IETF Logo Mail Archive

Re: [TLS] TLS1.3

Nikos Mavrogiannopoulos <nmav@gnutls.org> Mon, 11 February 2013 15:14 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BB8D21F8AB1 for <tls@ietfa.amsl.com>; Mon, 11 Feb 2013 07:14:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.811
X-Spam-Level:
X-Spam-Status: No, score=-2.811 tagged_above=-999 required=5 tests=[AWL=0.166, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sWJkeSdjg3dY for <tls@ietfa.amsl.com>; Mon, 11 Feb 2013 07:14:41 -0800 (PST)
Received: from mail-qc0-f182.google.com (mail-qc0-f182.google.com [209.85.216.182]) by ietfa.amsl.com (Postfix) with ESMTP id 83F8321F8AB4 for <tls@ietf.org>; Mon, 11 Feb 2013 07:14:41 -0800 (PST)
Received: by mail-qc0-f182.google.com with SMTP id k19so2271924qcs.27 for <tls@ietf.org>; Mon, 11 Feb 2013 07:14:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=GMS5oGTLwUOAJ1wrRSzlvdsMJJKsFBLG2iOuAxtBrP0=; b=Ib7D3YW9lvFC1B+Kyg3xQ2BHs8qIriCd6oy6pfHoLbBx32dxZ/2dLximNNg4SABMEs FwF7N3t7V7pfMhJFcg6SFqV8cyJycnDCstME0N+9cJptt4I7qi7CCTbazQIxwIfO5K8Z eMgnSCxkJtVWLgneKzNU8fF59CdhLsFNlUoX4G4zmxauDmg6HvDIxzxox9dgQlmGXvTV DR8GpLuZvgSgXx+k+IjWyeUxuqZ3c9DxDiJYIZbro6lPq4zU7o6uhTcOuZ+tuZB7yHJ1 3OvzK5vZaihYfwGcXiQXXvkRl3jXPAoJ1p20nNOEiFNBHbn20dODnLkciI3V1jI5eyRj Sv1A==
MIME-Version: 1.0
X-Received: by 10.49.71.204 with SMTP id x12mr6225488qeu.47.1360595680808; Mon, 11 Feb 2013 07:14:40 -0800 (PST)
Sender: n.mavrogiannopoulos@gmail.com
Received: by 10.229.78.204 with HTTP; Mon, 11 Feb 2013 07:14:40 -0800 (PST)
In-Reply-To: <B132B06E59C4A540A03C3393F53BC07C408169C0@EXCH-MB01.cc.rhul.local>
References: <AAE0766F5AF36B46BAB7E0EFB9273206194A67DCDC@GBTWK10E001.Technology.local> <B132B06E59C4A540A03C3393F53BC07C408169C0@EXCH-MB01.cc.rhul.local>
Date: Mon, 11 Feb 2013 16:14:40 +0100
X-Google-Sender-Auth: xAldgepON5G-Wat5nmC9tyjofGE
Message-ID: <CAJU7zaKBJoGw2eq04faegnhJiBdHP96A8N1CRymo17pOu8LrGA@mail.gmail.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "Lewis, Nick" <nick.lewis@usa.g4s.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Feb 2013 15:14:42 -0000

On Mon, Feb 11, 2013 at 10:26 AM, Paterson, Kenny
<Kenny.Paterson@rhul.ac.uk> wrote:

>>  The reality of TLS though is that there are many MACs in everyday use that are not secure (based on hashes of 80bits or even 64 bits). These are currently protected from attack by being behind strong (112bit or 128 bit) crypt.
> The "usual" MAC algorithms for TLS are HMAC-MD5, HMAC-SHA-1 and HMAC-SHA-256 (HMAC-SHA-384 is also a possibility). These all have MAC tags of at least 128 bits.

Indeed but note that today we have key recovery attacks on HMAC-MD4
[1,0]. Partial key recovery attacks exist on HMAC-MD5, too. It may be
long until such an attack applies to an encrypt-then-authenticate
setup, but could someone rule that possibility out? The current
authenticate-then-encrypt mode would most likely prevent such attacks.
The encrypt-then-authenticate modes would provide any adversary with
the MACed data and the MAC in plain.

It seems like a tradeoff between concealment and integrity.

Personally, I do believe that any fix to a protocol with such
deployment should be targeted at the problem in question, unless there
are serious reasons to believe that the old mechanism is beyond
repair. I do think we are not in that case yet and a mechanism to make
the pad part of the MAC as I proposed in an earlier e-mail is
sufficient.
However, I also believe any solution is better than no solution at
all, and I do think that this WG should decide on a document to update
RFC5246, which either fixes the issue or replaces the CBC
ciphersuites.

regards,
Nikos

[0]. Contini, Scott, and Yiqun Yin. "Forgery and partial key-recovery
attacks on HMAC and NMAC using hash collisions." Advances in
Cryptology–ASIACRYPT 2006 (2006): 37-53.

[1]. Fouque, Pierre-Alain, Gaëtan Leurent, and Phong Nguyen. "Full
key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5." Advances in
Cryptology-CRYPTO 2007 (2007): 13-30.

v2.23.0 | Report a Bug | By Email