[TLS] [Technical Errata Reported] RFC5288 (4694)
RFC Errata System <rfc-editor@rfc-editor.org> Sat, 14 May 2016 08:28 UTC
To: jsalowey@cisco.com, abhijitc@cisco.com, mcgrew@cisco.com, stephen.farrell@cs.tcd.ie, Kathleen.Moriarty.ietf@gmail.com, sean+ietf@sn3rd.com, joe@salowey.net
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20160514082717.7997D180004@rfc-editor.org>
Date: Sat, 14 May 2016 01:27:17 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/pV7IzE5XmgUytI5OemV-vqjzPqE>
Cc: tls@ietf.org, rfc-editor@rfc-editor.org
Subject: [TLS] [Technical Errata Reported] RFC5288 (4694)
The following errata report has been submitted for RFC5288, "AES Galois Counter Mode (GCM) Cipher Suites for TLS".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5288&eid=4694

--------------------------------------
Type: Technical
Reported by: Aaron Zauner <azet@azet.org>

Section: 6.1

Original Text
-------------
AES-GCM security requires that the counter is never reused. The IV construction in Section 3 is designed to prevent counter reuse. Implementers should also understand the practical considerations of IV handling outlined in Section 9 of [GCM].

Corrected Text
--------------
Security of AES-GCM requires that the "nonce" (number used once) is never reused. The IV construction in Section 3 does not prevent implementers from reusing the nonce by mistake. It is paramount that the implementer be aware of the security implications when a nonce is re-used even once. Nonce re-use in AES-GCM results in catastrophic failure of its authenticity. Hence, TLS sessions can be effectively attacked through forgery by an adversary. In the case of e.g. HTTPS sessions, content injection, XSS and other attack vectors are possible.

Notes
-----
Obviously the original wording is so ambiguous that implementers got it wrong in the real world. Related to: https://www.blackhat.com/us-16/briefings.html#nonce-disrespecting-adversaries-practical-forgery-attacks-on-gcm-in-tls

It may be worth adding a reference to [JOUX] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/...38.../GCM/Joux_comments.pdf and maybe the paper we're intending to release on the actual HTTPS forgery/injection attack.

I'd actually like to change the nonce construction to that of the ChaCha20/Poly1305 document, but I figure this will cause massive breakage for already deployed implementations. TLS 1.3 fixes this issue per design.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC5288 (draft-ietf-tls-rsa-aes-gcm-03)
--------------------------------------
Title               : AES Galois Counter Mode (GCM) Cipher Suites for TLS
Publication Date    : August 2008
Author(s)           : J. Salowey, A. Choudhury, D. McGrew
Category            : PROPOSED STANDARD
Source              : Transport Layer Security
Area                : Security
Stream              : IETF
Verifying Party     : IESG
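The forgery the corrected text warns about, shown as an added, runnable example; this is editor-supplied code, not part of the erratum, of RFC 5288 or of any TLS implementation. Assumptions: the block cipher is a SHA-256 keyed PRF standing in for AES, since Joux's "forbidden attack" never looks inside the cipher, only at the fact that H = E_K(0) and E_K(J0) are fixed for a given key and nonce; the two colliding records are single-block with no additional data, which keeps the GHASH polynomial at degree two so H can be solved for directly (longer records need root-finding over GF(2^128)); the HTTP-like plaintexts and the names recover_h_and_s, forge and demo are constructed for this demonstration.

```python
"""Joux's "forbidden attack" on GCM under nonce reuse, as a self-contained demo.

GCM's tag is T = GHASH_H(A, C) XOR E_K(J0), with H = E_K(0^128) and J0 from the
nonce.  Two records under one key AND one nonce share the CTR keystream and
E_K(J0); XORing their tags leaves (C1 XOR C2) * H^2 in GF(2^128), so H is
recovered and every later tag is forgeable.  block_cipher() is a SHA-256 keyed
PRF standing in for AES (assumption: the attack never uses the cipher's internals).
"""
import hashlib
import secrets

R = 0xE1000000000000000000000000000000  # x^128 + x^7 + x^2 + x + 1, bit-reflected
ONE = 1 << 127                            # multiplicative identity in GCM's bit order

def gf_mult(x: int, y: int) -> int:
    """Multiply in GF(2^128) as in NIST SP 800-38D, Algorithm 1 (bit 0 = MSB)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def gf_pow(x: int, e: int) -> int:
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mult(result, base)
        base = gf_mult(base, base)
        e >>= 1
    return result

def gf_inv(x: int) -> int: return gf_pow(x, (1 << 128) - 2)   # x^(2^128-2) = 1/x
def gf_sqrt(x: int) -> int: return gf_pow(x, 1 << 127)        # Frobenius: (x^(2^127))^2 = x

def block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_K(block) (assumption, see module docstring)."""
    return hashlib.sha256(key + block).digest()[:16]

def ghash(h: int, aad: bytes, ct: bytes) -> int:
    pad = lambda b: b + bytes(-len(b) % 16)
    data = pad(aad) + pad(ct) + (8 * len(aad)).to_bytes(8, "big") + (8 * len(ct)).to_bytes(8, "big")
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mult(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y

def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR keystream from nonce || 0^31 || 2 onward, as GCM does for 96-bit nonces."""
    out = bytearray()
    for i in range(0, len(data), 16):
        ks = block_cipher(key, nonce + (2 + i // 16).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], ks))
    return bytes(out)

def _tag(key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    h = int.from_bytes(block_cipher(key, bytes(16)), "big")                       # H = E_K(0)
    s = int.from_bytes(block_cipher(key, nonce + (1).to_bytes(4, "big")), "big")  # E_K(J0)
    return (ghash(h, aad, ct) ^ s).to_bytes(16, "big")

def gcm_encrypt(key, nonce, aad, pt):
    ct = _ctr_xor(key, nonce, pt)
    return ct, _tag(key, nonce, aad, ct)

def gcm_decrypt(key, nonce, aad, ct, tag):
    """Plaintext if the tag verifies, else None (the receiver's check a forgery must pass)."""
    if not secrets.compare_digest(_tag(key, nonce, aad, ct), tag):
        return None
    return _ctr_xor(key, nonce, ct)

def recover_h_and_s(ct1, tag1, ct2, tag2):
    """Forbidden attack for two distinct single-block, AAD-free records sharing a nonce:
    Tag_i = C_i*H^2 XOR L*H XOR S, hence Tag1 XOR Tag2 = (C1 XOR C2) * H^2."""
    c1, c2 = int.from_bytes(ct1, "big"), int.from_bytes(ct2, "big")
    if len(ct1) != 16 or len(ct2) != 16 or c1 == c2:
        raise ValueError("need two distinct 16-byte ciphertexts")
    t1, t2 = int.from_bytes(tag1, "big"), int.from_bytes(tag2, "big")
    h = gf_sqrt(gf_mult(t1 ^ t2, gf_inv(c1 ^ c2)))
    s = t1 ^ ghash(h, b"", ct1)
    return h, s

def forge(h, s, ct1, pt1, new_pt):
    """Inject new_pt: reuse the keystream (ct1 XOR pt1), then tag with recovered H and S."""
    ks = bytes(a ^ b for a, b in zip(ct1, pt1))
    new_ct = bytes(a ^ b for a, b in zip(new_pt, ks))
    return new_ct, (ghash(h, b"", new_ct) ^ s).to_bytes(16, "big")

def demo() -> bool:
    """True when the receiver accepts a record the sender never produced."""
    key, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    pt1, pt2 = b"GET /index.html ", b"GET /about.html "   # constructed sample records
    ct1, tag1 = gcm_encrypt(key, nonce, b"", pt1)
    ct2, tag2 = gcm_encrypt(key, nonce, b"", pt2)          # same nonce: the bug
    h, s = recover_h_and_s(ct1, tag1, ct2, tag2)           # attacker sees only ct/tag
    ct3, tag3 = forge(h, s, ct1, pt1, b"GET /evil.html  ")
    return gcm_decrypt(key, nonce, b"", ct3, tag3) == b"GET /evil.html  "

if __name__ == "__main__":
    print(demo())
```

Running the module prints True: the receiver accepts a record that was never sent, with attacker-chosen content, which is the content-injection case the corrected text describes. Note that the attacker needed nothing but two ciphertext/tag pairs from the wire; no key material and no knowledge of the cipher. On the implementation side the check this implies is that the 64-bit nonce_explicit of RFC 5288 Section 3 must come from a source that cannot repeat under one key (the record sequence number is the obvious choice), since the IV construction by itself only guarantees uniqueness if the implementer does that.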
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- [TLS] [Technical Errata Reported] RFC5288 (4694) RFC Errata System
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Peter Gutmann
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Rick van Rein
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Peter Gutmann
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Tony Arcieri
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Joseph Salowey
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Judson Wilson
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Peter Gutmann
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Atul Luykx
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Peter Gutmann
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Yoav Nir
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Paterson, Kenny
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Paterson, Kenny
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Paterson, Kenny
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Aaron Zauner
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Joseph Lorenzo Hall
- Re: [TLS] [Technical Errata Reported] RFC5288 (46… Megan Ferguson
- [TLS] [Errata Verified] RFC5288 (4694) RFC Errata System
- Re: [TLS] [Errata Verified] RFC5288 (4694) Peter Gutmann