Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
Alfredo Pironti <alfredo@pironti.eu> Sat, 30 November 2013 17:58 UTC
Hi Kenny,

> But, at the risk of repeating myself, I very much prefer the simplicity
> and robustness of an Encrypt-then-MAC construction.

I agree with you. Indeed, Encrypt-then-MAC and (or within) AEAD are the only two cipher modes I'd like to see in TLS 1.3. In practice however, we witness the disastrous experience in widely deploying any change which is not a small patch to TLS1.0. So I'm afraid that to get something deployed in reasonable times we may have to get content with such a patch, like pad-MAC-Encrypt, that makes more robust (if not provably secure) what we already have.

Alfredo