Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Alfredo Pironti <alfredo@pironti.eu> Sat, 30 November 2013 17:58 UTC

In-Reply-To: <CEBFC33E.10954%kenny.paterson@rhul.ac.uk>
References: <1385826600.11639.25.camel@aspire.lan> <CEBFC33E.10954%kenny.paterson@rhul.ac.uk>
Date: Sat, 30 Nov 2013 18:58:30 +0100
Message-ID: <CALR0uiLgqeF_87THr98rgFvXrLsmiUO2Q9p+LGLxiHa==5AmCQ@mail.gmail.com>
From: Alfredo Pironti <alfredo@pironti.eu>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Content-Type: text/plain; charset="UTF-8"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

Hi Kenny,

> But, at the risk of repeating myself, I very much prefer the simplicity
> and robustness of an Encrypt-then-MAC construction.

I agree with you. Indeed, Encrypt-then-MAC and (or within) AEAD are
the only two cipher modes I'd like to see in TLS 1.3.

In practice however, we witness the disastrous experience in widely
deploying any change which is not a small patch to TLS 1.0. So I'm
afraid that to get something deployed in reasonable time we may have
to be content with such a patch, like pad-MAC-Encrypt, that makes
more robust (if not provably secure) what we already have.

Alfredo
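Added illustration, not part of the thread: the two record constructions being compared, TLS 1.0 style MAC-pad-encrypt beside Encrypt-then-MAC with the tag over IV and ciphertext, written so the receiver's failure modes are visible. The block cipher is a stand-in Feistel PRP built from HMAC (an assumption so the code runs without a crypto library), and the MAC input is a simplified record header (sequence number and length) rather than the full TLS one.

```python
import hmac, hashlib, os, struct
BLOCK, TAG = 16, 32
def _prp(key, block, decrypt=False):
    # Stand-in 128-bit block cipher: 4-round Feistel with HMAC-SHA256 round
    # functions. Assumed here only so the example runs without a crypto library.
    l, r = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for i in (reversed(range(4)) if decrypt else range(4)):
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l if decrypt else l + r
def _cbc(key, iv, data, decrypt=False):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        x = _prp(key, blk, True) if decrypt else bytes(a ^ b for a, b in zip(blk, prev))
        y = bytes(a ^ b for a, b in zip(x, prev)) if decrypt else _prp(key, x)
        out.append(y); prev = blk if decrypt else y
    return b"".join(out)
def _pad(data):  # TLS CBC padding: n bytes of value n, then the length byte n
    n = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([n]) * (n + 1)
def _unpad(pt):  # returns None on a padding error
    n = pt[-1]
    ok = len(pt) >= n + 1 and pt[-(n + 1):] == bytes([n]) * (n + 1)
    return pt[:-(n + 1)] if ok else None
def _mac(mk, seq, data):  # tag binds sequence number and length, as in TLS
    return hmac.new(mk, struct.pack(">QH", seq, len(data)) + data, hashlib.sha256).digest()
def mte_seal(mk, ek, seq, payload):  # TLS 1.0 style: MAC, pad, then CBC-encrypt
    iv = os.urandom(BLOCK)
    return iv + _cbc(ek, iv, _pad(payload + _mac(mk, seq, payload)))
def mte_open(mk, ek, seq, rec):  # returns (alert or None, plaintext)
    pt = _unpad(_cbc(ek, rec[:BLOCK], rec[BLOCK:], True))  # padding judged on unauthenticated bytes
    if pt is None:
        return "bad_padding", None  # a second failure mode the receiver must make indistinguishable
    body, tag = pt[:-TAG], pt[-TAG:]
    return (None, body) if hmac.compare_digest(tag, _mac(mk, seq, body)) else ("bad_mac", None)
def etm_seal(mk, ek, seq, payload):  # Encrypt-then-MAC: tag covers IV and ciphertext
    iv = os.urandom(BLOCK)
    ct = iv + _cbc(ek, iv, _pad(payload))
    return ct + _mac(mk, seq, ct)
def etm_open(mk, ek, seq, rec):  # returns (alert or None, plaintext)
    ct, tag = rec[:-TAG], rec[-TAG:]
    if not hmac.compare_digest(tag, _mac(mk, seq, ct)):
        return "bad_mac", None  # rejected before any decryption; padding is never inspected
    pt = _unpad(_cbc(ek, ct[:BLOCK], ct[BLOCK:], True))  # only authentic data reaches this check
    return (None, pt) if pt is not None else ("bad_padding", None)
def flip(rec, idx):  # test helper: toggle one bit of a record in transit
    b = bytearray(rec); b[idx] ^= 1; return bytes(b)
```

With MtE, a modified record can fail in the padding check or in the MAC check, and the receiver has to hide which; with EtM, every modified record fails the MAC check before decryption, which is the robustness the thread is after.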