Re: [TLS] TLS1.3
"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Sun, 10 February 2013 03:13 UTC
Return-Path: <prvs=575395df64=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F39521F84B9 for <tls@ietfa.amsl.com>; Sat, 9 Feb 2013 19:13:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.174
X-Spam-Level:
X-Spam-Status: No, score=-5.174 tagged_above=-999 required=5 tests=[AWL=0.073, BAYES_00=-2.599, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4, SARE_OBFU_ALL=0.751, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o4h7a18OUBLx for <tls@ietfa.amsl.com>; Sat, 9 Feb 2013 19:13:05 -0800 (PST)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id B1C7021F8425 for <tls@ietf.org>; Sat, 9 Feb 2013 19:13:05 -0800 (PST)
Received: from LLE2K7-HUB02.mitll.ad.local (LLE2K7-HUB02.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id r1A3CxYZ026589; Sat, 9 Feb 2013 22:12:59 -0500
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: "'pgut001@cs.auckland.ac.nz'" <pgut001@cs.auckland.ac.nz>, "'tls@ietf.org'" <tls@ietf.org>
Date: Sat, 09 Feb 2013 22:12:58 -0500
Thread-Topic: [TLS] TLS1.3
Thread-Index: Ac4HOYfom6WOGAD6TVephREdBcO15AAAvusn
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C7333400716@uxcn10-2.UoA.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.9.8327, 1.0.431, 0.0.0000 definitions=2013-02-10_01:2013-02-08, 2013-02-10, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=7 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=6.0.2-1211240000 definitions=main-1302090366
Message-Id: <20130210031305.B1C7021F8425@ietfa.amsl.com>
Subject: Re: [TLS] TLS1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Feb 2013 03:13:06 -0000
I worry much less about attacks against "naked" keyed hash (such as HMAC, or in fact any other cryptographic MAC) than against attacks against encrypted padding, etc. Pad->Encrypt->MAC is the most straightforward solution, IMHO, and I see no reason doing something else. -- Regards, Uri Blumenthal Voice: (781) 981-1638 Cyber Systems and Technology Fax: (781) 981-0186 MIT Lincoln Laboratory Cell: (339) 223-5363 244 Wood Street Email: <uri@ll.mit.edu> Lexington, MA 02420-9185 Web: http://www.ll.mit.edu/CST/ MIT LL Root CA: <https://www.ll.mit.edu/labcertificateauthority.html> DSN: 478-5980 ask Lincoln ext.1638 ----- Original Message ----- From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz] Sent: Saturday, February 09, 2013 09:51 PM To: tls@ietf.org <tls@ietf.org> Subject: Re: [TLS] TLS1.3 Martin Rex <mrex@sap.com> writes: >Personally, I also feel somewhat uncomfortable with a "radical" change to >encrypt-then-MAC rather than the simply using the obvious pad-MAC-encrypt, as >originally suggested by Serge Vaudenay. It's hardly a radical change, in terms of code complexity (at least in my code) it came down to (comments and error checking removed) this: checkMacTLS( sessionInfoPtr, data, length, length - sessionInfoPtr->authBlocksize, packetType ); decryptData( sessionInfoPtr, data, length - sessionInfoPtr->authBlocksize, &length ); In other words I swapped two lines of code. (See my earlier note about what it really entailed, which was creating a separate code path that removed several hundred lines of kludging to try and defend against side-channel attacks. So really it's a two-line swap and hundreds of lines removed, at least for the encrypt-then-MAC option). >When the encryption scheme that is used is bijective, then it will not matter >(to the confidentiality of the encryption) whether AtE or EtA is used, as >long as authentication covers the exact same information in both cases, i.e. >*ALL* of it, padding included. However you do need to to MAC the IV. If you treat it as part of the ciphertext then it's trivial, MAC the entire packet in its bits-on-the-wire form. If you're MAC'ing the plaintext then you need to special-case the IV vs. the plaintext and suddenly you're adding all sorts of kludgery to handle that. Authenticating the exact bits on the wire is both cleaner conceptually/ security-wise (you're authenticating the exact data that the attacker has access to, not some bits as seen by the attacker and some bits as seen by you after further processing), and implementation-wise (you just swap the bits of code that do auth. vs. encrypt). To quote Kenny Paterson's recent message: It fixes every problem I can conceive of. And I've thought about the analysis of TLS's current MAC-pad-encrypt construction long and hard, believe me. That's pretty unambiguous. >However, in the EtA scheme, we would have a naked keyed hash. And would an >attack on the keyed hash become somehow feasible, that attack might be easier >on a naked keyed hash than on an encrypted keyed hash. That's going to be pretty unlikely, if someone can break HMAC then we've got more serious things to worry about than forging of TLS packets. Peter. PS: Still keen to interop-test with anyone else who's made this change :-). _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] TLS1.3 Peter Gutmann
- [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Eric Rescorla
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Eric Rescorla
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Dan Harkins
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 David McGrew (mcgrew)
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Nico Williams
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Russ Housley
- Re: [TLS] TLS1.3 Wan-Teh Chang
- Re: [TLS] TLS1.3 Scott Schmit
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Scott Schmit
- Re: [TLS] TLS1.3 Peter Gutmann