Re: [TLS] An SCSV to stop TLS fallback.
mrex@sap.com (Martin Rex) Sat, 07 December 2013 07:32 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 930AF1AE245 for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 23:32:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UchwABe6zCD8 for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 23:32:31 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 81B571AE04A for <tls@ietf.org>; Fri, 6 Dec 2013 23:32:31 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id rB77WPFY007102 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 7 Dec 2013 08:32:25 +0100 (MET)
In-Reply-To: <CACsn0c=EpWn5yB1Y2zjBywDmYJ2FeqJ0yBC+nuTSBmj1yWVQ+w@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 07 Dec 2013 08:32:25 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131207073225.0F79D1AB3B@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: IETF TLS WG <tls@ietf.org>
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Dec 2013 07:32:33 -0000
Watson Ladd wrote: > Martin Rex <mrex@sap.com> wrote: >> >> Btw. AES128-CBC-SHA1 is more secure than AES128-GCM/-CCM, so the only >> thing the client might be "loosing" is a little performance, and >> that AEAD can not currently be negotiated and used unless >> ClientHello.client_version is set to { 0x03, 0x03 } is a silly defect >> of the specification(s) that could be easily fixed. >> >> I am assuming you are discussing the modes as specified and >> implemented in TLS? In that case you are dead wrong. >> Lucky 13, BEAST, and even if we drop all that no protocol depending >> both on SHA1 and AES can be stronger than one depending >> on AES alone. >> >> Lucky 13 and BEAST are completely irrelevant for the majority >> of usage scenarios, and there's even a simple 1/(n-1) record splitting >> workaround for BEAST for those with paranoia. > > Paranoia is a requirement for this WG. TLSv1.1 and TLSv1.2 seem to have been developed without paranoia. The attack surface provided by mac-pad-encrypt rather than the obvious fix pad-mac-encrypt, which Lucky 13 exploited, was clearly pointed out by Serge Vaudenay in 2001, but completely ignored by the TLS WG in 2006 (TLSv1.1) and again in 2008 (TLSv1.2). Replacing the (rsa,md5+sha1) digitally-signed from SSLv3->TLSv1.1 with (rsa,sha1) or (rsa,md5) in TLSv1.2 is huge degradation in security, certainly nothing that someone with paranoia would do. > > > I don't know what you mean by "AES alone", but if you are refering > > to "AES-GCM", that isn't AES alone, but AES in combination with GHASH, > > and HMAC-SHA1 beats the security of GHASH by a huge safety margin. > > No, GHASH has an unconditional security guarantee, while HMAC is only > conjectured to be secure. If that were a real concern, then you would have to violently oppose to Peter's (and other folks) suggestion to change from mac-pad-encrypt to pad-encrypt-mac (aka EtA). > > If you break AES-GCM you break AES, and hence AES-CBC-SHA1. > AES-CBC-SHA1 also falls if > HMAC fails. Currently HMAC-SHA1 in TLS is protected by AES CBC encryption, so it is simply impossible to attack HMAC-SHA1 without first breaking AES. In contrast to AES-GCM, you can not target and flip individual bits of the MAC'ed plaintext from AES-CBC-SHA1 nor can you target and flip individual bits from the HMAC-SHA1 output. You actually do not not anything about what goes in and what comes out of HMAC-SHA1 right now. -Martin
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Andy Wilson
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Jack Lloyd
- Re: [TLS] An SCSV to stop TLS fallback. Manger, James H
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Douglas Stebila
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. James Cloos
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Daniel Kahn Gillmor
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller