Re: [TLS] History of TLS analysis (was Re: TLS 1.2 Long-term Support Profile draft posted)

Bodo Moeller <bmoeller@acm.org> Mon, 21 March 2016 09:57 UTC

Return-Path: <bmoeller@acm.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFA4F12D5BE for <tls@ietfa.amsl.com>; Mon, 21 Mar 2016 02:57:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.935
X-Spam-Level:
X-Spam-Status: No, score=-1.935 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j0be0BttMRJf for <tls@ietfa.amsl.com>; Mon, 21 Mar 2016 02:57:50 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.10]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E3EE12D6F7 for <tls@ietf.org>; Mon, 21 Mar 2016 02:57:49 -0700 (PDT)
Received: from mail-lf0-f50.google.com ([209.85.215.50]) by mrelayeu.kundenserver.de (mreue103) with ESMTPSA (Nemesis) id 0Mg0zl-1aTJU626on-00NRe9 for <tls@ietf.org>; Mon, 21 Mar 2016 10:57:47 +0100
Received: by mail-lf0-f50.google.com with SMTP id e196so28622928lfg.1 for <tls@ietf.org>; Mon, 21 Mar 2016 02:57:47 -0700 (PDT)
X-Gm-Message-State: AD7BkJL32scTFdQO1JznXPxi18FEGr422/cd72BXIqukgDbf5Kjmjyi1TpuuzoDyQdX5Cxn63nBQ0lpjIJVtJQ==
MIME-Version: 1.0
X-Received: by 10.25.135.8 with SMTP id j8mr10461755lfd.64.1458554266897; Mon, 21 Mar 2016 02:57:46 -0700 (PDT)
Received: by 10.112.22.67 with HTTP; Mon, 21 Mar 2016 02:57:46 -0700 (PDT)
In-Reply-To: <CACsn0c=r7m94xOg0T=sxXn0JMfDq0us2iuEWi29uFEgE+r4SLw@mail.gmail.com>
References: <CACsn0c=r7m94xOg0T=sxXn0JMfDq0us2iuEWi29uFEgE+r4SLw@mail.gmail.com>
Date: Mon, 21 Mar 2016 10:57:46 +0100
X-Gmail-Original-Message-ID: <CADMpkcLi5akSi5Hk8bnK0kzScmmF1tMtYVLStARdiKjYTvk6+A@mail.gmail.com>
Message-ID: <CADMpkcLi5akSi5Hk8bnK0kzScmmF1tMtYVLStARdiKjYTvk6+A@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary=001a113fc32cf6d2db052e8c203b
X-Provags-ID: V03:K0:RsrgP0mTLB7316DgyKUb/KmMfUyagqrzq65NoYQl2U2qPM7zzuW +wWEFWixBZGNrXeTVTBI/XanerYH5CSCgqnXvAeCpU3gwifqI1xwKf+RjJnuIzgnNlOA83F S721klbaJpuNLn2hbxpYKmyKMtgEc1V5+rqleewZaeSWUveiJgZufIJN1EsZu714wOA260q NjgKLtIa20c98uePH6Ifw==
X-UI-Out-Filterresults: notjunk:1;V01:K0:PqRBtMMvY1Q=:z8Jw+MbeZTI79r0dFV+uqS py82i3swNLRBaqdfY3S9Y7HJ+gKQmvSC+sz2WUVuXHKnOcO5mNq4i4vS01feQ4CTlAlTfH/LY Y92Cbg9auwukE7qgoycZ39RiCnDJuVNREREI3hZe/vQ8t3l746K/YV0ENQ7NuZSa115QEu2ef hU6bt1dJASiXZQe32r8o9T191S5sgfD6VQ+4VpBAKZqwDfWhWUkXFjFr5jiAM3Dc9tsYnkWxI xqnbgNGgIIzJoKQuAEeEsDZd3X1oFXXG1IJCD335yNIvv2E+0XIKAdYSe+UXaY4drUANmHA0L PBONzGN8TP48q0/MOZRJp3eXB9wJurJjrjRXAL3/GGQs/67MVpCU8DFlwrrWXW66cf43cChg9 JzJF85h7KD3WyOou5SLrGAe+OfCY4AiIcIwBqiWKJYfKV0xsHO9V2IMD4YnA+o5se5bL97w8c uN5FotodWYhszhwbsm+KfG9MeR8L1HNhL1Ex8F9Imtv1Uvl/UvA/HgbDcj1b+NW6FIVqKsHAr vlAUY0Q12SLv8P5em5s7lS7ngJhbfAWFNxH8FKV/1sys6HUQ83ZGuaMJSsBk66l0HDL0eThx/ Z8Gh8OxdWK0f8qPBRHNyi5uvZKoW/V155j+icdLNxUyY62iSpRJBvoabzPNvm4jE/AvPsZwJn jzbk6w0RSr+/7ovnd3Te4dUTIRuEYOSUbe7QjhjdNcXuHi3bFjj7YIMoSD6AWyDm2WYzYyRvt cr1ixxRZZXsxqu+W
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/btr5v7sfnU79mtny0x8uiLtWiRA>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] History of TLS analysis (was Re: TLS 1.2 Long-term Support Profile draft posted)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2016 09:57:53 -0000

Watson Ladd <watsonbladd@gmail.com>om>:

The use of predictable IVs in TLS 1.0 was first commented on by
> Rogaway in 1995. (I'm hunting down the source, but this is from a
> presentation of Patterson)


I think you mean
http://web.cs.ucdavis.edu/~rogaway/papers/draft-rogaway-ipsec-comments-00.txt,
which discussed the problem of predictable IVs in the context of work
towards IPSEC, without making the connection to SSL.  Note that this was
before TLS 1.0 and, I think, before SSL 3.0.  SSL 2.0 already had
predictable CBC IVs but placed the MAC before the payload in the
to-be-encrypted data, which, through sheer luck, avoided the problem.

Bodo