Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Nikos Mavrogiannopoulos <nmav@gnutls.org> Tue, 12 November 2013 09:14 UTC

In-Reply-To: <20131111233350.025031AA79@ld9781.wdf.sap.corp>
References: <527FEC83.9020107@pobox.com> <20131111233350.025031AA79@ld9781.wdf.sap.corp>
Date: Tue, 12 Nov 2013 10:13:51 +0100
Message-ID: <CAJU7zaLsJe-B3gOF9BrROKPeLSvbNdM9RzJgYxRAZtBWofc8ew@mail.gmail.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: "mrex@sap.com" <mrex@sap.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

On Tue, Nov 12, 2013 at 12:33 AM, Martin Rex <mrex@sap.com> wrote:
> Personally, I would really prefer to _not_ move the MAC outside
> of the encryption, i.e. leave it as pad-mac-encrypt like Serge Vaudenay
> originally recommended.  In particular, keeping the hands off the
> GenericStreamCipher PDU processing.

I prefer this approach too, so I've taken the parts from the
length-hiding draft and moved them to a draft that simply describes a
new padding approach to solve the padding oracles. In any case I still
believe that something needs to be done about that, whether it is
pad-encrypt-then-mac or pad-mac-then-encrypt.

http://tools.ietf.org/html/draft-mavrogiannopoulos-new-tls-padding-00

regards,
Nikos
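Added here as an illustration of the record ordering the thread is arguing about, not code from the cited draft, GnuTLS or any poster: a TLS-style CBC record sealed as pad-encrypt-then-MAC, where the receiver checks the HMAC over iv||ciphertext before decrypting, so the padding bytes are only ever inspected on data the sender authenticated. Key, IV and message values are constructed for the example; the padding format follows the TLS GenericBlockCipher convention (n+1 bytes of value n).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// tlsPad appends n+1 bytes of value n (TLS GenericBlockCipher padding).
func tlsPad(b []byte) []byte {
	n := (aes.BlockSize - (len(b)+1)%aes.BlockSize) % aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n+1)...)
}
// tlsUnpad checks every padding byte, not only the length byte (b is non-empty).
func tlsUnpad(b []byte) ([]byte, bool) {
	n := int(b[len(b)-1])
	if n+1 > len(b) || !bytes.HasSuffix(b, bytes.Repeat([]byte{byte(n)}, n+1)) {
		return nil, false
	}
	return b[:len(b)-n-1], true
}
func tag(macKey, data []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(data)
	return h.Sum(nil)
}
// SealEtM: pad, CBC-encrypt, then MAC the ciphertext. Output layout: iv||ct||tag.
func SealEtM(block cipher.Block, macKey, iv, msg []byte) []byte {
	pt := tlsPad(append([]byte(nil), msg...))
	out := append(append([]byte(nil), iv...), make([]byte, len(pt))...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[len(iv):], pt)
	return append(out, tag(macKey, out)...)
}
// OpenEtM verifies the tag BEFORE decrypting, so a modified record is rejected
// before any padding is inspected; one bool hides which check failed.
func OpenEtM(block cipher.Block, macKey, rec []byte) ([]byte, bool) {
	n := len(rec) - aes.BlockSize - sha256.Size
	if n <= 0 || n%aes.BlockSize != 0 {
		return nil, false
	}
	signed, t := rec[:aes.BlockSize+n], rec[aes.BlockSize+n:]
	if !hmac.Equal(tag(macKey, signed), t) {
		return nil, false
	}
	pt := make([]byte, n)
	cipher.NewCBCDecrypter(block, signed[:aes.BlockSize]).CryptBlocks(pt, signed[aes.BlockSize:])
	return tlsUnpad(pt)
}
```

Under the pad-MAC-encrypt ordering Martin prefers, the receiver must decrypt first and then validate padding and MAC on unauthenticated bytes, which is where the constant-time handling the thread worries about becomes necessary.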