Re: [TLS] An SCSV to stop TLS fallback.

mrex@sap.com (Martin Rex) Sat, 07 December 2013 07:32 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 930AF1AE245 for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 23:32:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UchwABe6zCD8 for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 23:32:31 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 81B571AE04A for <tls@ietf.org>; Fri, 6 Dec 2013 23:32:31 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id rB77WPFY007102 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 7 Dec 2013 08:32:25 +0100 (MET)
In-Reply-To: <CACsn0c=EpWn5yB1Y2zjBywDmYJ2FeqJ0yBC+nuTSBmj1yWVQ+w@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 7 Dec 2013 08:32:25 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131207073225.0F79D1AB3B@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: IETF TLS WG <tls@ietf.org>
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Dec 2013 07:32:33 -0000

Watson Ladd wrote:
> Martin Rex <mrex@sap.com> wrote:
>>
>> Btw. AES128-CBC-SHA1 is more secure than AES128-GCM/-CCM, so the only
>> thing the client might be "loosing" is a little performance, and
>> that AEAD can not currently be negotiated and used unless
>> ClientHello.client_version is set to { 0x03, 0x03 } is a silly defect
>> of the specification(s) that could be easily fixed.
>>
>> I am assuming you are discussing the modes as specified and
>> implemented in TLS? In that case you are dead wrong.
>> Lucky 13, BEAST, and even if we drop all that no protocol depending
>> both on SHA1 and AES can be stronger than one depending
>> on AES alone.
>>
>> Lucky 13 and BEAST are completely irrelevant for the majority
>> of usage scenarios, and there's even a simple 1/(n-1) record splitting
>> workaround for BEAST for those with paranoia.
>
> Paranoia is a requirement for this WG.

TLSv1.1 and TLSv1.2 seem to have been developed without paranoia.

The attack surface provided by mac-pad-encrypt rather than the
obvious fix pad-mac-encrypt, which Lucky 13 exploited, was clearly
pointed out by Serge Vaudenay in 2001, but completely ignored by
the TLS WG in 2006 (TLSv1.1) and again in 2008 (TLSv1.2).

Replacing the (rsa,md5+sha1) digitally-signed from SSLv3->TLSv1.1 with
(rsa,sha1) or (rsa,md5) in TLSv1.2 is huge degradation in security,
certainly nothing that someone with paranoia would do. 


>
> > I don't know what you mean by "AES alone", but if you are refering
> > to "AES-GCM", that isn't AES alone, but AES in combination with GHASH,
> > and HMAC-SHA1 beats the security of GHASH by a huge safety margin.
>
> No, GHASH has an unconditional security guarantee, while HMAC is only
> conjectured to be secure.

If that were a real concern, then you would have to violently
oppose to Peter's (and other folks) suggestion to change
from mac-pad-encrypt to pad-encrypt-mac (aka EtA).

>
> If you break AES-GCM you break AES, and hence AES-CBC-SHA1.
> AES-CBC-SHA1 also falls if
> HMAC fails.

Currently HMAC-SHA1 in TLS is protected by AES CBC encryption,
so it is simply impossible to attack HMAC-SHA1 without first breaking AES.

In contrast to AES-GCM, you can not target and flip individual bits
of the MAC'ed plaintext from AES-CBC-SHA1 nor can you target and flip
individual bits from the HMAC-SHA1 output.  You actually do not not
anything about what goes in and what comes out of HMAC-SHA1 right now.


-Martin