Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

"Christian Kahlo" <> Mon, 23 September 2013 12:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1844C21F8423 for <>; Mon, 23 Sep 2013 05:50:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.066
X-Spam-Status: No, score=-3.066 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_URI_OEM=0.533]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3iIroiIrnK89 for <>; Mon, 23 Sep 2013 05:50:06 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id E4BA821F9EB5 for <>; Mon, 23 Sep 2013 05:50:04 -0700 (PDT)
Received: by with SMTP id mz10so1186049bkb.3 for <>; Mon, 23 Sep 2013 05:50:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:reply-to:from:to:cc:references:in-reply-to :subject:date:organization:message-id:mime-version:content-type :content-transfer-encoding:thread-index:content-language; bh=JO7U94VMQdvt/zHRdk8yBQ1whu2Fty3vaQBSFJSXzcg=; b=VsCisIUWC6xIaAeRpxXG5Kyzai0POVI6kIwrXOXLaPyx7FkHwf/ymxcv9SRjN4W8IJ wr3pRpeAdtHTTdbpcMOd/QPm47moJnHiDAqbgxeOAFgn1uvkPGpK3J7RMz4OQ4floe1c KSdDrCjASi9GTUuTse5ER+xH+mvodqhwZuLnSl1XsJlL2MrG/kzESjo5z4a+ngX0jwQq wGus+agjnebvFUz2Hhew4fCne3DdodyAo2lLmv4KDRHyxAoG8bjsvgsK/yJYRmFBZKoI dYmDiJeA2nB2+cSJRtWF7Kxyl06EIIoKSm/9mCcka1o9wSnRRH+BXtDGBOx0833h7YdD YP4g==
X-Gm-Message-State: ALoCoQl3m/HNhKkJGqq5tThtCUm1x1U43iu2vSjhObqA09gPdQhzQ72J3T/8DLARs/+ad3YKNNUm
X-Received: by with SMTP id ze5mr286048bkb.37.1379940603448; Mon, 23 Sep 2013 05:50:03 -0700 (PDT)
Received: from THINK2 ( []) by with ESMTPSA id nv4sm8663372bkb.3.1969. (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Mon, 23 Sep 2013 05:50:02 -0700 (PDT)
From: "Christian Kahlo" <>
To: "'Nikos Mavrogiannopoulos'" <>, <>
References: <> <> <> <>
In-Reply-To: <>
Date: Mon, 23 Sep 2013 14:50:07 +0200
Organization: AGETO Innovation GmbH
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac64Kw6yuxSnT91ZT7WZgfNnfC1+5QALsRaQ
Content-Language: de
X-Mailman-Approved-At: Mon, 23 Sep 2013 08:46:02 -0700
Cc: 'Team Neuer Personalausweis' <>
Subject: Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 23 Sep 2013 12:50:12 -0000


> > This has some interesting parallels with FIPS 140-2. Currently the
> only approved
> > symmetric algorithms for FIPS 140-2 and TLS are AES-GCM, AES-CBC and
> > If you can't deploy TLS 1.2 you're then stuck with CBC.
> [...]
> > spec, as it doesn't need any new algorithms, could be
> > deployed as soon as it is approved.
> >
> > I'm not saying that we don't approve new algorithms and ciphers
> suites. I'm
> > saying we need ETM as well.
> What we need is a solution for the issue with the unauthenticated
> padding in the CBC ciphersuites. ETM is not the only way to solve the
> issue, and even if it is used, it would be highly recommendable to
> follow the existing good practices. TLS isn't the first protocol to use
> this mode, thus there isn't a need to innovate.

maybe you want to read
Both mentioned within this thread:

Please tell us which protocols are still using Mac-then-Encrypt today
without running into any security trouble (esp. chosen ciphertext
attacks). MtE is considered as a design fail by many researchers.

As we discussed earlier AEAD might be a solution, but AEAD is not the
only one. I would encourage everbody to also have a look into
ISO7816-4 secure messaging. That's the way most electronic ID cards,
electronic purse cards, credit cards, small HSMs, etc. do communicate.
And now think about that there's a reason for that it's an EtM-

Sorry, your attitude "there isn't a need to innovate" sounds
somewhat unfamiliar with cryptographic primitives to me.