Re: [TLS] padding bug

Nikos Mavrogiannopoulos <nmav@gnutls.org> Mon, 09 September 2013 16:17 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 356AA21E80A5 for <tls@ietfa.amsl.com>; Mon, 9 Sep 2013 09:17:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3LkZ7eMFaw4 for <tls@ietfa.amsl.com>; Mon, 9 Sep 2013 09:17:08 -0700 (PDT)
Received: from mail-ee0-x22a.google.com (mail-ee0-x22a.google.com [IPv6:2a00:1450:4013:c00::22a]) by ietfa.amsl.com (Postfix) with ESMTP id F26B521E8211 for <tls@ietf.org>; Mon, 9 Sep 2013 08:53:15 -0700 (PDT)
Received: by mail-ee0-f42.google.com with SMTP id b45so3253719eek.29 for <tls@ietf.org>; Mon, 09 Sep 2013 08:53:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:openpgp:content-type :content-transfer-encoding; bh=++RBgtbvH5R7o5GJZpaGiTfzO4sV1vYqSGM3yw3Ctsg=; b=pqDRLoUml7kZSCW0vSBYZofSjfCCOtWBtdywA9DXkAtEUGK55eYtT5iP7eD0EAg7Pq Mi1wNgg67SaH6uUwUhIDdVpc7zmWBM4HURw23cF4HKaoUxWyubUrh52j+c1BiepMF+rR QeK4EKkKb8MNfU9neULAi+rMrrGqHzWZuNAQA3c8WeB1aHIL2sG1apJTIRYtd1FwPnwu Suhe+VyGpLULLDLtUvdAZXuirToN3b/+UpjuGFRflL0ameKfb/gnAwYCP1nHK41yJF1b kGBTFUyjRG7yNM5widR8IIUB+4NaP6ccrdAyI5wSwrysBpHYg4Ffy8nIwiD5Lo9vh9Ft Dufw==
X-Received: by 10.14.176.8 with SMTP id a8mr31555430eem.12.1378741992622; Mon, 09 Sep 2013 08:53:12 -0700 (PDT)
Received: from [10.100.2.17] (94-224-103-174.access.telenet.be. [94.224.103.174]) by mx.google.com with ESMTPSA id h52sm22984795eez.3.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 09 Sep 2013 08:53:12 -0700 (PDT)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <522DEEE8.50001@gnutls.org>
Date: Mon, 09 Sep 2013 17:53:12 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130630 Icedove/17.0.7
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>
References: <AAE0766F5AF36B46BAB7E0EFB927320630E4A54175@GBTWK10E001.Technology.local> <522BE808.4090405@stpeter.im> <522C6892.4020206@drh-consultancy.co.uk> <522C7FD8.1000301@drh-consultancy.co.uk> <CABrd9SSbv1owOq9RK-OY2YqfUHavpebYCdKUVd6MGSff_MiiWg@mail.gmail.com> <CABcZeBPcvB2i2Xo7ceiybgLUw8KgJz=aJaNWEfTekFY1RdYC7w@mail.gmail.com> <CABrd9SSHzfFH03euDh1yP2AOxa7vQP2ds5EFyPrP-=BqJ7BOMA@mail.gmail.com>
In-Reply-To: <CABrd9SSHzfFH03euDh1yP2AOxa7vQP2ds5EFyPrP-=BqJ7BOMA@mail.gmail.com>
X-Enigmail-Version: 1.5.1
OpenPGP: id=96865171
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] padding bug
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2013 16:17:10 -0000

On 09/09/2013 03:31 PM, Ben Laurie wrote:

> I'm not planning to be at YVR, what happened to using the mailing list for
> discussion?
[...]

> 3. I've seen no objection that makes any sense. One objection I have seen
> was that it "may not protect from key-recovery in a weak MAC construction"
> - firstly, I am not aware of any such constructions in use in SSL/TLS, and
> secondly, if there are any, it would be trivial to deprecate their use in
> conjunction with this extension.

Unfortunately all algorithms are strong until the point they are broken.
We currently have HMAC-MD5 and while a key recovery attack does not
exist yet, I don't think anybody could rule-out such a development. What
about HMAC-SHA1?

Why not protect against future key recovery attacks by truncating the
MAC? After all IPSec does truncate the MAC to 96-bits for exactly the
same reason (see RFC2104 Section 5: Truncated output). Using the
existing good practices is a good thing.

regards,
Nikos