Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis

"Paterson, Kenny" <> Tue, 13 January 2015 18:28 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 512541A902D for <>; Tue, 13 Jan 2015 10:28:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VFA0M5rnU_Af for <>; Tue, 13 Jan 2015 10:28:11 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fe00::686]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E63001A906D for <>; Tue, 13 Jan 2015 10:28:08 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 13 Jan 2015 18:15:14 +0000
Received: from ([]) by ([]) with mapi id 15.01.0053.000; Tue, 13 Jan 2015 18:15:15 +0000
From: "Paterson, Kenny" <>
To: Watson Ladd <>
Thread-Topic: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis
Thread-Index: AdApm1DpFjNg+4muRmKsYOSI8dViWQAASE0AAWzH8IAAAojMgAAAmS+AAAAwugA=
Date: Tue, 13 Jan 2015 18:15:15 +0000
Message-ID: <>
References: <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
authentication-results: spf=none (sender IP is );
x-dmarcaction-test: None
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(3005003);SRVR:DBXPR03MB384;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:DBXPR03MB384;
x-forefront-prvs: 045584D28C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(479174004)(24454002)(189002)(199003)(36756003)(2900100001)(122556002)(40100003)(68736005)(106356001)(105586002)(15975445007)(102836002)(93886004)(83506001)(110136001)(2950100001)(19580405001)(46102003)(74482002)(66066001)(87936001)(2656002)(77156002)(97736003)(86362001)(101416001)(19580395003)(77096005)(50986999)(1411001)(64706001)(62966003)(92566002)(76176999)(54356999); DIR:OUT; SFP:1101; SCL:1; SRVR:DBXPR03MB384;; FPR:; SPF:None; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jan 2015 18:15:15.0027 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBXPR03MB384
Archived-At: <>
Cc: Manuel Pégourié-Gonnard <>, "<>" <>
Subject: Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 13 Jan 2015 18:28:14 -0000

Hi Watson,

On 13/01/2015 18:09, "Watson Ladd" <> wrote:

>From what I understand, when AES-GCM is used there isn't any padding,
>and the length of the encrypted record is equal to the unencrypted one
>plus the tag, 


>so this attack still works.

Actually, it's an even simpler, passive attack for AES-GCM - you just
observe the ciphertext length and you are done. The attack on CBC mode
requires an activity adversary and leads to closure of the TLS session
half of the time.

>So if we accept this attack
>(and I think we should), then the way AEAD ciphers are used in TLS are
>also insecure. I believe this attack got used to determine autofill
>entries in the Google search bar via passive observation, but I've not
>dug up the paper, so my memory may be wrong.

That would be an interesting reference to have to hand. Please dig!

>To fix this we need to add padding in TLS 1.3 and TLS 1.2 for AEAD modes. would be a
good starting point, no?