Re: [TLS] Decryption_failed alert in TLS 1.1

Eric Rescorla <ekr@networkresonance.com> Thu, 30 April 2009 16:33 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E5BDE28C293 for <tls@core3.amsl.com>; Thu, 30 Apr 2009 09:33:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.047
X-Spam-Level:
X-Spam-Status: No, score=-1.047 tagged_above=-999 required=5 tests=[AWL=-1.065, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yj0NxeG-4Qs3 for <tls@core3.amsl.com>; Thu, 30 Apr 2009 09:33:26 -0700 (PDT)
Received: from kilo.networkresonance.com (74-95-2-169-SFBA.hfc.comcastbusiness.net [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id 299E43A7228 for <tls@ietf.org>; Thu, 30 Apr 2009 09:33:00 -0700 (PDT)
Received: from kilo.local (unknown [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id 17D9A194FC4; Thu, 30 Apr 2009 09:37:27 -0700 (PDT)
Date: Thu, 30 Apr 2009 09:37:26 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Pasi.Eronen@nokia.com
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB7727F24D50BE@NOK-EUMSG-01.mgdnok.nokia.com>
References: <808FD6E27AD4884E94820BC333B2DB7727F24D50BE@NOK-EUMSG-01.mgdnok.nokia.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20090430163727.17D9A194FC4@kilo.networkresonance.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Decryption_failed alert in TLS 1.1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Apr 2009 16:33:27 -0000

At Thu, 30 Apr 2009 11:41:45 +0200,
<Pasi.Eronen@nokia.com> wrote:
> 
> Hi,
> 
> I'm going through unverified errata for various SEC area RFCs,
> and came to errata ID 117 for RFC 4346 (TLS 1.1), available
> from here:
> 
> http://www.rfc-editor.org/errata_search.php?rfc=4346
> 
> Currently, Section 7.2.2 of RFC 4346 says:
> 
>    bad_record_mac
>       This alert is returned if a record is received with an incorrect
>       MAC.  This alert also MUST be returned if an alert is sent because
>       a TLSCiphertext decrypted in an invalid way: either it wasn't an
>       even multiple of the block length, or its padding values, when
>       checked, weren't correct.  This message is always fatal.
> 
> and then continues:
> 
>    decryption_failed
>       This alert MAY be returned if a TLSCiphertext decrypted in an
>       invalid way: either it wasn't an even multiple of the block
>       length, or its padding values, when checked, weren't correct.
>       This message is always fatal.
> 
>    Note: Differentiating between bad_record_mac and decryption_failed
>          alerts may permit certain attacks against CBC mode as used in
>          TLS [CBCATT].  It is preferable to uniformly use the
>          bad_record_mac alert to hide the specific type of the error.
> 
> These two contradict each other; it first says "bad_record_mac MUST be
> sent", but then says decryption_failed "MAY be returned", and using
> bad_record_mac is "preferable".
> 
> Does anyone recall what the intent here was? Early drafts (until -09) 
> said "bad_record_mac SHOULD be returned", but that was later changed 
> to "MUST". Should the errata fix this to something like this?
>
>    decryption_failed
>       This alert was used in TLS 1.0 if a TLSCiphertext decrypted
>       in an invalid way. It MUST NOT be sent in TLS 1.1.
> 
> (TLS 1.2 is very clear about this; decryption_failed MUST NOT
> be sent.)

Yeah, I think we just did s/SHOULD/MUST/ and didn't remove the
corresponding MAY

-Ekr