Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Trevor Perrin <trevp@trevp.net> Thu, 05 December 2013 05:51 UTC

To: Peter Gutmann <p.gutmann@auckland.ac.nz>

I'd like to add a vote for Peter's draft, along with (I believe)
Wan-Teh, Robert Ransom, Juho Vähä-Herttua, and others.

Some small objections have been raised which I believe can be countered:

 * Nikos prefers Mac-then-Encrypt over the reverse, but otherwise
supports this. [1]

 * Adam Langley has "no objection" to this, but prefers to focus on
AES-GCM and ChaCha20 [2].  Browsers are very concerned with speed, so
it's not surprising they prefer CTR-and-polynomial-MAC ciphersuites.
However, TLS is used in places besides the browser, and I suspect many of
the smaller TLS libraries (such as those by Nikos, Peter, or myself)
would prefer smaller code changes.  Also, Peter's draft easily
upgrades security for all versions of TLS, and less-common
ciphersuites like TLS-SRP and TLS-PSK.


Trevor


[1] http://www.ietf.org/mail-archive/web/tls/current/msg10736.html
[2] http://www.ietf.org/mail-archive/web/tls/current/msg09826.html