Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
Ralf Skyper Kaiser <skyper@thc.org> Thu, 14 November 2013 16:05 UTC
Return-Path: <skyper@thc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5B6B21E80EE for <tls@ietfa.amsl.com>; Thu, 14 Nov 2013 08:05:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.357
X-Spam-Level: *
X-Spam-Status: No, score=1.357 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8bi9dZYfrvbM for <tls@ietfa.amsl.com>; Thu, 14 Nov 2013 08:05:18 -0800 (PST)
Received: from mail-ie0-x22c.google.com (mail-ie0-x22c.google.com [IPv6:2607:f8b0:4001:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id A0DBE21E80EC for <tls@ietf.org>; Thu, 14 Nov 2013 08:05:18 -0800 (PST)
Received: by mail-ie0-f172.google.com with SMTP id to1so3060287ieb.3 for <tls@ietf.org>; Thu, 14 Nov 2013 08:05:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=FRzyi3i1z+lzecZQHMzxXUpIXQ2HzN1P5HiMH4Xkp+c=; b=MpVmAsG1V3yi5CWoSwlMQhitQAhncVet9jxHmHSAZEzKeUZl/qBtyw9BCDOSqP3jtN m/H8pGbKthMaiFAzF/isf/ewtSqXvYR4mE837R6QwEGd44mYyrdtNWkWLtDF40inAMM2 p5CGomLh1PQugU42iCa8O8m6vZ7s08v10n6HE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=FRzyi3i1z+lzecZQHMzxXUpIXQ2HzN1P5HiMH4Xkp+c=; b=UPOKSxseLIuw1QNcUHYNvkmyFuG7mq2NRmKqW2JcxstJFi75eV1EtlqyBrQsqe4CtP 7HcYH77d8PL2VoAHIzWvKVbzAYaJjacNz6qBbEFk+HPOZ2yXTsl9pj4wNZGF5WuZhYAH Whwz6QNdsK9WhCGZn4jJc0Eccy5UPrYFK1oQAWmPHHLWL+kEDBkOWzzJ++VRRXT6DY8p l8Q7SUC1WfvY21pmBPf0rFtJl7CO/K0xrUHSEw2yEFpTDYbjWuR3Lyeh6gCI2TZk5y5H byUe9sPg1HTEyEp7/5r61xp8zOTK4MeVHPLkFgWMXTIYakO8WZp/DrggLDOOvUhEDd3m 0E2Q==
X-Gm-Message-State: ALoCoQlxjjzmgvlaQ3ciEcAncpkjIy19PmHJqqdgaMewXvE0HD50Ig8Waq1nxjVLLVUoD9OG/fX/
MIME-Version: 1.0
X-Received: by 10.50.6.99 with SMTP id z3mr1765140igz.27.1384445117742; Thu, 14 Nov 2013 08:05:17 -0800 (PST)
Received: by 10.64.108.163 with HTTP; Thu, 14 Nov 2013 08:05:17 -0800 (PST)
X-Originating-IP: [86.152.141.101]
In-Reply-To: <CAJU7za+N3KU1Mhfi3oXaAZd2kkCQOW3a59ZBrfQhdtKzVqA-6g@mail.gmail.com>
References: <007d01cee0b9$ffbe8290$ff3b87b0$@org> <20131114150531.66A001AA90@ld9781.wdf.sap.corp> <CA+BZK2pEVQY_MCU7x4ZW+UB8GDOz83sTZrmbyFdpzhrgz_t4PA@mail.gmail.com> <CAJU7za+N3KU1Mhfi3oXaAZd2kkCQOW3a59ZBrfQhdtKzVqA-6g@mail.gmail.com>
Date: Thu, 14 Nov 2013 16:05:17 +0000
Message-ID: <CA+BZK2oDFw7dQfrf-GqXRnb6aTtEGek4j5gbBxmow6C7Wj60XA@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Content-Type: multipart/alternative; boundary="e89a8f3b9c23744a6f04eb253ff2"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Nov 2013 16:05:23 -0000
On Thu, Nov 14, 2013 at 4:00 PM, Nikos Mavrogiannopoulos <nmav@gnutls.org>wrote: > On Thu, Nov 14, 2013 at 4:47 PM, Ralf Skyper Kaiser <skyper@thc.org> > wrote: > > > 1. EtA discards a malicious packet earlier than AtE. This means the > packet > > is processed by less programm code and the attacker has less chance to > > trigger a vulnerability in the program code (We are talking buffer > overflow > > [etc!] here as well and not just crypto-vulns). > > This is an often repeated argument. How many of these attacks are we > currently seeing in TLS that doesn't use EtA? None. The difference in > processing is really negligible to be used in a serious attack. > > > 2.With AtE there is a correlation between the MAC and the plaintext. This > > turns any known-plaintext attack into a ciphertext only attack and you > > should not have a correlation even if this correlation can not be > exploited > > today by public cryptanalytic means. > > I don't understand your point. How would they work when the MAC is > encrypted? > > Both EtA and AtE have weak points, depending what you trust more, the > cipher or the MAC. With EtA you need to trust the MAC as any attacker > has access to the MAC and the actual authenticated data (which is the > ciphertext). > > Program code: With EtA you need to trust the MAC. With AtE you need to trust the cipher _and_ the MAC. Correlation with plaintext: I do not understand your argument. With EtA there just is no correlation. That's a good thing. Only with AtE there is (that's a bad thing). regards, ralf regards, > Nikos >
- [TLS] Requesting feedback on TACK draft Trevor Perrin
- Re: [TLS] Requesting feedback on TACK draft Peter Gutmann
- Re: [TLS] Requesting feedback on TACK draft Lewis, Nick
- [TLS] padding bug (was: Re: Requesting feedback o… Peter Saint-Andre
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug (was: Re: Requesting feedba… Alfredo Pironti
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Yaron Sheffer
- Re: [TLS] padding bug (was: Re: Requesting feedba… Paterson, Kenny
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Adam Langley
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Dr Stephen Henson
- Re: [TLS] padding bug Nico Williams
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug (was: Re: Requesting feedba… Bodo Moeller
- Re: [TLS] padding bug (was: Re: Requesting feedba… Paterson, Kenny
- Re: [TLS] padding bug Brian Smith
- Re: [TLS] padding bug Martin Rex
- [TLS] Encrypt-then-MAC again (was Re: padding bug) Michael D'Errico
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Watson Ladd
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Michael D'Errico
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ben Laurie
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Bryan C. Geraghty
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- [TLS] Would this fix RC4 again? (was Re: Encrypt-… Michael D'Errico
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Watson Ladd
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Paterson, Kenny
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Nikos Mavrogiannopoulos
- Re: [TLS] Would this fix RC4 again? (was Re: Encr… Jacob Appelbaum
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Ralf Skyper Kaiser
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Alex Elsayed
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Paterson, Kenny
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- Re: [TLS] Encrypt-then-MAC again (was Re: padding… Martin Rex
- [TLS] draft-mavrogiannopoulos-new-tls-padding-00 Martin Rex
- Re: [TLS] draft-mavrogiannopoulos-new-tls-padding… Nikos Mavrogiannopoulos