Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

"Christian Kahlo" <christian.kahlo@ageto.net> Mon, 23 September 2013 12:50 UTC

Return-Path: <christian.kahlo@ageto.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1844C21F8423 for <tls@ietfa.amsl.com>; Mon, 23 Sep 2013 05:50:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.066
X-Spam-Level:
X-Spam-Status: No, score=-3.066 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_URI_OEM=0.533]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3iIroiIrnK89 for <tls@ietfa.amsl.com>; Mon, 23 Sep 2013 05:50:06 -0700 (PDT)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id E4BA821F9EB5 for <tls@ietf.org>; Mon, 23 Sep 2013 05:50:04 -0700 (PDT)
Received: by mail-bk0-f44.google.com with SMTP id mz10so1186049bkb.3 for <tls@ietf.org>; Mon, 23 Sep 2013 05:50:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:reply-to:from:to:cc:references:in-reply-to :subject:date:organization:message-id:mime-version:content-type :content-transfer-encoding:thread-index:content-language; bh=JO7U94VMQdvt/zHRdk8yBQ1whu2Fty3vaQBSFJSXzcg=; b=VsCisIUWC6xIaAeRpxXG5Kyzai0POVI6kIwrXOXLaPyx7FkHwf/ymxcv9SRjN4W8IJ wr3pRpeAdtHTTdbpcMOd/QPm47moJnHiDAqbgxeOAFgn1uvkPGpK3J7RMz4OQ4floe1c KSdDrCjASi9GTUuTse5ER+xH+mvodqhwZuLnSl1XsJlL2MrG/kzESjo5z4a+ngX0jwQq wGus+agjnebvFUz2Hhew4fCne3DdodyAo2lLmv4KDRHyxAoG8bjsvgsK/yJYRmFBZKoI dYmDiJeA2nB2+cSJRtWF7Kxyl06EIIoKSm/9mCcka1o9wSnRRH+BXtDGBOx0833h7YdD YP4g==
X-Gm-Message-State: ALoCoQl3m/HNhKkJGqq5tThtCUm1x1U43iu2vSjhObqA09gPdQhzQ72J3T/8DLARs/+ad3YKNNUm
X-Received: by 10.205.76.133 with SMTP id ze5mr286048bkb.37.1379940603448; Mon, 23 Sep 2013 05:50:03 -0700 (PDT)
Received: from THINK2 (cable-82-119-12-81.cust.telecolumbus.net. [82.119.12.81]) by mx.google.com with ESMTPSA id nv4sm8663372bkb.3.1969.12.31.16.00.00 (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Mon, 23 Sep 2013 05:50:02 -0700 (PDT)
From: "Christian Kahlo" <christian.kahlo@ageto.net>
To: "'Nikos Mavrogiannopoulos'" <nmav@gnutls.org>, <tls@ietf.org>
References: <CABcZeBN+0hX1-cb0V4AyaO3FrwaGrtjbRO3BGOV0KBSjRkNwkw@mail.gmail.com> <523c738f.0733cc0a.41a0.3096@mx.google.com> <523F383A.20803@drh-consultancy.co.uk> <523FE7B6.10501@gnutls.org>
In-Reply-To: <523FE7B6.10501@gnutls.org>
Date: Mon, 23 Sep 2013 14:50:07 +0200
Organization: AGETO Innovation GmbH
Message-ID: <524038fa.c402cd0a.127a.ffffc841@mx.google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac64Kw6yuxSnT91ZT7WZgfNnfC1+5QALsRaQ
Content-Language: de
X-Mailman-Approved-At: Mon, 23 Sep 2013 08:46:02 -0700
Cc: 'Team Neuer Personalausweis' <npa@ageto.net>
Subject: Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: c.kahlo@ageto.net
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2013 12:50:12 -0000

Nikos,

> > This has some interesting parallels with FIPS 140-2. Currently the
> only approved
> > symmetric algorithms for FIPS 140-2 and TLS are AES-GCM, AES-CBC and
> DES3-CBC.
> > If you can't deploy TLS 1.2 you're then stuck with CBC.
> [...]
> > spec, as it doesn't need any new algorithms, could be
> > deployed as soon as it is approved.
> >
> > I'm not saying that we don't approve new algorithms and ciphers
> suites. I'm
> > saying we need ETM as well.
> 
> What we need is a solution for the issue with the unauthenticated
> padding in the CBC ciphersuites. ETM is not the only way to solve the
> issue, and even if it is used, it would be highly recommendable to
> follow the existing good practices. TLS isn't the first protocol to use
> this mode, thus there isn't a need to innovate.

maybe you want to read http://cseweb.ucsd.edu/~mihir/papers/oem.pdf
and http://www.iacr.org/archive/crypto2001/21390309.pdf.
Both mentioned within this thread:
http://crypto.stackexchange.com/questions/202/should-we-mac-then-encrypt-or-
encrypt-then-mac

Please tell us which protocols are still using Mac-then-Encrypt today
without running into any security trouble (esp. chosen ciphertext
attacks). MtE is considered as a design fail by many researchers.

As we discussed earlier AEAD might be a solution, but AEAD is not the
only one. I would encourage everbody to also have a look into
ISO7816-4 secure messaging. That's the way most electronic ID cards,
electronic purse cards, credit cards, small HSMs, etc. do communicate.
And now think about that there's a reason for that it's an EtM-
scheme.

Sorry, your attitude "there isn't a need to innovate" sounds
somewhat unfamiliar with cryptographic primitives to me.

Cheers,
Christian