Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
mrex@sap.com (Martin Rex) Fri, 15 November 2013 23:11 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B61121F9B9F for <tls@ietfa.amsl.com>; Fri, 15 Nov 2013 15:11:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.049
X-Spam-Level:
X-Spam-Status: No, score=-9.049 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_32=0.6, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6m5X034jLwh for <tls@ietfa.amsl.com>; Fri, 15 Nov 2013 15:11:26 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 21E3C11E8128 for <tls@ietf.org>; Fri, 15 Nov 2013 15:11:25 -0800 (PST)
Received: from mail06.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id rAFNBOkK023921 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 16 Nov 2013 00:11:24 +0100 (MET)
In-Reply-To: <CEAB081E.EFD2%kenny.paterson@rhul.ac.uk>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Date: Sat, 16 Nov 2013 00:11:24 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131115231124.0E9071AA9D@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Nov 2013 23:11:30 -0000
Paterson, Kenny wrote: > > "Martin Rex" <mrex@sap.com> wrote: > > > >The MAC provides integrity protection, the Encryption provides > >confidentiality. The quality of the MAC has exactly Zero impact > >on the confidentiality provided by the Encryption. > > The MAC is also necessary to preserve confidentiality in the face > of active attacks. That is a contortion of reality. The MAC does not preserve anything here. The purpose of the MAC in communication protocols is to mitigate the reaction/behaviour of the recipient of the communication to become an oracle that can be polled quickly, repeatedly and often to reveal fractions of bits of information that can be accumulated by an attacker into disclosure of bytes of assumed confidential data. > > If you need an example, consider the security history of IPsec's > encryption-only modes. (Am I allowed to mention IPsec on a TLS list? > Well, I just did.) The few things that I looked at were simple consequences of obviously flawed assumptions, i.e. providing an oracle to the attacker and no mechanism to stop an attacker from polling the oracle and learning. Cryptographic algorithms have specific properties, and so do protocols employing cryptographic algorithms. Silently assuming that certain properties will exist by accident/chance, rather than by explicit design, is somewhat naive. While it has been finally spelled out in rfc5246 (TLSv1.2): http://tools.ietf.org/html/rfc5246#page-16 Any protocol designed for use over TLS must be carefully designed to deal with all possible attacks against it. As a practical matter, this means that the protocol designer must be aware of what security properties TLS does and does not provide and cannot safely rely on the latter. a lot of consumers just don't get it. They want to continue using TLS as a magic pixie dust that provides universal security. > > And, as far as I know, there are no significant attacks when IPsec is > configured in encrypt-then-MAC configurations (e.g. ESP conf+auth or ESP > followed by AH). On the other hand, all the configurations of IPsec where > the MAC is applied before the encryption are broken. (Another > demonstration that MAC-then-encrypt is not a robust choice.) It is formally provable that MAC-then-encrypt for the existing symmetric ciphers is at least as safe as encrypt-then-MAC. The problem is, that this applies only to _real_ MAC-then-encrypt, not to any MAC-then-ExtendAndOtherStuff-then-Encrypt schemes that have been used in IPsec and TLS, and are still being used in CMS|S/Mime and WSSecurity, where additional unauthenticated data (e.g. padding) is added after the MAC and before encryption, and where the recipient will be offering a public decryption oracle. > > >For EtA, the characteristics&quality of the Cipher do not affect > >(and therefore can not improve) the quality of the MAC scheme > >at all. > > That's true but irrelevant, unless you don't trust your MAC algorithm. So > why do you not trust HMAC-SHA256? This isn't about the best-case scenarios, but about worst case scenarios, i.e. HMAC-MD5. The GHASH of AES-GCM by itself is weaker than HMAC-MD5, but by being encrypted, the attacker can not take advantage of this. An encrypted MAC will never be weaker than a plaintext MAC, but a plaintext MAC may be turn out to be a weakness/vulnerability. > > >Look at AES-GCM (NIST SP800-38D). They use an efficient keyed has GHASH, > >that does not have cryptographic hash properties (2nd paragraph Page 10): > > > > http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf > > > > GHASH is a keyed hash function but not, on its own, a cryptographic > > hash function. This Recommendation only approves GHASH for use within > > the context of GCM. > > > >The use of GHASH without cryptographic protection would not be safe. > > > > Also true. But guess what? In GCM, the GHASH MAC is computed on the > ciphertext! The point is, that the AES-GCM MAC _is_ encrypted, and sending it unencrypted would not be a good idea. > > The GHASH output is then encrypted using a further invocation > of the block cipher. Where does this leave your argument in favour of > MAC-then-encrypt? The MAC in TLS'es GenericBlockCipher ought to be left encrypted. And to make code changes small, efficient and managable, going from mac-pad-encrypt to pad-mac-encrypt, as Serge Vaudenay suggested, is IMO the most reasonable way forward. -Martin
- [TLS] Requesting feedback on TACK draft Trevor Perrin
- Re: [TLS] Requesting feedback on TACK draft Peter Gutmann
- Re: [TLS] Requesting feedback on TACK draft Lewis, Nick
- [TLS] padding bug (was: Re: Requesting feedback o… Peter Saint-Andre
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug (was: Re: Requesting feedba… Alfredo Pironti
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Yaron Sheffer
- Re: [TLS] padding bug (was: Re: Requesting feedba… Paterson, Kenny
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Adam Langley
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Nico Williams
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug (was: Re: Requesting feedba… Bodo Moeller
- Re: [TLS] padding bug (was: Re: Requesting feedba… Paterson, Kenny
- Re: [TLS] padding bug Brian Smith
- Re: [TLS] padding bug Martin Rex
- [TLS] Encrypt-then-MAC again (was Re: padding bug) Michael D'Errico
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Michael D'Errico
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ben Laurie
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Bryan C. Geraghty
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- [TLS] Would this fix RC4 again? (was Re: Encrypt-… Michael D'Errico
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Watson Ladd
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Paterson, Kenny
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Nikos Mavrogiannopoulos
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Jacob Appelbaum
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Alex Elsayed
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- [TLS] draft-mavrogiannopoulos-new-tls-padding-00 Martin Rex
- Re: [TLS] draft-mavrogiannopoulos-new-tls-padding… Nikos Mavrogiannopoulos