Re: [TLS] Resolution AEAD Cipher length and padding

Bodo Moeller <bmoeller@acm.org> Mon, 21 July 2014 15:34 UTC

Return-Path: <SRS0=Mag+=4Q=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36A961A0137 for <tls@ietfa.amsl.com>; Mon, 21 Jul 2014 08:34:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.929
X-Spam-Level:
X-Spam-Status: No, score=-0.929 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hWnXM5nSL8ZK for <tls@ietfa.amsl.com>; Mon, 21 Jul 2014 08:34:00 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.187]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C637A1A00B8 for <tls@ietf.org>; Mon, 21 Jul 2014 08:33:59 -0700 (PDT)
Received: from mail-yh0-f43.google.com (mail-yh0-f43.google.com [209.85.213.43]) by mrelayeu.kundenserver.de (node=mreue003) with ESMTP (Nemesis) id 0LeyRX-1WkKAk1hnz-00qmY4; Mon, 21 Jul 2014 17:33:57 +0200
Received: by mail-yh0-f43.google.com with SMTP id 29so4136037yhl.16 for <tls@ietf.org>; Mon, 21 Jul 2014 08:33:52 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.236.223.229 with SMTP id v95mr41912074yhp.128.1405956832277; Mon, 21 Jul 2014 08:33:52 -0700 (PDT)
Received: by 10.170.129.17 with HTTP; Mon, 21 Jul 2014 08:33:52 -0700 (PDT)
In-Reply-To: <C012B5C9-52DC-4789-85F4-93BE4CF8F12F@cisco.com>
References: <2F856D8D-44B1-4319-8D61-556F3C3ADE01@cisco.com> <CALR0ui+Q+tk46Yef-OCGEX4z7y6duFfFb4xq=3t3aAE6eX8_CA@mail.gmail.com> <C012B5C9-52DC-4789-85F4-93BE4CF8F12F@cisco.com>
Date: Mon, 21 Jul 2014 11:33:52 -0400
Message-ID: <CADMpkcLmK45oViTYoGCFHFDDWPa0cpjn=_jwucJ6o1cm5U6zyQ@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Content-Type: multipart/alternative; boundary=001a11c1ecbe8ebdbc04feb5d537
X-Provags-ID: V02:K0:jk32ipftDqGtSJDK5N5p3qY0D+Uvoug14JpdvcflZ8K vWQarrwCt2w2ISoAFNW2BCMvsJ1ihhI+IYIKtxOj3DpXq1bO0V rMXnflsCB4HeZOmg+GTW11R4w4E0l2NL7VjAETzzZzbS7G3NF4 R5bptb+Ixe+4ESDQ9U72h9fZDA4Nifdewga24yhd5KpMieRBCh 4jP3Y3VVBmc/gcy4oCCiKRoe7eaonFDliaw3s8/cwFy8HzCQrc pLBEeBpGXel31JG9wj63+dS/f1SGXxwG5yxbg0E+MMAREv1/dL VF6Yzqq7kQZzQu8B4OQ33xDYoy9ui0+fligLg51kavZTVxXs8h xy+JRBEzmgiRLtsjCgR3Y/zFYwfutoNRfDEZlyl62ilIDvXZjb 6NIXckfaxWh9QJ4EqVAPslkARHxb6SFOZXEZiUGco9vw5fMVr8 oev8P
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jITCbXxulR4XJmssdi4V9m1u7wQ
Cc: "<tls@ietf.org>" <tls@ietf.org>, Alfredo Pironti <alfredo@pironti.eu>
Subject: Re: [TLS] Resolution AEAD Cipher length and padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jul 2014 15:35:29 -0000

Joseph Salowey (jsalowey) <jsalowey@cisco.com>om>:
>
>  On Jul 21, 2014, at 7:54 AM, Alfredo Pironti <alfredo@pironti.eu> wrote:
>
>  It's not clear to me what this resolution is about; could you please
> elaborate (or give pointers)?
> Is this about AEAD ciphers built on top of block-encrypt then mac? To some
> extent, current GCM and CCM ciphers are already expanding the cipher text
> length by the tag length, so I must be missing the point here. Thanks.
>
>
>  [Joe] to clarify:  current AEAD cipher modes (GCM, CCM)  do not expand
> the cipher text through padding, their cipher text length is the same as
> the clear text length.
>

I think the authentication tag (8 octets for these -- RFC 5288 or RFC 6655)
is considered part of the ciphertext for the AEAD interface (RFC 5116) as
used by TLS 1.2 (RFC 5246), so length expansion indeed already takes place.
 So unless I'm missing something, the point actually is that with these the
exact amount of length expansion is implicit (and you can recover
TLSPlaintext.length and thus determine additional_data by subtracting a
constant from the ciphertext length).

Thus, this decision is not about padding per se, but specifically about
*variable* padding, which wouldn't work with the current spec.

Bodo