Re: [TLS] padding bug
Eric Rescorla <ekr@rtfm.com> Fri, 20 September 2013 15:57 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA3AC21F9B66 for <tls@ietfa.amsl.com>; Fri, 20 Sep 2013 08:57:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.698
X-Spam-Level:
X-Spam-Status: No, score=-102.698 tagged_above=-999 required=5 tests=[AWL=0.278, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WeyNukRpdVkL for <tls@ietfa.amsl.com>; Fri, 20 Sep 2013 08:57:02 -0700 (PDT)
Received: from mail-qc0-f178.google.com (mail-qc0-f178.google.com [209.85.216.178]) by ietfa.amsl.com (Postfix) with ESMTP id C741E21F9A99 for <tls@ietf.org>; Fri, 20 Sep 2013 08:56:52 -0700 (PDT)
Received: by mail-qc0-f178.google.com with SMTP id r5so378230qcx.23 for <tls@ietf.org>; Fri, 20 Sep 2013 08:56:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=o+QD9JChB0Wpy9fXyKv4pN13l7OtpKvhJR0SAMJ/Vws=; b=gOuE8Mw8pL4IpMGc1rpSz3qMPMsCSYrch1U2A30xN6c+gaBg/J9A6iSqU7e/4RrpWF +Ra+GMD3Zp5DAe5Gof/Q9SgQgKzUbZAzGirzsvL7AW0qy1mGTDBV8g55t6Wr3eEB2PLU PWe1FlhAiF0FOdnlCr/2uhoVavze37el5aJSia3lnIKVIVnHS8jQP+lv+k3UU6I5umaL C7CC6y8mDpjCBe6JA96RGDESmjjKjrHCrISYSPNGM2HwjmXXC/G/AF3Ay22BEuGUbBMq t5oud2hSoi1HWhN3Nl2io48tRGgCdyHxwH1ajbSR1NPvxituLgcPDY6QRgwHSjyY/vxZ 130g==
X-Gm-Message-State: ALoCoQl0YDGVGrqSYAUGxX1gJuxv9CPQmPXGSZMyk1vqHxg8XmJ5OEerw5G1q7+/VKFzfYDURWaS
X-Received: by 10.224.20.132 with SMTP id f4mr6472670qab.42.1379692601776; Fri, 20 Sep 2013 08:56:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.49.42.68 with HTTP; Fri, 20 Sep 2013 08:56:01 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <CABcZeBPTiLM6-6OL8ASo6NJvGkYxc0Mn9CM51e1x0j2Em4tvig@mail.gmail.com>
References: <9A043F3CF02CD34C8E74AC1594475C7355674A34@uxcn10-6.UoA.auckland.ac.nz> <CABcZeBPTiLM6-6OL8ASo6NJvGkYxc0Mn9CM51e1x0j2Em4tvig@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 20 Sep 2013 08:56:01 -0700
Message-ID: <CABcZeBOgpPBWj1qiTskV1QFpx+3KXFxU65NFdLgLwYf=Sk+8CQ@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: multipart/alternative; boundary="001a113362486da0a504e6d2b751"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] padding bug
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2013 15:57:19 -0000
On Fri, Sep 20, 2013 at 8:52 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Fri, Sep 20, 2013 at 6:29 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>wrote: > >> Eric Rescorla <ekr@rtfm.com> writes: >> >> >Of course, this naturally raises the question of whether this document >> will >> >be accepted by the TLS WG. >> >> It seems to be accepted by everyone except the WG chairs, who point to: >> >> >However, as I think recent discussion indicates, there are a number of >> >proposed approaches and there isn't really consensus to adopt this >> particular >> >one >> >> Can you provide concrete examples of this lack of consensus? > > > These messages from Nikos look negative to me: > http://www.ietf.org/mail-archive/web/tls/current/msg09809.html > http://www.ietf.org/mail-archive/web/tls/current/msg09520.html > > This looks like "meh" to me: > http://www.ietf.org/mail-archive/web/tls/current/msg09826.html > > Privately, I've also heard objections to attempting to prolong the > life of CBC as a primitive. Perhaps those who expressed this > would speak up on the list? > > > It's already >> present in deployed implementations (as I mentioned a while back, the >> response >> of one SSL library developer was "this should have been done ten years >> ago"). >> So lets reverse this, if the WG chairs think that there are viable >> alternative >> approaches could they please point to *currently active RFC drafts* (not >> an >> expired six-month-old text but a current draft) with authors willing to >> actively champion their approaches on the list? >> > > We have drafts for AEAD w/ CBC: > http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-01 > > And I have heard a variety of suggestions for pushing AEAD down into > TLS 1.2 (there's no technical problem here). If we were to do that, the > This should say below TLS 1.2. -Ekr > draft would presumably be trivial and then we could simply directly > adopt the McGrew draft. > > If we were to abandon CBC entirely we would mostly want some > new stream ciphers. E.g., > > http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01 > http://tools.ietf.org/html/draft-josefsson-salsa20-tls-02 > > So, certainly if we wanted to to adopt a "triage and selectively replace" > strategy, we have the drafts to do it. In addition, we do have a > > Pad then encrypt then MAC draft that is recent. > http://tools.ietf.org/html/draft-pironti-tls-length-hiding-01 > > That is not to say that the WG could not also adopt your draft, but as I > said > above, it's not the only alternative. > > We think this would benefit from F2F discussion and I would invite you or > someone else in favor of this draft (or another approach) to present in > November in Vancouver. If there is WG consensus for this, we can adopt > it then. > > Best, > -Ekr > > P.S. I am about to go mostly offline through Monday night. Apologies in > advance for slow/non-response. > >
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Adam Langley
- Re: [TLS] padding bug Hugo Krawczyk
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Paterson, Kenny
- Re: [TLS] padding bug Bodo Moeller
- Re: [TLS] padding bug Michael D'Errico
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Christian Kahlo
- Re: [TLS] padding bug Hovav Shacham
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Martin Rex
- Re: [TLS] padding bug Andrei Popov
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Kelly John Rose
- Re: [TLS] padding bug Lewis, Nick
- Re: [TLS] padding bug Alfredo Pironti
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Peter Gutmann