Re: [TLS] padding bug
mrex@sap.com (Martin Rex) Tue, 24 September 2013 17:16 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD10921F9193 for <tls@ietfa.amsl.com>; Tue, 24 Sep 2013 10:16:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.818
X-Spam-Level:
X-Spam-Status: No, score=-9.818 tagged_above=-999 required=5 tests=[AWL=-0.269, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8, SARE_BIZOP=0.7]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k3A2hFQ4oZaA for <tls@ietfa.amsl.com>; Tue, 24 Sep 2013 10:16:01 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id DF3B521F991F for <tls@ietf.org>; Tue, 24 Sep 2013 10:15:59 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r8OHFsAB022665 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 24 Sep 2013 19:15:54 +0200 (MEST)
In-Reply-To: <CAGAMPd_R-esTbs5d4QMkvmF3sFSA+Q7Wx9WPJhhZxZjm1W31SA@mail.gmail.com>
To: Hovav Shacham <hovav@cs.ucsd.edu>
Date: Tue, 24 Sep 2013 19:15:54 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130924171554.6F0931A9A0@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] padding bug
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 17:16:05 -0000
Hovav Shacham wrote: > Peter Gutmann <pgut001 at cs.auckland.ac.nz> writes: > > > > It seems to be accepted by everyone except the WG chairs > > I'm not thrilled with making changes to a fundamental part of the TLS > design through an extension. TLS is too complicated to analyze already; > this doesn't help. Where I agree is that it would be preferable to limit any fix to the exact problem that has been identified (already by Vaudenay), which is in how SSLv3&TLS use a Blockcipher in CBC mode with "authenticate-pad-encrypt" rather than "pad-authenticate-encrypt". "Making changes to a fundamental part of the TLS design through an extension" is a lame argument. If this was really an issue, then we would have to recomment against the existing rfc4492 approach to the use of lliptic curve crypto in TLS in its entirety. When we're concerned about the reconnect-fallbacks in Browsers to an extension-less SSLv3 Clienthello--which btw. will currently also prohibit the client to offer any AES-GCM cipher suites, then we could define a signaling cipher suite for the CBC-fix that can be safely included even in SSLv2 CLIENT-HELLO. > > I would prefer an approach that deprecates existing suites in favor of > non-CBC authenticated encryption modes. This sounds like a marketeers approach to the problem, appreciating the "new business opportunities". But it is very ignorant about software maintenance (for those vendors, which actually provide maintenance), where the amount of code changes to the installed base decides whether there is going to be an update produced for the installed base. There is nothing wrong with CBC, and it is a real pity that TLSv1.1 addressed&fixed only the running-IV problem, but entirely ignored the authenticate-pad-encrypt that Vaudenay had explicitly described as another problem. What is available in Browsers is really just a small part of the problem. For many communication scenarios, the end-to-end principle no longer applies, and the distance between an end-users browser and the regional perimeter gateway of the service provider is small in comparison to the distance from the regional perimeter gateway (a reverse proxy for HTTP-over-TLS) to the central/backend servers. The end user has no knowledge and no control what gets used behind the reverse proxy, and why should NSA try to listen to the regional and short connection between a browser and a regional gateway when it can instead pick up the contents on the regional gateway, on the backend, or from the transnational connection in between, an independent of whether that access is voluntary, compulsory or surreptitious. -Martin
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Adam Langley
- Re: [TLS] padding bug Hugo Krawczyk
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Paterson, Kenny
- Re: [TLS] padding bug Bodo Moeller
- Re: [TLS] padding bug Michael D'Errico
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Christian Kahlo
- Re: [TLS] padding bug Hovav Shacham
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Martin Rex
- Re: [TLS] padding bug Andrei Popov
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Kelly John Rose
- Re: [TLS] padding bug Lewis, Nick
- Re: [TLS] padding bug Alfredo Pironti
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Peter Gutmann