IETF Logo Mail Archive

Re: [TLS] [Technical Errata Reported] RFC5288 (4694)

Yoav Nir <ynir.ietf@gmail.com> Mon, 16 May 2016 05:42 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80D5A12D168 for <tls@ietfa.amsl.com>; Sun, 15 May 2016 22:42:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XVJD3BNrQ7ws for <tls@ietfa.amsl.com>; Sun, 15 May 2016 22:42:53 -0700 (PDT)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC37412B02F for <tls@ietf.org>; Sun, 15 May 2016 22:42:52 -0700 (PDT)
Received: by mail-wm0-x232.google.com with SMTP id n129so87390718wmn.1 for <tls@ietf.org>; Sun, 15 May 2016 22:42:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5yH3wvlmdNpkojYETIhYpiHwOdFG7E2GYdkECH3FLKA=; b=Lh5PXOfqK2jUXgJI4g+JOA93U1/IOFzOzO5COaDzVtWwKDLJP4XhmhpUsBEahQhJ1O cw80gRttqseAybUiXSyYP/uaPihIooG4hNgDx38pkuMO0JBe8SCCnS9qNsPOw4s3NFUo RoR9Ls3WPbxqlX/HGjm6+xL/K6pU7ywKmspPdeLYRpeVEJDh7kh22Suj+AugKWuP6/M6 aeQcsEyXPnbCYavzzxnz4GXo88dh283dc4nfCy6v0vhScCafIJ9oou7j2NA4iHXJfKdJ /VWfzMHrWwgQAM2iMv6YxhppsuQjPdoLErhl8eyW7CuOGRzqtcw+g0C7JCPToEIgT+bI cr/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5yH3wvlmdNpkojYETIhYpiHwOdFG7E2GYdkECH3FLKA=; b=mROnMBfwQ3FNEAsV4flZZZcCkABloQnQZGOdTI2y9AqfYKHpgbjQDVeeXn4kRTZ9lR ug5rHU4w+YHOH7LSxPOE4c8CLDv4vGt+8tUqYpMya5gxY9sQe48vMOOzKSLB5+3meKQc LV8zJJGrqLqNJC/376+nXXo8H7PCAJpV3qsEGq7Y0hBFd3Ny2Z8rJsuTAkfd5QGMb1Fc f8CJOhtNQyQArXj5SAI7pnjeMj7hicnYX6WN+nM8c2LrSnS1g/+xA7GjaPdWrn4FbPUE 4tygKK0dCV3gV6JE6RTtpxlt7dB8Z9kKzxiR4LyWAsTC7MDii/T5Bfw9tcBdUmmXIWSj /M2w==
X-Gm-Message-State: AOPr4FUQQ8M7E9ltEpntz8sp5g2Ib5YgCaHCWQFuDW17hvmwH2H5oQlYUanHa3C++pp+uA==
X-Received: by 10.28.151.133 with SMTP id z127mr14992476wmd.79.1463377371258; Sun, 15 May 2016 22:42:51 -0700 (PDT)
Received: from [192.168.137.191] ([176.13.4.131]) by smtp.gmail.com with ESMTPSA id n66sm16456478wmn.7.2016.05.15.22.42.48 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 15 May 2016 22:42:50 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <a05f1e9d02a96721479a0de75e335cc4@esat.kuleuven.be>
Date: Mon, 16 May 2016 08:42:45 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <A1FEF4A5-AC64-4832-904A-47768E5D5AF9@gmail.com>
References: <20160514082717.7997D180004@rfc-editor.org> <9A043F3CF02CD34C8E74AC1594475C73F4C80CD0@uxcn10-5.UoA.auckland.ac.nz> <CAN8NK9EaDQ-Pugi2j=3KcXrn5G-8mcXVs4O2HGCkH7h7GSKbbA@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C80F76@uxcn10-5.UoA.auckland.ac.nz> <CAN8NK9Gn9iK72dBq3opQ2E_HEZyVB+ysCqo5JxMH8vHhy4gEEg@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C817BE@uxcn10-5.UoA.auckland.ac.nz> <a05f1e9d02a96721479a0de75e335cc4@esat.kuleuven.be>
To: Atul Luykx <Atul.Luykx@esat.kuleuven.be>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/hbipORKWGymSQ6eqJDd3UIP8qBQ>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, mcgrew@cisco.com, tls@ietf.org
Subject: Re: [TLS] [Technical Errata Reported] RFC5288 (4694)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 May 2016 05:42:55 -0000

> On 16 May 2016, at 6:50 AM, Atul Luykx <Atul.Luykx@esat.kuleuven.be> wrote:
> 
> Here's a possible re-write of the second paragraph:
> 
> Nonce re-use in AES-GCM results in failure of both confidentiality and authenticity. Not only will confidentiality be breached by leaking the XOR of any two packets processed under the same nonce, but TLS sessions can also be attacked through forgery by an adversary. For example, in the case of HTTPS sessions content injection, XSS, and other attack vectors are possible.

s/XOR of any two packets/XOR of any two records/

This is TLS, not IPsec. And yes, this looks fine.

Yoav

> 
> 
> Original text:
> 
> Security of AES-GCM requires that the "nonce" (number used once) is
> never reused. The IV construction in Section 3 does not prevent
> implementers from reusing the nonce by mistake. It is paramount that
> the implementer be aware of the security implications when a nonce
> is re-used even once.
> 
> Nonce re-use in AES-GCM results in catastrophic failure of it's
> authenticity. Hence, TLS sessions can be effectively attacked through
> forgery by an adversary. In the case of e.g. HTTPS sessions content
> injection is possible, XSS and other attack vectors.
> 
> 
> On 2016-05-16 05:32, Peter Gutmann wrote:
>> Aaron Zauner <azet@azet.org> writes:
>>> If so, could you suggest better wording for this specific paragraph?
>> I would just leave it as "nonce", with no attempt at a definition.  If there
>> are any cryptographers who don't know what a nonce is they can look it up.  If
>> they use an authoritative source they'll get the correct definition, and if
>> they use Wikipedia they'll get Wikipedia's definition.
>>> I wouldn't cite Wikipedia in an academic publication, but it's what pops up
>>> first if someone looks for "nonce" via a Google search
>> That doesn't make it correct, it just makes it the most popular misconception.
>> For another crypto example, look up HDCP and Blom's Scheme on Wikipedia, and
>> see how much resemblance that bears to reality.
>>> This document is on TLS cipher-suites, not AES-GCM in general. This attack
>>> isn't applicable here for various reasons. But I agree that the errata could
>>> be clearer here. What'd be your suggestion as an addition or change? I'm sure
>>> the relevant editors will be willing to amend/change my wording in this
>>> errata.
>> Since the paper for the Black Hat talk hasn't been published, I don't know
>> what the actual problem is (and by extension what the various reasons are),
>> but if you reuse a nonce I can't see how it would affect auth but not
>> confidentiality, since you'd be generating a repeated cipher stream.  If
>> confidentiality isn't affected then there should probably be a note explaining
>> why, since my immediate reaction to a comment about nonce reuse would be
>> "complete failure of the entire mode".
>> Peter.
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email