IETF Logo Mail Archive

Re: [TLS] TLS1.2 vs TLS1.0

mrex@sap.com (Martin Rex) Tue, 21 May 2013 14:37 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7542021F9833 for <tls@ietfa.amsl.com>; Tue, 21 May 2013 07:37:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.249
X-Spam-Level:
X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rLZrdy7PGQes for <tls@ietfa.amsl.com>; Tue, 21 May 2013 07:37:14 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 08E3121F97D6 for <tls@ietf.org>; Tue, 21 May 2013 07:37:13 -0700 (PDT)
Received: from mail06.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r4LEbAVh028327 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 21 May 2013 16:37:10 +0200 (MEST)
In-Reply-To: <662E9209-1BE8-4403-BD6F-F502E0DDAC5B@rhul.ac.uk>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Date: Tue, 21 May 2013 16:37:10 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130521143710.5B3E21A75A@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS1.2 vs TLS1.0
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 May 2013 14:37:22 -0000

Paterson, Kenny wrote:
> Hi
> 
> On 21 May 2013, at 14:47, Martin Rex wrote:
> 
> > The alleged (confidentiality) problems that have been demonstrated so far
> > are about design-flawed communication peers that require an attacker
> > to be able to insert data into the beginning of the TLS-protected
> > communication an repeat the request a few thousand times (or more)
> > in order to perform plaintext recovery on allegedley confidential
> > data that the attacked communication peer willingly inserted into
> > the same TLS channel following the data provided by the attacker.
> 
> This is an incorrect representation of the known attacks on
> confidentiality (as I understand them, at least).
> 
> - The attacker-injected data does not have to be at the start of the
>   TLS-protected communication.
> - The peer-inserted data does not have to follow the attacker-provided data.

True.  Technically, attacks (on CBC) become possible whenever the attacker
can force data of his choice to be processed along with a block of unknown
data under the same block cipher key and observe differences in the
resulting behaviour.

Being able to insert plaintext before the unknown data can be used to
attack the senders encryption oracle (what BEAST did), which may allow
blackholing the resulting output in order to avoid alarm bells
going off on the peer (original receiver).

For the more generic attacks on CBC-Padding using the receivers decryption
oracle it would be sufficient if the attacker can entice the client to
repeat essentially the same request (i.e. with the same interesting data
at a known or predictable position) sufficiently often (typically a few
thousand to a few million times), then rearranging the network data
that the receiver is going to process will be sufficient.  The large
number of failed reciever-side processing might eventually set off
receiver-side alarm-bells.


> 
> > Datagram TLS (DTLS) is another can of worms, because it has an unreasonable
> > requirement to ignore unlimited amounts of MAC-failing DTLS records on a
> > DTLS connection, but that is a defect from which the stream-oriented
> > regular TLS protocols do not suffer.
> 
> True. Though the spec for DTLS does allow DTLS implementations to
> terminate a connection in the event of errors. 
> 
> It's just that most (all?) implementations don't.


Now that you mention it, I hadn't noticed that DTLS gives actual two
_different_ guidances (MAY abort on MAC error and MUST discard records
with MAC error are mutually exclusive)

http://tools.ietf.org/html/rfc4347#section-4.1.2.1

   4.1.2.1  MAC  (last paragraph):

   In general, DTLS implementations SHOULD silently discard data with
   bad MACs.  If a DTLS implementation chooses to generate an alert when
   it receives a message with an invalid MAC, it MUST generate
   bad_record_mac alert with level fatal and terminate its connection
   state.

http://tools.ietf.org/html/rfc4347#section-4.1.2.5

   4.1.2.5  Anti-replay  (last paragraph):

   If the received record falls within the window and is new, or if the
   packet is to the right of the window, then the receiver proceeds to
   MAC verification.  If the MAC validation fails, the receiver MUST
   discard the received record as invalid.  The receive window is
   updated only if the MAC verification succeeds.


-Martin

v2.23.0 | Report a Bug | By Email