Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

mrex@sap.com (Martin Rex) Thu, 05 December 2013 06:06 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 305C51AE1F7 for <tls@ietfa.amsl.com>; Wed, 4 Dec 2013 22:06:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ttWTihB5T22X for <tls@ietfa.amsl.com>; Wed, 4 Dec 2013 22:06:34 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 2A72A1AE36D for <tls@ietf.org>; Wed, 4 Dec 2013 22:06:34 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id rB566MNf003117 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 5 Dec 2013 07:06:22 +0100 (MET)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C7365423EC2@uxcn10-6.UoA.auckland.ac.nz>
To: Peter Gutmann <p.gutmann@auckland.ac.nz>
Date: Thu, 5 Dec 2013 07:06:21 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131205060621.F23521AB26@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 06:06:37 -0000

Peter Gutmann wrote:
> Martin Rex <mrex@sap.com> writes:
> 
> >I'm from the "don't-fix-it-if-it-ain't-broken" camp. And the less code needs 
> >to be changed to adopt some useful feature, the more likely you will see it 
> >being adopted for patches/maintenance. I have seen *ZERO* compelling reason 
> >for switching to encrypt-then-mac in TLS. 
> 
> Uhh... what?  How have you missed ten years of attacks on TLS that take 
> advantage of MtE?

TLS using pad-mac-encrypt is proven secure and that mac-pad-encrypt
is a going to provide an attack surface was clearly pointed out by 
Serge Vaudenay in 2001.

This could have been fixed in TLSv1.1 (2006), but was ignored.
The attacks that were demonstrated were in the ballpark of what
was predicted in 2001.


The fragility of GCM worries me personally much more than the
attack surface of mac-pad-encrypt, e.g.

  Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes
  Markku-Juhani O. Saarinen
  http://eprint.iacr.org/2011/202.pdf


-Martin