Re: [TLS] padding bug
"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Wed, 11 September 2013 18:24 UTC
Return-Path: <prvs=2966a68272=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A60511E80A2 for <tls@ietfa.amsl.com>; Wed, 11 Sep 2013 11:24:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[AWL=0.349, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9VYdpmgTmDiO for <tls@ietfa.amsl.com>; Wed, 11 Sep 2013 11:24:20 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id B39DB11E820F for <tls@ietf.org>; Wed, 11 Sep 2013 11:24:18 -0700 (PDT)
Received: from LLE2K7-HUB01.mitll.ad.local (LLE2K7-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id r8BICmd0028888; Wed, 11 Sep 2013 14:24:08 -0400
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "benl@google.com" <benl@google.com>, "tls@ietf.org" <tls@ietf.org>, Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Wed, 11 Sep 2013 14:23:27 -0400
Thread-Topic: [TLS] padding bug
Thread-Index: Ac6vHAPhQ6+K8df9RgeSa3vF12wT5g==
Message-ID: <CE5627E4.110C3%uri@ll.mit.edu>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C735566CD97@uxcn10-tdc06.UoA.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.7.130812
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3461754207_5404671"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8794, 1.0.431, 0.0.0000 definitions=2013-09-11_06:2013-09-11, 2013-09-11, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1309110105
Subject: Re: [TLS] padding bug
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Sep 2013 18:24:25 -0000
On 9/11/13 2:02 , "Peter Gutmann" <pgut001@cs.auckland.ac.nz> wrote: >Nikos Mavrogiannopoulos <nmav@gnutls.org> > >>Do you have any reference for that? RFC2104 and the paper it references >>claim otherwise. > >Oh man, that'd require ploughing through 15-year-old email discussions... >to see it in effect, look at section 2 of RFC 2402. I see no presented evidence of having a clue. There's nothing in RFC 2402 that would support your (unfounded) speculation. On the other hand, section 6 of RFC 2402 refers to the two mandatory-to-implement RFC 2403 (HMAC-MD5-96) and 2404 (HMAC-SHA-1-96). RFC 2404 section 5 (Security Considerations, unsurprisingly), 4th paragraph refers to RFC 2104 and explicitly mentions ADDITIONAL SECURITY PROVIDED BY THE TRUNCATION OF THE RESULTING HASH. Finally, RFC 2104 (HMAC) section 5 (Truncated output) describes the cryptographic consequences of truncating the hash (less information on hash result available to attacker vs. fewer bits to predict), with reference to Preneel and Van Oorschot paper from Crypto'95 "Building fast MACs from hash Functions". Enough?
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Adam Langley
- Re: [TLS] padding bug Hugo Krawczyk
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Paterson, Kenny
- Re: [TLS] padding bug Bodo Moeller
- Re: [TLS] padding bug Michael D'Errico
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Christian Kahlo
- Re: [TLS] padding bug Hovav Shacham
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Martin Rex
- Re: [TLS] padding bug Andrei Popov
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Kelly John Rose
- Re: [TLS] padding bug Lewis, Nick
- Re: [TLS] padding bug Alfredo Pironti
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Peter Gutmann