Re: [TLS] padding bug

[Eric Rescorla <ekr@rtfm.com>]

On Fri, Sep 20, 2013 at 8:52 AM, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
>
> On Fri, Sep 20, 2013 at 6:29 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>wrote:
>
>> Eric Rescorla <ekr@rtfm.com> writes:
>>
>> >Of course, this naturally raises the question of whether this document
>> will
>> >be accepted by the TLS WG.
>>
>> It seems to be accepted by everyone except the WG chairs, who point to:
>>
>> >However, as I think recent discussion indicates, there are a number of
>> >proposed approaches and there isn't really consensus to adopt this
>> particular
>> >one
>>
>> Can you provide concrete examples of this lack of consensus?
>
>
> These messages from Nikos look negative to me:
> http://www.ietf.org/mail-archive/web/tls/current/msg09809.html
> http://www.ietf.org/mail-archive/web/tls/current/msg09520.html
>
> This looks like "meh" to me:
> http://www.ietf.org/mail-archive/web/tls/current/msg09826.html
>
> Privately, I've also heard objections to attempting to prolong the
> life of CBC as a primitive. Perhaps those who expressed this
> would speak up on the list?
>
>
>  It's already
>> present in deployed implementations (as I mentioned a while back, the
>> response
>> of one SSL library developer was "this should have been done ten years
>> ago").
>> So lets reverse this, if the WG chairs think that there are viable
>> alternative
>> approaches could they please point to *currently active RFC drafts* (not
>> an
>> expired six-month-old text but a current draft) with authors willing to
>> actively champion their approaches on the list?
>>
>
> We have drafts for AEAD w/ CBC:
> http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-01
>
> And I have heard a variety of suggestions for pushing AEAD down into
> TLS 1.2 (there's no technical problem here). If we were to do that, the
>

This should say below TLS 1.2.

-Ekr



> draft would presumably be trivial and then we could simply directly
> adopt the McGrew draft.
>
> If we were to abandon CBC entirely we would mostly want some
> new stream ciphers. E.g.,
>
> http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01
> http://tools.ietf.org/html/draft-josefsson-salsa20-tls-02
>
> So, certainly if we wanted to to adopt a "triage and selectively replace"
> strategy, we have the drafts to do it. In addition, we do have a
>
> Pad then encrypt then MAC draft that is recent.
> http://tools.ietf.org/html/draft-pironti-tls-length-hiding-01
>
> That is not to say that the WG could not also adopt your draft, but as I
> said
> above, it's not the only alternative.
>
> We think this would benefit from F2F discussion and I would invite you or
> someone else in favor of this draft (or another approach) to present in
> November in Vancouver. If there is WG consensus for this, we can adopt
> it then.
>
> Best,
> -Ekr
>
> P.S. I am about to go mostly offline through Monday night. Apologies in
> advance for slow/non-response.
>
>