Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
Trevor Perrin <trevp@trevp.net> Thu, 05 December 2013 05:51 UTC
To: Peter Gutmann <p.gutmann@auckland.ac.nz>
Cc: "<tls@ietf.org>" <tls@ietf.org>

I'd like to add a vote for Peter's draft, along with (I believe) Wan-Teh, Robert Ransom, Juho Vähä-Herttua, and others.

Some small objections have been raised which I believe can be countered:

* Nikos prefers Mac-then-Encrypt over the reverse, but otherwise supports this. [1]

* Adam Langley has "no objection" to this, but prefers to focus on AES-GCM and ChaCha20 [2].

Browsers are very concerned with speed, so it's not surprising they prefer CTR-and-polynomial-MAC ciphersuites. However, TLS is used places besides the browser, and I suspect many of the smaller TLS libraries (such as those by Nikos, Peter, or myself) would prefer smaller code changes.

Also, Peter's draft easily upgrades security for all versions of TLS, and less-common ciphersuites like TLS-SRP and TLS-PSK.

Trevor

[1] http://www.ietf.org/mail-archive/web/tls/current/msg10736.html
[2] http://www.ietf.org/mail-archive/web/tls/current/msg09826.html