IETF Logo Mail Archive

Re: [TLS] rfc7366: is encrypt-then-mac implemented?

Manuel Pégourié-Gonnard <mpg@polarssl.org> Thu, 30 October 2014 11:42 UTC

Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 947231AD0C9 for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 04:42:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.397
X-Spam-Level:
X-Spam-Status: No, score=0.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsZr-4QXoPBU for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 04:41:56 -0700 (PDT)
Received: from vps2.offspark.com (vps2.brainspark.nl [141.138.204.106]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 742161AD0CD for <tls@ietf.org>; Thu, 30 Oct 2014 04:41:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:To:MIME-Version:From:Date:Message-ID; bh=AiVqnis3iyZjUJDIabNjQ/XSDsPQqCvLAcnUyVEsjig=; b=aAd4zARioRrxBrAACq2Dld/OSa0iZVJkKt5D4DFnAXN9u3mPwQPFPPC4PoKAjNkf6a4FPUUvJ9MH81xkVZJfFR8gKAeDensuvnyBtLNrQG7gAjwQa1R9rI0Dr+bCR1AVYWXPJmdEAzaB/K0StuvnTJwtrjI5mdfyDOMQjdGnPqI=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.offspark.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1Xjo6u-0002qC-HB; Thu, 30 Oct 2014 12:41:48 +0100
Message-ID: <54522401.8010100@polarssl.org>
Date: Thu, 30 Oct 2014 12:41:53 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9DBF3F@uxcn10-5.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9DBF3F@uxcn10-5.UoA.auckland.ac.nz>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.offspark.com)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/gp_riJiEkctDziiqXPELBdCo_UU
Subject: Re: [TLS] rfc7366: is encrypt-then-mac implemented?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Oct 2014 11:42:00 -0000

On 30/10/2014 11:44, Peter Gutmann wrote:
> Manuel Pégourié-Gonnard <mpg@polarssl.org> writes:
> 
>> Sure, I'd never think of doing that. But I can certainly tell my code to
>> compute
>>
>>  MAC_k( seq_num + type + version + length + encrypted_stuff )
>>
>> with length != length_of(encrypted_stuff). After all, for the MAC function,
>> what we call "length" is just two meaningless bytes.
> 
> Oh, so the issue isn't that you're MAC'ing extra stuff that isn't there, but
> that you're using a length value that includes stuff that isn't MAC'd?  In
> other words in the above 'length' isn't 'length of encrypted_stuff that
> follows the length value' but 'length of encrypted_stuff that follows the
> length value + length of MAC'?
> 
Precisely. It looks like we're making progress in undertanding each other.

(As a side point (since I'm not arguing that what I'm doing is The Right Thing
do to, rather that it's unclear from the text of the RFC), both options look
completely equivalent to me from a security point of view, since one needs to
know the length of the MAC to check it, anyway.)

Manuel.

v2.23.0 | Report a Bug | By Email