IETF Logo Mail Archive

Re: [TLS] TLS1.3

Scott Schmit <i.grok@comcast.net> Sat, 16 February 2013 05:09 UTC

Return-Path: <i.grok@comcast.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD2501F0C4E for <tls@ietfa.amsl.com>; Fri, 15 Feb 2013 21:09:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.437
X-Spam-Level:
X-Spam-Status: No, score=-100.437 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pd+9E6TPMI6Q for <tls@ietfa.amsl.com>; Fri, 15 Feb 2013 21:09:16 -0800 (PST)
Received: from qmta03.westchester.pa.mail.comcast.net (qmta03.westchester.pa.mail.comcast.net [IPv6:2001:558:fe14:43:76:96:62:32]) by ietfa.amsl.com (Postfix) with ESMTP id 8B4EE1F0C36 for <tls@ietf.org>; Fri, 15 Feb 2013 21:09:16 -0800 (PST)
Received: from omta07.westchester.pa.mail.comcast.net ([76.96.62.59]) by qmta03.westchester.pa.mail.comcast.net with comcast id 0sfB1l0061GhbT853t96NK; Sat, 16 Feb 2013 05:09:06 +0000
Received: from odin.ulthar.us ([IPv6:2001:470:8c86:0:225:64ff:fe8b:c2f2]) by omta07.westchester.pa.mail.comcast.net with comcast id 0t951l00S2Ekl483Tt96YL; Sat, 16 Feb 2013 05:09:06 +0000
Received: from odin.ulthar.us (localhost [127.0.0.1]) by odin.ulthar.us (8.14.5/8.14.5) with ESMTP id r1G595BQ022243 for <tls@ietf.org>; Sat, 16 Feb 2013 00:09:05 -0500
Received: (from draco@localhost) by odin.ulthar.us (8.14.5/8.14.5/Submit) id r1G595DQ022242 for tls@ietf.org; Sat, 16 Feb 2013 00:09:05 -0500
Date: Sat, 16 Feb 2013 00:09:05 -0500
From: Scott Schmit <i.grok@comcast.net>
To: tls@ietf.org
Message-ID: <20130216050905.GB21026@odin.ulthar.us>
Mail-Followup-To: tls@ietf.org
References: <20130216031312.GA21026@odin.ulthar.us> <20130216045356.16F8A1A580@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="WhfpMioaduB5tiZL"
Content-Disposition: inline
In-Reply-To: <20130216045356.16F8A1A580@ld9781.wdf.sap.corp>
User-Agent: Mutt/1.5.21 (2010-09-15)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1360991346; bh=E3nTNmMCqDcRxMu1Uz74Q71eCR/xiB08/YuLhqMVe/s=; h=Received:Received:Received:Received:Date:From:To:Subject: Message-ID:MIME-Version:Content-Type; b=CggmjcODq1mLz/Ftopwa5wEfGecGklk7cy27llYTDGCrOs07mGzu0xUqj0zgv3PBU CN270yDRTH/F2Vb1iwjrKYUojzXnZo44Ln3mSVYwN7ml/RUfsP/04vCclcKV7WES28 1ziJ4eCnP+EZxaMhEmrLyMYf2rbvwZCSdZhPZ4HsYDF4meCd5pghXLgsVB1EQUGqfV 5zGJ0h3MLrtCHyxeuqMZrph1psKnCVxbIXxb1XbSiCtg9bPjZcWgfWlc4Y3fMbMn5I q/b9RbgyjyjQ3Ibhqs+Rtr8DDUOxix67Unok4U7NrS51JWLyQRmoAE5/zNpXzC2Waz LG1oAva+Ijlqw==
Subject: Re: [TLS] TLS1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Feb 2013 05:09:17 -0000

On Sat, Feb 16, 2013 at 05:53:56AM +0100, Martin Rex wrote:
> Scott Schmit wrote:
> > On Mon, Feb 11, 2013 at 04:33:27PM +0100, Martin Rex wrote:
> > > Re-thinking it,  I believe it would be OK to _not_ cover the CBC-IV in
> > > the AtE, while you *MUST* cover the IV in the EtA case.
> > 
> > Look at the CBC decrypt operation again. If I can modify the IV, I can
> > modify the first block of your plaintext.  So much for authentication...
> 
> I'm sorry, but I fail to see what your comment refers to.
> 
> The CBC-IV is either part of the ciphertext or part of the keying material,
> but never part of the plaintext.
> 
> For Authenticate-then-Encrypt (AtE), it is unnecesary to cover the IV
> by the Authentication (it is also not currently done in TLS), and
> independent of whether the CBC-IV is part of the keying material
> as in SSLv3/TLSv1.0 or part of the ciphertext as in TLSv1.1+.
> 
> For Encrypt-then-Authenticate, you MUST cover the CBC-IV by the
> authentication when it is part of the ciphertext (TLSv1.1+), and
> you MAY cover the CBC-IV (or not) when it is part of the keying
> material (SSLv3/TLSv1.0)

Ah, right.  I misread.  Sorry for the noise.

-- 
Scott Schmit

v2.23.0 | Report a Bug | By Email