Re: [TLS] TLS1.3
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 09 February 2013 00:12 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AF9B21F87A4 for <tls@ietfa.amsl.com>; Fri, 8 Feb 2013 16:12:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.325
X-Spam-Level:
X-Spam-Status: No, score=-2.325 tagged_above=-999 required=5 tests=[AWL=0.274, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qDTcgHTzSPt6 for <tls@ietfa.amsl.com>; Fri, 8 Feb 2013 16:12:55 -0800 (PST)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.244]) by ietfa.amsl.com (Postfix) with ESMTP id 40D9121F853E for <tls@ietf.org>; Fri, 8 Feb 2013 16:12:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1360368775; x=1391904775; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=oERNiHQrIJQd8OYy/udLlHY/synFwMj5lJadGKI3WZk=; b=rPMWwIINGVVwwWB5SDOTJ82dCLR24xTe9KA5yzPpDDskwbNNZK9+KYls 2SsjGd8LF2Upomteg692XxfUnEuZDSf9OxOtt8kL+IEH6YfNX37P9FUj9 IFc56JwVyYe7Ny66NAIySUEcv2oWHeC/b9+BxJ/GgTMzYAgXJw0eLULtp k=;
X-IronPort-AV: E=Sophos;i="4.84,633,1355050800"; d="scan'208";a="169634809"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing
Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 09 Feb 2013 13:12:53 +1300
Received: from UXCN10-2.UoA.auckland.ac.nz ([169.254.2.181]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.02.0318.004; Sat, 9 Feb 2013 13:12:53 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] TLS1.3
Thread-Index: Ac4GWjPkE3BF8LyaSYCDpZZUaIXB7w==
Date: Sat, 09 Feb 2013 00:12:52 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73333FFF9A@uxcn10-2.UoA.auckland.ac.nz>
Accept-Language: en-GB, en-NZ, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] TLS1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Feb 2013 00:12:57 -0000
Nikos Mavrogiannopoulos <nmav@gnutls.org> writes: >However, the switch from MAC-then-Encrypt to Encrypt-then-MAC mode of >operation is a radical move that does not affect only the CBC ciphers (e.g. >RC4-SHA1 is also MAC-then-Encrypt). It's actually pretty trivial. Just to provide a data point on the effects of this change, I've done a preliminary implementation and found that it's about 30 minutes work to add support for the MAC outside the encryption (I just change the position of one function call and tweak a few things here and there). In addition the net change in code is so significant (due to removing the masses of gunk I have in there to deal with side-channel attacks) that I've created a separate function unwrapPacketTLSMAC() that's a tiny fraction of the size and complexity of the original unwrapPacketSSL() and its associated side-channel functions. I estimate that, if I were to remove all the legacy code, there'd be a net increase of -500 to -1000 lines of code from adding encrypt-then-MAC, as well as taking a whole pile of potentially error- prone cruft out of the code path. As Martin has pointed out, this is such a no-brainer it could have been made years ago with TLS 1.1's explicit IV. If anyone wants to do some interop testing, let me know. Currently I just hardcode in e-then-M via a compile option for testing purposes, I haven't done the extension-negotiation bit yet, although that should be pretty trivial in any case. Peter.
- Re: [TLS] TLS1.3 Peter Gutmann
- [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Eric Rescorla
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Eric Rescorla
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Dan Harkins
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 David McGrew (mcgrew)
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Peter Gutmann
- Re: [TLS] TLS1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Paterson, Kenny
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Lewis, Nick
- Re: [TLS] TLS1.3 Yoav Nir
- Re: [TLS] TLS1.3 Nikos Mavrogiannopoulos
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Nico Williams
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Russ Housley
- Re: [TLS] TLS1.3 Wan-Teh Chang
- Re: [TLS] TLS1.3 Scott Schmit
- Re: [TLS] TLS1.3 Martin Rex
- Re: [TLS] TLS1.3 Scott Schmit
- Re: [TLS] TLS1.3 Peter Gutmann