IETF Logo Mail Archive

[TLS] [Technical Errata Reported] RFC5288 (4694)

RFC Errata System <rfc-editor@rfc-editor.org> Sat, 14 May 2016 08:28 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACAB712D6D8 for <tls@ietfa.amsl.com>; Sat, 14 May 2016 01:28:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.898
X-Spam-Level:
X-Spam-Status: No, score=-107.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 372fwplTg8ri for <tls@ietfa.amsl.com>; Sat, 14 May 2016 01:28:22 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1496712D0C8 for <tls@ietf.org>; Sat, 14 May 2016 01:28:22 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 7997D180004; Sat, 14 May 2016 01:27:17 -0700 (PDT)
To: jsalowey@cisco.com, abhijitc@cisco.com, mcgrew@cisco.com, stephen.farrell@cs.tcd.ie, Kathleen.Moriarty.ietf@gmail.com, sean+ietf@sn3rd.com, joe@salowey.net
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20160514082717.7997D180004@rfc-editor.org>
Date: Sat, 14 May 2016 01:27:17 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/pV7IzE5XmgUytI5OemV-vqjzPqE>
X-Mailman-Approved-At: Sat, 14 May 2016 15:09:36 -0700
Cc: tls@ietf.org, rfc-editor@rfc-editor.org
Subject: [TLS] [Technical Errata Reported] RFC5288 (4694)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 May 2016 08:28:24 -0000

The following errata report has been submitted for RFC5288,
"AES Galois Counter Mode (GCM) Cipher Suites for TLS".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5288&eid=4694

--------------------------------------
Type: Technical
Reported by: Aaron Zauner <azet@azet.org>

Section: 6.1

Original Text
-------------
   AES-GCM security requires that the counter is never reused.  The IV
   construction in Section 3 is designed to prevent counter reuse.

   Implementers should also understand the practical considerations of
   IV handling outlined in Section 9 of [GCM].

Corrected Text
--------------
   Security of AES-GCM requires that the "nonce" (number used once) is 
   never reused. The IV construction in Section 3 does not prevent 
   implementers from reusing the nonce by mistake. It is paramount that 
   the implementer be aware of the security implications when a nonce 
   is re-used even once. 

   Nonce re-use in AES-GCM results in catastrophic failure of it's
   authenticity. Hence, TLS sessions can be effectively attacked through
   forgery by an adversary. In the case of e.g. HTTPS sessions content
   injection is possible, XSS and other attack vectors.

Notes
-----
Obviously the original wording is so ambiguous that implementers got it wrong in the real world. Related to: https://www.blackhat.com/us-16/briefings.html#nonce-disrespecting-adversaries-practical-forgery-attacks-on-gcm-in-tls

It may be worth adding a reference to [JOUX] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/...38.../GCM/Joux_comments.pdf and maybe the paper we're intending to release on the actual HTTPS forgery/injection attack.

I'd actually like to change the nonce construction to that of the ChaCha20/Poly1305 document, but I figure this will cause massive breakage for already deployed implementations. TLS 1.3 fixes this issue per design.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC5288 (draft-ietf-tls-rsa-aes-gcm-03)
--------------------------------------
Title               : AES Galois Counter Mode (GCM) Cipher Suites for TLS
Publication Date    : August 2008
Author(s)           : J. Salowey, A. Choudhury, D. McGrew
Category            : PROPOSED STANDARD
Source              : Transport Layer Security
Area                : Security
Stream              : IETF
Verifying Party     : IESG

v2.23.0 | Report a Bug | By Email