > > and came to errata ID 117 for RFC 4346 (TLS 1.1), available > > from here: > > > > http://www.rfc-editor.org/errata_search.php?rfc=4346 > > > > Currently, Section 7.2.2 of RFC 4346 says: > > > > bad_record_mac > > This alert is returned if a record is received with an > incorrect > > MAC. This alert also MUST be returned if an alert is sent > because > > a TLSCiphertext decrypted in an invalid way: either it wasn't > an > > even multiple of the block length, or its padding values, when > > checked, weren't correct. This message is always fatal. > > > > and then continues: > > > > decryption_failed > > This alert MAY be returned if a TLSCiphertext decrypted in an > > invalid way: either it wasn't an even multiple of the block > > length, or its padding values, when checked, weren't correct. > > This message is always fatal. > > > > Note: Differentiating between bad_record_mac and decryption_failed > > alerts may permit certain attacks against CBC mode as used > in > > TLS [CBCATT]. It is preferable to uniformly use the > > bad_record_mac alert to hide the specific type of the error. > > > > These two contradict each other; it first says "bad_record_mac MUST > be > > sent", but then says decryption_failed "MAY be returned", and using > > bad_record_mac is "preferable". > > > > Does anyone recall what the intent here was? Early drafts (until -09) > > said "bad_record_mac SHOULD be returned", but that was later changed > > to "MUST". Should the errata fix this to something like this? > > > > decryption_failed > > This alert was used in TLS 1.0 if a TLSCiphertext decrypted > > in an invalid way. It MUST NOT be sent in TLS 1.1. > > > > (TLS 1.2 is very clear about this; decryption_failed MUST NOT > > be sent.) > > Yeah, I think we just did s/SHOULD/MUST/ and didn't remove the > corresponding MAY > > -Ekr
- [TLS] Decryption_failed alert in TLS 1.1 Pasi.Eronen
- Re: [TLS] Decryption_failed alert in TLS 1.1 Eric Rescorla
- Re: [TLS] Decryption_failed alert in TLS 1.1 Pasi.Eronen
- Re: [TLS] Decryption_failed alert in TLS 1.1 Pasi.Eronen