IETF Logo Mail Archive

Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Ralf Skyper Kaiser <skyper@thc.org> Thu, 14 November 2013 16:05 UTC

Return-Path: <skyper@thc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5B6B21E80EE for <tls@ietfa.amsl.com>; Thu, 14 Nov 2013 08:05:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.357
X-Spam-Level: *
X-Spam-Status: No, score=1.357 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8bi9dZYfrvbM for <tls@ietfa.amsl.com>; Thu, 14 Nov 2013 08:05:18 -0800 (PST)
Received: from mail-ie0-x22c.google.com (mail-ie0-x22c.google.com [IPv6:2607:f8b0:4001:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id A0DBE21E80EC for <tls@ietf.org>; Thu, 14 Nov 2013 08:05:18 -0800 (PST)
Received: by mail-ie0-f172.google.com with SMTP id to1so3060287ieb.3 for <tls@ietf.org>; Thu, 14 Nov 2013 08:05:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=FRzyi3i1z+lzecZQHMzxXUpIXQ2HzN1P5HiMH4Xkp+c=; b=MpVmAsG1V3yi5CWoSwlMQhitQAhncVet9jxHmHSAZEzKeUZl/qBtyw9BCDOSqP3jtN m/H8pGbKthMaiFAzF/isf/ewtSqXvYR4mE837R6QwEGd44mYyrdtNWkWLtDF40inAMM2 p5CGomLh1PQugU42iCa8O8m6vZ7s08v10n6HE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=FRzyi3i1z+lzecZQHMzxXUpIXQ2HzN1P5HiMH4Xkp+c=; b=UPOKSxseLIuw1QNcUHYNvkmyFuG7mq2NRmKqW2JcxstJFi75eV1EtlqyBrQsqe4CtP 7HcYH77d8PL2VoAHIzWvKVbzAYaJjacNz6qBbEFk+HPOZ2yXTsl9pj4wNZGF5WuZhYAH Whwz6QNdsK9WhCGZn4jJc0Eccy5UPrYFK1oQAWmPHHLWL+kEDBkOWzzJ++VRRXT6DY8p l8Q7SUC1WfvY21pmBPf0rFtJl7CO/K0xrUHSEw2yEFpTDYbjWuR3Lyeh6gCI2TZk5y5H byUe9sPg1HTEyEp7/5r61xp8zOTK4MeVHPLkFgWMXTIYakO8WZp/DrggLDOOvUhEDd3m 0E2Q==
X-Gm-Message-State: ALoCoQlxjjzmgvlaQ3ciEcAncpkjIy19PmHJqqdgaMewXvE0HD50Ig8Waq1nxjVLLVUoD9OG/fX/
MIME-Version: 1.0
X-Received: by 10.50.6.99 with SMTP id z3mr1765140igz.27.1384445117742; Thu, 14 Nov 2013 08:05:17 -0800 (PST)
Received: by 10.64.108.163 with HTTP; Thu, 14 Nov 2013 08:05:17 -0800 (PST)
X-Originating-IP: [86.152.141.101]
In-Reply-To: <CAJU7za+N3KU1Mhfi3oXaAZd2kkCQOW3a59ZBrfQhdtKzVqA-6g@mail.gmail.com>
References: <007d01cee0b9$ffbe8290$ff3b87b0$@org> <20131114150531.66A001AA90@ld9781.wdf.sap.corp> <CA+BZK2pEVQY_MCU7x4ZW+UB8GDOz83sTZrmbyFdpzhrgz_t4PA@mail.gmail.com> <CAJU7za+N3KU1Mhfi3oXaAZd2kkCQOW3a59ZBrfQhdtKzVqA-6g@mail.gmail.com>
Date: Thu, 14 Nov 2013 16:05:17 +0000
Message-ID: <CA+BZK2oDFw7dQfrf-GqXRnb6aTtEGek4j5gbBxmow6C7Wj60XA@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Content-Type: multipart/alternative; boundary="e89a8f3b9c23744a6f04eb253ff2"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Nov 2013 16:05:23 -0000

On Thu, Nov 14, 2013 at 4:00 PM, Nikos Mavrogiannopoulos <nmav@gnutls.org>wrote:

> On Thu, Nov 14, 2013 at 4:47 PM, Ralf Skyper Kaiser <skyper@thc.org>
> wrote:
>
> > 1. EtA discards a malicious packet earlier than AtE. This means the
> packet
> > is processed by less programm code and the attacker has less chance to
> > trigger a vulnerability in the program code (We are talking buffer
> overflow
> > [etc!] here as well and not just crypto-vulns).
>
> This is an often repeated argument. How many of these attacks are we
> currently seeing in TLS that doesn't use EtA? None. The difference in
> processing is really negligible to be used in a serious attack.
>
> > 2.With AtE there is a correlation between the MAC and the plaintext. This
> > turns any known-plaintext attack into a ciphertext only attack and you
> > should not have a correlation even if this correlation can not be
> exploited
> > today by public cryptanalytic means.
>
> I don't understand your point. How would they work when the MAC is
> encrypted?
>
> Both EtA and AtE have weak points, depending what you trust more, the
> cipher or the MAC. With EtA you need to trust the MAC as any attacker
> has access to the MAC and the actual authenticated data (which is the
> ciphertext).
>
>
Program code:
With EtA you need to trust the MAC. With AtE you need to trust the cipher
_and_ the MAC.

Correlation with plaintext:
I do not understand your argument. With EtA there just is no correlation.
That's a good thing. Only with AtE there is (that's a bad thing).

regards,

ralf

regards,
> Nikos
>

v2.23.0 | Report a Bug | By Email