Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sat, 30 November 2013 17:29 UTC
Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6152F1AE477 for <tls@ietfa.amsl.com>; Sat, 30 Nov 2013 09:29:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XpfCyJidKV4w for <tls@ietfa.amsl.com>; Sat, 30 Nov 2013 09:29:26 -0800 (PST)
Received: from co9outboundpool.messaging.microsoft.com (co9ehsobe001.messaging.microsoft.com [207.46.163.24]) by ietfa.amsl.com (Postfix) with ESMTP id 8CC731AE046 for <tls@ietf.org>; Sat, 30 Nov 2013 09:29:26 -0800 (PST)
Received: from mail87-co9-R.bigfish.com (10.236.132.250) by CO9EHSOBE004.bigfish.com (10.236.130.67) with Microsoft SMTP Server id 14.1.225.22; Sat, 30 Nov 2013 17:29:24 +0000
Received: from mail87-co9 (localhost [127.0.0.1]) by mail87-co9-R.bigfish.com (Postfix) with ESMTP id A782C4C09A9; Sat, 30 Nov 2013 17:29:24 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.249.149; KIP:(null); UIP:(null); IPV:NLI; H:AM2PRD0311HT003.eurprd03.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -4
X-BigFish: PS-4(zzbb2dI98dI936eI1432Izz1f42h208ch1ee6h1de0h1d18h1fdah2073h2146h1202h1e76h1d1ah1d2ah1fc6hzz1de098h8275bh1de097hz2dh109h2a8h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah2222h224fh1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1fe8h1ff5h209eh2216h22d0h2336h1155h)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(377424004)(199002)(189002)(24454002)(51704005)(479174003)(63696002)(46102001)(81342001)(81686001)(74662001)(47976001)(85306002)(59766001)(65816001)(53806001)(19580395003)(19580405001)(83506001)(83322001)(76482001)(54356001)(49866001)(4396001)(81542001)(31966008)(51856001)(83072001)(81816001)(50986001)(74876001)(74706001)(80976001)(79102001)(77982001)(74366001)(47736001)(87936001)(80022001)(74502001)(56776001)(76796001)(76786001)(54316002)(2656002)(74482001)(47446002)(69226001)(76176001)(36756003)(87266001)(66066001)(56816005)(90146001); DIR:OUT; SFP:; SCL:1; SRVR:DBXPR03MB384; H:DBXPR03MB383.eurprd03.prod.outlook.com; CLIP:80.42.233.244; FPR:; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Received: from mail87-co9 (localhost.localdomain [127.0.0.1]) by mail87-co9 (MessageSwitch) id 1385832561852232_27034; Sat, 30 Nov 2013 17:29:21 +0000 (UTC)
Received: from CO9EHSMHS003.bigfish.com (unknown [10.236.132.250]) by mail87-co9.bigfish.com (Postfix) with ESMTP id CB05D22003F; Sat, 30 Nov 2013 17:29:21 +0000 (UTC)
Received: from AM2PRD0311HT003.eurprd03.prod.outlook.com (157.56.249.149) by CO9EHSMHS003.bigfish.com (10.236.130.13) with Microsoft SMTP Server (TLS) id 14.16.227.3; Sat, 30 Nov 2013 17:29:21 +0000
Received: from DBXPR03MB384.eurprd03.prod.outlook.com (10.141.10.20) by AM2PRD0311HT003.eurprd03.prod.outlook.com (10.255.162.38) with Microsoft SMTP Server (TLS) id 14.16.383.1; Sat, 30 Nov 2013 17:29:19 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) by DBXPR03MB384.eurprd03.prod.outlook.com (10.141.10.20) with Microsoft SMTP Server (TLS) id 15.0.820.5; Sat, 30 Nov 2013 17:29:18 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) by DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) with mapi id 15.00.0820.005; Sat, 30 Nov 2013 17:29:18 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>, Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: [TLS] Encrypt-then-MAC again (was Re: padding bug)
Thread-Index: AQHO7R77H2f5vAeCGkOkJhCJPGzqVZo8bsWAgAA2+ACAABbXAIAAHPYAgAAhpACAAPI6AIAAG7aA
Date: Sat, 30 Nov 2013 17:29:17 +0000
Message-ID: <CEBFC33E.10954%kenny.paterson@rhul.ac.uk>
In-Reply-To: <1385826600.11639.25.camel@aspire.lan>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.8.130913
x-originating-ip: [80.42.233.244]
x-forefront-prvs: 00462943DE
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C86F39EF2B8622459A9A908B84FCD8B3@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Nov 2013 17:29:29 -0000
Hi Nikos, all, I've been following this discussion with great interest, but keeping rather quiet since my last contribution because I've been a bit busy with other work, and because I was told that I was contorting reality last time I tried to make a contribution...which left me somewhat disenchanted with the tenor of the debate. On 30/11/2013 15:50, "Nikos Mavrogiannopoulos" <nmav@redhat.com> wrote: >On Fri, 2013-11-29 at 17:23 -0800, Watson Ladd wrote: > >> > Contrary to popular opinion on this list AtE is a standard way of >> > operation with no flaws known unless used with an unauthenticated pad >> > (as in TLS). When SSL 3.0 was designed AtE was believed to be the >> > conservative approach comparing to EtA. >> The passive voice is doing a lot of work here. Bellare and Namparah >> showed that EtA is generically secure, >> AtE isn't. Rogaway sent out an email in 1995 pleading for EtA in TLS. >> "no flaws known"!="proved to be secure" > >Proven to be secure doesn't mean that attacks don't exist. The TLS >padding scheme was proven to be secure prior to be broken; ironically by >the same person who made the proof. Attacks work by playing outside the >requirements of the proof. I assume here that you're referring to my "Tag size matters" paper with Ristenpart and Shrimpton, and then to the Lucky 13 paper here. OK, with some of my TLS credentials established for those who don't know me, here are the key points that I take away from the TLS proof (from that paper) versus the Lucky 13 attack: The proof for MAC-then-Pad-then-Encrypt in TLS was extremely delicate and difficult to produce. Indeed, in generating it, we came up with another new attack on "TLS with short MACs" that excludes certain parameters from ever being secure. We then had to make an assumption for the proof to go through: that the decryption process does not leak the source of decryption failure (sanity check failure, bad pad, or bad MAC), or any of the timing involved in decryption. What the Lucky 13 attack showed is that achieving this "uniformity of errors" is very difficult for TLS's MAC-then-Pad-then-Encrypt construction. And this is why MAC-then-Encrypt - and its real world variants - are being given such a hard time on this list by some, including me: our bitter experience is that implementing it securely is just much too hard. Witness Adam Langley's 500 line patch for OpenSSL and NSS to get this (finally) right. (Side note - Adam deserves credit for independently discovering the same attack vector that we used in Lucky 13.) To add a bit more detail: during the Lucky 13 disclosure process, I worked with many vendors to help them get their patches ready. Very few of them were actually able to completely eliminate timing side channels completely in their implementations, and all that I know of (except for Adam) settled for a "good enough" approach. Of course, that pragmatic approach is quite justifiable. But it may still leave open small windows of opportunity for future attack. Bottom line: none of the many issues that MAC-then-Pad-then-Encrypt has had in TLS should *ever* arise for Encrypt-then-MAC, unless the implementer was extremely ill-educated. To me, the perceived dangers of exposing the MAC - dangers which neither I (nor any serious cryptographer I know) accept as being real - are far outweighed by the simplicity and robustness provided by an Encrypt-then-MAC approach. >Nevertheless, there is much more recent work on EtA vs AtE, that >actually proves AtE secure (not "generically" as you pose, you just need >a decent cipher). You may check "The order of encryption and >authentication for protecting communications (or: How secure is SSL?)". >There are even newer papers than that, it is just this that came to >mind. This is too simplistic an interpretation of that paper by Hugo Krawczyk, I'm afraid. It's an excellent piece of work, and quite ahead of its time in trying to apply provable security techniques to a real protocol. But it has two major shortcomings if you try to apply it to CBC-mode encryption as used in TLS: 1. It does not consider TLS padding whatsoever - but instead assumes data is all block-aligned. As soon as you introduce padding in-between the MAC and the encryption, i.e. as in TLS's actual construction, you run into lots of trouble - Vaudenay, Bodo Moeller's observations, Lucky 13 and all. 2. It assumes the MAC output size is the same as the block cipher's block size. Out of all mainstream TLS ciphersuites that I know, this is true only for HMAC-MD5 with AES. And I think we all agree we'd like to avoid MD5 now! On the plus side, and perhaps this is what you were referring to, Hugo's analysis works just fine for stream-cipher based ciphersuites (as long as the stream cipher is good - so not RC4 then!). The Asiacrypt 2011 paper can be seen as extending his analysis to handle the actual construction used in TLS's CBC-mode ciphersuites, but with the important, necessary, and difficult-to-achieve proviso concerning uniformity of errors. Also on the plus side, Hugo's analysis can be fairly easily extended to cover the Pad-then-MAC-then-Encrypt construction for CBC-mode encryption that you, and others, have been arguing for (still under the assumption concerning the size of the MAC tags and the block size, though it might be that this assumption can be removed with more work). So there is indeed theoretical support for this kind of construction. And maybe it can even be implemented securely, too. But, at the risk of repeating myself, I very much prefer the simplicity and robustness of an Encrypt-then-MAC construction. Of course, this is just another opinion, like many others that have been expressed on this list recently, and I cannot hope it will be the last word on the subject. But I can hope that it's accepted as an opinion born from significant experience in analysing TLS security, from a variety of perspectives (theoretical, implementation, attacks). Best wishes, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Peter Gutmann
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Eric Rescorla
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Juho Vähä-Herttua
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Bodo Moeller
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Bodo Moeller
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Juho Vähä-Herttua
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Robert Ransom
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Juho Vähä-Herttua
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Taylor Hornby
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Alfredo Pironti
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Alfredo Pironti
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Alfredo Pironti
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Wan-Teh Chang
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Peter Gutmann
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Peter Gutmann
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Peter Gutmann
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Peter Gutmann
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Trevor Perrin
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd