[TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can't be used as TLS 1.2 AEAD ciphers
Wan-Teh Chang <wtc@google.com> Wed, 21 August 2013 17:49 UTC
Return-Path: <wtc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2506D11E812D for <tls@ietfa.amsl.com>; Wed, 21 Aug 2013 10:49:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r5jHDiih5cvh for <tls@ietfa.amsl.com>; Wed, 21 Aug 2013 10:49:56 -0700 (PDT)
Received: from mail-qe0-x232.google.com (mail-qe0-x232.google.com [IPv6:2607:f8b0:400d:c02::232]) by ietfa.amsl.com (Postfix) with ESMTP id 8849311E810A for <tls@ietf.org>; Wed, 21 Aug 2013 10:49:56 -0700 (PDT)
Received: by mail-qe0-f50.google.com with SMTP id s14so447138qeb.23 for <tls@ietf.org>; Wed, 21 Aug 2013 10:49:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=EVCSICl9PakPdNRx57UhhzGKonSIgDLZsOKdDFNEcUI=; b=AgMi72J+Exh5z91jYtHh8cmr/Ke1Pj6EjL2Qc30AIX2/6zSTDtjal2FwNhuchFDVGV o1Cusa12crgYzro6TXYvyhyLA7JsazvzjvWtY6Jd7tpsWTxXloL+voPM4G1P70sta1BF pCGZIFxRi6AWZTRN0XYft+pEcYrv+fAPUX4Ld8u0V2Jt1xgQZKUDiR0In76k1pB5SZCo NqOPzigkoL7zK1kH+unwXT+EOvpTchGW/XO5qrpPWyjKkpuItOqiVmFX13fNsjJLbXiK 3RivJNX2KJ1iecwx8mAojCN4KdK1ANF4ih/m0+//ebptuDituug54C/zdnYVxR6abKx3 Vx4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc :content-type; bh=EVCSICl9PakPdNRx57UhhzGKonSIgDLZsOKdDFNEcUI=; b=VOUn+AqZstW7sF9jkt1uJk/RX4reAHu765oMPAfP0GXagnWq5Q3vVnF0cj/xvLHFCx mPfBJX+0kgN59Qb3m6k1pgxYHVE4dWopxQsnwi2pI7TKm8UyySVK6uiWrbKLDrbqtFsU NXsxhxgMjB827kX7ffWG1g6/Dm0A0kyOC2YkOSI2O6gWM2yeXqcXKZ3TdLBB9c8dF/Q0 vEf25TOWry8dbmZV0sy4D0R4AZ4G2ntVKqnp0dR/YjWP8RS95nkbw7EUyvnBZrbImuIY XzaGs8ncADLIdD8HzvqzPEZWOphWyvegpP3P1E8Yc8PBBYtASBHwaMokS7Ee8KiRh7T4 19bA==
X-Gm-Message-State: ALoCoQkINxTks9+bD+sV7sYmrEKYJpEqFLFiVUzFd7j2Ic01yODTnjOV3gDnysXxPxn8IKE8KyD5PUl3+24VSoWYt3TdztZdHfILE66ooMbj2tJ20Ahfy4CEl3arA7JgZTtZaojX6p7Gr3GA9z2gG6TqwIWCtvZYE33GGhxXrJqqnJQI2tA4aCaW1xft27Q+Ao6wuEk25Iyr
MIME-Version: 1.0
X-Received: by 10.229.171.134 with SMTP id h6mr2474306qcz.15.1377107395856; Wed, 21 Aug 2013 10:49:55 -0700 (PDT)
Received: by 10.229.154.20 with HTTP; Wed, 21 Aug 2013 10:49:55 -0700 (PDT)
Date: Wed, 21 Aug 2013 10:49:55 -0700
Message-ID: <CALTJjxEjN04jfCb=mjo1ZWPvgX_sw0Dw6v+AMPKdXp=9BbCxow@mail.gmail.com>
From: Wan-Teh Chang <wtc@google.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: foleyj@cisco.com, Ryan Sleevi <sleevi@google.com>
Subject: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can't be used as TLS 1.2 AEAD ciphers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 17:49:57 -0000
While reviewing the NSS patch for the AES-GCM TLS cipher suites, my
colleague Ryan Sleevi noticed that the AEAD algorithms defined in
draft-mcgrew-aead-aes-cbc-hmac-sha2 can't be used as TLS 1.2 AEAD
ciphers. The problem is how TLS 1.2 specifies the additional
authenticated data for AEAD ciphers:
RFC 5246 Section 6.2.3.3 says:
The plaintext is the TLSCompressed.fragment.
The additional authenticated data, which we denote as
additional_data, is defined as follows:
additional_data = seq_num + TLSCompressed.type +
TLSCompressed.version + TLSCompressed.length;
where "+" denotes concatenation.
So additional_data includes the length of the plaintext
(TLSCompressed.length). But a TLS 1.2 record only gives us the length
of the AEAD ciphertext. So the recipient needs to calculate the
plaintext's length using only the ciphertext.
This is difficult to do with the AEAD algorithms in
draft-mcgrew-aead-aes-cbc-hmac-sha2 because the amount of padding, and
therefore the plaintext length, is only known after CBC decryption.
Is this a known problem with TLS 1.2 AEAD ciphers?
Wan-Teh Chang
- [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can't b… Wan-Teh Chang
- Re: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can… Adam Langley
- Re: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can… John Foley
- Re: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can… Juho Vähä-Herttua
- Re: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can… David McGrew
- Re: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can… David McGrew
- Re: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can… Wan-Teh Chang
- Re: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can… John Foley
- Re: [TLS] draft-mcgrew-aead-aes-cbc-hmac-sha2 can… Dr Stephen Henson