Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Bodo Moeller <bmoeller@acm.org> Fri, 29 November 2013 16:02 UTC

In-Reply-To: <1385738609.3050.4.camel@aspire.lan>
References: <9A043F3CF02CD34C8E74AC1594475C7365420C29@uxcn10-6.UoA.auckland.ac.nz> <CABcZeBP77fwR8Rwv9me4PuGza7ec9cU-JbsMUOxHbpV0ULYOqA@mail.gmail.com> <CACsn0ckAoQeo_rP0K4XONahzXp_kxLo8LxZMv8wjxr-dL+q_=A@mail.gmail.com> <CADMpkc+jju32F+TwGQCY+jqFW0uZMZ6H68PB+Cw_x9ThuudJww@mail.gmail.com> <1385738609.3050.4.camel@aspire.lan>
Date: Fri, 29 Nov 2013 17:02:15 +0100
Message-ID: <CADMpkc+uK8C=LwbgV0jkpnDPEPyYs_vv_+XtbiGjSMRHs2rM0Q@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>

>
>
> > http://www.ietf.org/mail-archive/web/tls/current/msg10004.html
> >
> > (That said, Nikos' complaint seems bogus to me.  Peter's proposal
> > seems fine from a security point of view -- as long as clients refuse
> > to unnecessarily roll back to SSL 3.0, e.g. using
> > draft-bmoeller-tls-downgrade-scsv-01 --, the question is just if it's
> > worth the extra complexity given the other options.)
>
> I think there is some confusion over that. It was a suggestion rather
> than a complaint; and is not a stopper for such a draft.


Thanks for clarifying!


> The fact that
> MAC truncation is known to improve security (for HMAC-MD5 and
> HMAC-SHA1), does not render non-truncation insecure (as many have
> pointed out -including me - there are no known practical attacks against
> HMAC-MD5 and HMAC-SHA1).
>

It's also not actually a known fact that MAC truncation will improve
security.  While there are certain (hypothetical) advantages, there are
also certain (more concrete) disadvantages.  As the HMAC RFC puts it (RFC
2104): "The results in this area are not absolute as for the overall
security advantages of truncation."

Bodo
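
The truncation rule Bodo is quoting is RFC 2104 section 5: a t-bit HMAC is the leftmost t bits of the full L-bit tag, and the RFC recommends t be no less than L/2 and no less than 80 bits. The following is an added worked example, not code from this thread or from any TLS implementation; the function names (hmac_tag, verify_tag, truncation_allowed, min_truncation_bits) are this example's own. It computes full and truncated HMAC-SHA1 over the RFC 2202 test vector, enforces the RFC 2104 lower bound, and verifies in constant time with the tag length fixed by the caller rather than read off the wire.

```python
"""Truncated HMAC per RFC 2104 section 5 (added example, not code from the thread).

RFC 2104 allows a t-bit HMAC output formed from the leftmost t bits of the
full L-bit tag and recommends t >= L/2 and t >= 80.  The helpers below
enforce that bound, produce full and truncated tags, and verify in constant
time.  Helper names are this example's own assumptions.
"""
import hashlib
import hmac
from typing import Optional

RFC2104_MIN_TRUNCATION_BITS = 80  # absolute floor recommended by RFC 2104 s.5


def hash_output_bits(hash_name: str) -> int:
    """L: output length in bits of the underlying hash (160 for SHA-1, 128 for MD5)."""
    return hashlib.new(hash_name).digest_size * 8


def min_truncation_bits(hash_name: str) -> int:
    """Smallest t RFC 2104 recommends for this hash: max(L/2, 80)."""
    return max(hash_output_bits(hash_name) // 2, RFC2104_MIN_TRUNCATION_BITS)


def truncation_allowed(hash_name: str, t_bits: int) -> bool:
    """True if t is a whole number of bytes within [max(L/2, 80), L]."""
    L = hash_output_bits(hash_name)
    return t_bits % 8 == 0 and min_truncation_bits(hash_name) <= t_bits <= L


def hmac_tag(key: bytes, msg: bytes, hash_name: str = "sha1",
             t_bits: Optional[int] = None) -> bytes:
    """HMAC-<hash>-t: the full tag if t_bits is None, else its leftmost t bits."""
    L = hash_output_bits(hash_name)
    if t_bits is None:
        t_bits = L
    if not truncation_allowed(hash_name, t_bits):
        raise ValueError(
            f"t={t_bits} outside RFC 2104 bound "
            f"[{min_truncation_bits(hash_name)}, {L}] for {hash_name}")
    full = hmac.new(key, msg, hash_name).digest()
    return full[: t_bits // 8]  # RFC 2104: keep the leftmost t bits


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1",
               t_bits: Optional[int] = None) -> bool:
    """Recompute the tag at the agreed length and compare in constant time.

    t_bits must come from the protocol's negotiated parameters, never from
    len(tag): letting the sender pick the length would let a forger submit
    the shortest tag the receiver tolerates.
    """
    if t_bits is None:
        t_bits = hash_output_bits(hash_name)
    if not truncation_allowed(hash_name, t_bits) or len(tag) != t_bits // 8:
        return False
    expected = hmac_tag(key, msg, hash_name, t_bits)
    return hmac.compare_digest(expected, tag)


# RFC 2202 test case 1 for HMAC-SHA-1 (key = 20 bytes of 0x0b, data "Hi There").
RFC2202_SHA1_KEY = b"\x0b" * 20
RFC2202_SHA1_DATA = b"Hi There"
RFC2202_SHA1_TAG = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")


if __name__ == "__main__":
    full = hmac_tag(RFC2202_SHA1_KEY, RFC2202_SHA1_DATA)
    short = hmac_tag(RFC2202_SHA1_KEY, RFC2202_SHA1_DATA, t_bits=80)
    print("HMAC-SHA1     :", full.hex())
    print("HMAC-SHA1-80  :", short.hex())
    print("verify full   :", verify_tag(RFC2202_SHA1_KEY, RFC2202_SHA1_DATA, full))
    print("verify short  :", verify_tag(RFC2202_SHA1_KEY, RFC2202_SHA1_DATA, short, t_bits=80))
    # 64-bit truncation of SHA-1 is below the RFC 2104 floor and is refused.
    print("64-bit allowed:", truncation_allowed("sha1", 64))
```

The concrete cost Bodo alludes to is visible in the numbers: an online forger who guesses tags succeeds with probability about 2^-t per attempt, so an 80-bit truncation caps forgery resistance at roughly 2^80 guesses whatever the underlying hash, while the hypothetical benefit (withholding part of the hash state from the attacker) only matters against attacks on HMAC-MD5 and HMAC-SHA1 that are not known to be practical.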