Re: [TLS] [Technical Errata Reported] RFC5288 (4694)

Joseph Salowey <joe@salowey.net> Mon, 16 May 2016 02:23 UTC

From: Joseph Salowey <joe@salowey.net>
Date: Sun, 15 May 2016 19:23:21 -0700
To: Rick van Rein <rick@openfortress.nl>
Cc: "sean+ietf@sn3rd.com" <sean+ietf@sn3rd.com>, "Kathleen.Moriarty.ietf@gmail.com" <Kathleen.Moriarty.ietf@gmail.com>, "mcgrew@cisco.com" <mcgrew@cisco.com>, "jsalowey@cisco.com" <jsalowey@cisco.com>, "tls@ietf.org" <tls@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>, "abhijitc@cisco.com" <abhijitc@cisco.com>
Subject: Re: [TLS] [Technical Errata Reported] RFC5288 (4694)
In-Reply-To: <5738C35B.2070504@openfortress.nl>
References: <20160514082717.7997D180004@rfc-editor.org> <9A043F3CF02CD34C8E74AC1594475C73F4C80CD0@uxcn10-5.UoA.auckland.ac.nz> <5738C35B.2070504@openfortress.nl>
Message-ID: <CAOgPGoBWi-=wGfFFBRNb_XTQU-JuL_Yk6L6gsPrm5AbY_Unoaw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Wvua53CsHTMwqwpgegJISr3uC1E>

On Sun, May 15, 2016 at 11:43 AM, Rick van Rein <rick@openfortress.nl> wrote:

> Hi,
>
> > I think the erratum needs an erratum.  Firstly, "nonce" doesn't mean "number
> > used once", and secondly nonce re-use in AES-GCM doesn't just result in
> > "catastrophic failure of it's authenticity", it results in catastrophic
> > failure of the entire mode, both confidentiality and integrity/authenticity.
>
> I'd like to add that I don't see a difference between a "failure" and a
> "catastrophic failure".  It's probably better to stay away from subjective
> words like that.
>
>
[Joe] It would be better to state what actually fails:

"Nonce re-use in AES-GCM allows for the recovery of the authentication key
resulting in complete failure of the mode's authenticity.  Hence, TLS
sessions can be effectively attacked through forgery by an adversary.  This
enables an attacker to inject data into the TLS allowing for XSS and other
attack vectors."

> -Rick
>
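The failure mode the thread is arguing over, worked through in Go as an added example (this is not code from the thread, from RFC 5288, or from any TLS stack). The 4-byte implicit salt plus 8-byte explicit nonce layout is RFC 5288's, and using a per-record counter as the explicit nonce is one of the constructions that RFC permits; the `Sealer`, `Opener` and `KeystreamReuseLeaks` names, the receive-side strictly-increasing check, and the key and salt bytes are constructed for this example. `Opener` is the defensive half: a receiver that refuses any record whose explicit nonce does not advance, which rejects both a peer that repeated a nonce and a replayed record before any plaintext is released. `KeystreamReuseLeaks` shows the confidentiality side of Peter Gutmann's point: under a repeated (key, nonce) the XOR of two ciphertexts equals the XOR of the two plaintexts, so "catastrophic failure of the entire mode" is not an overstatement even before the authentication-key recovery that Joe's wording refers to is considered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

var demoKey = []byte("0123456789abcdef") // constructed AES-128 key, not real key material
var demoSalt = [4]byte{0xde, 0xad, 0xbe, 0xef}
var ErrNonceReused = errors.New("gcm: explicit nonce not strictly increasing (reuse or replay)")

// rfc5288Nonce lays out the 12-byte GCM nonce as RFC 5288 does:
// 4-byte implicit salt from the key block || 8-byte explicit nonce from the record.
func rfc5288Nonce(salt [4]byte, explicit uint64) []byte {
	nonce := make([]byte, 12)
	copy(nonce[:4], salt[:])
	binary.BigEndian.PutUint64(nonce[4:], explicit)
	return nonce
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sealer is the sending side: the explicit nonce is a plain counter, so it
// never repeats under one key (a real stack rekeys long before it could wrap).
type Sealer struct {
	aead cipher.AEAD
	salt [4]byte
	next uint64
}

// Opener is the receiving side: it accepts only strictly increasing explicit
// nonces, so a reused nonce or a replayed record is refused before plaintext is released.
type Opener struct {
	aead cipher.AEAD
	salt [4]byte
	next uint64 // lowest explicit nonce still acceptable
}

// NewPair builds both ends over one key and salt.
func NewPair(key []byte, salt [4]byte) (*Sealer, *Opener, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	return &Sealer{aead: aead, salt: salt}, &Opener{aead: aead, salt: salt}, nil
}

// Seal returns explicit_nonce || ciphertext || tag, the RFC 5288 record layout.
func (s *Sealer) Seal(plaintext, additionalData []byte) []byte {
	out := make([]byte, 8, 8+len(plaintext)+s.aead.Overhead())
	binary.BigEndian.PutUint64(out, s.next)
	out = s.aead.Seal(out, rfc5288Nonce(s.salt, s.next), plaintext, additionalData)
	s.next++
	return out
}

func (o *Opener) Open(record, additionalData []byte) ([]byte, error) {
	if len(record) < 8+o.aead.Overhead() {
		return nil, errors.New("gcm: record too short")
	}
	explicit := binary.BigEndian.Uint64(record[:8])
	if explicit < o.next {
		return nil, ErrNonceReused
	}
	pt, err := o.aead.Open(nil, rfc5288Nonce(o.salt, explicit), record[8:], additionalData)
	if err != nil {
		return nil, err // tag mismatch: forged or corrupted record
	}
	o.next = explicit + 1
	return pt, nil
}

// KeystreamReuseLeaks seals two equal-length plaintexts under the same key AND
// nonce and reports whether ct1 XOR ct2 == pt1 XOR pt2. GCM's CTR keystream depends
// only on (key, nonce), so it always does: that is the confidentiality failure.
func KeystreamReuseLeaks(key, nonce, pt1, pt2 []byte) (bool, error) {
	if len(pt1) != len(pt2) {
		return false, errors.New("plaintexts must be the same length")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return false, err
	}
	ct1 := aead.Seal(nil, nonce, pt1, nil)
	ct2 := aead.Seal(nil, nonce, pt2, nil)
	for i := range pt1 {
		if ct1[i]^ct2[i] != pt1[i]^pt2[i] {
			return false, nil
		}
	}
	return true, nil
}
```

The receive-side rule relies on TLS delivering records in order over TCP; a datagram profile would need a sliding window instead of a single `next` value. The sealer's counter is the whole mitigation: the erratum's point is simply that nothing on either side may ever present the same (salt, explicit nonce) pair twice under one key, and the `Opener` check turns a peer's violation of that rule into a visible error rather than a silent loss of the session's security.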