Re: [TLS] On the possibility of AEAD modes that require padding
Watson Ladd <watsonbladd@gmail.com> Fri, 20 June 2014 18:25 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BB9F1B28E7 for <tls@ietfa.amsl.com>; Fri, 20 Jun 2014 11:25:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TswS99YxfusZ for <tls@ietfa.amsl.com>; Fri, 20 Jun 2014 11:25:18 -0700 (PDT)
Received: from mail-yh0-x22a.google.com (mail-yh0-x22a.google.com [IPv6:2607:f8b0:4002:c01::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17E0A1B28CF for <tls@ietf.org>; Fri, 20 Jun 2014 11:23:59 -0700 (PDT)
Received: by mail-yh0-f42.google.com with SMTP id i57so3184878yha.1 for <tls@ietf.org>; Fri, 20 Jun 2014 11:23:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=PGTIUyH+LGyCIhZ29++pmHSNkqlvZBNdgehU1WnmkL8=; b=puLuXPYL9ELcZy1EWsYKsFFym1MRDa7xVSlEI3+xN6Jd7TXBM4xPNjGd1vJUWNtHY5 SP4wcgPUAyzpiZZ0o2WhW7+ftMR2rw2+PQ/WxnE3c7T1pP6K98lDjN1Da69W9Z8aqyu9 fyqGoYi9+ofLOo5yw/i8jFYwLN7oTh1u9nDhymHA/Ia3nFUqefRya/lkeawFEbwZpW+v SIMPxq6LOI5ntOeNSyo59B2wFNSopdopvYcZy4BPXtdyNc3f9EwEw6X5njOhnsv9XEtY xql81OBuDdfPIPLNyVvT9H5vNdoVZg8oUJlQkzdVwSIBYavyWa4aXB4H5hAyiSNuH3PC MIiA==
MIME-Version: 1.0
X-Received: by 10.236.15.133 with SMTP id f5mr7676085yhf.63.1403288638363; Fri, 20 Jun 2014 11:23:58 -0700 (PDT)
Received: by 10.170.39.136 with HTTP; Fri, 20 Jun 2014 11:23:58 -0700 (PDT)
In-Reply-To: <87k38bzc0h.fsf@alice.fifthhorseman.net>
References: <87k38bzc0h.fsf@alice.fifthhorseman.net>
Date: Fri, 20 Jun 2014 15:23:58 -0300
Message-ID: <CACsn0cn64z3r6oSZPEANPM=4bNqTNKXxVzG3uW0Wk+Kn9O_Yeg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pZmJaSJbKDozDSRCs-kbiwOd_B4
Cc: IETF TLS Working Group <tls@ietf.org>
Subject: Re: [TLS] On the possibility of AEAD modes that require padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jun 2014 18:25:23 -0000
On Fri, Jun 20, 2014 at 3:11 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > hi IETF folks-- > > If an AEAD mode is ever defined that must pad its input to a blocksize > before encrypting, the current spec seems like it will break. > > This is a currently-theoretical concern, since (fixed authentication tag > notwithstanding) GCM does not pad its input, and OCB and > chacha20-poly1305 (and other AEAD modes i could find data on) also don't > pad their input. > > (note that this question is independent of the various proposals for > explicitly introducing padding into TLS, which i don't go into here) > > The 1.3 draft currently says: > >> The additional authenticated data, which we denote as additional_data, is >> defined as follows: >> >> additional_data = seq_num + TLSPlaintext.type + >> TLSPlaintext.version + TLSPlaintext.length; >> >> where "+" denotes concatenation. >> >> The aead_output consists of the ciphertext output by the AEAD encryption >> operation. The length will generally be larger than TLSPlaintext.length, but >> by an amount that varies with the AEAD cipher. Since the ciphers might >> incorporate padding, the amount of overhead could vary with different >> TLSPlaintext.length values. Each AEAD cipher MUST NOT produce an expansion of >> greater than 1024 bytes. > > It goes on to define AEAD-Decrypt this way: > >> TLSPlaintext.fragment = AEAD-Decrypt(write_key, nonce, >> AEADEncrypted, >> additional_data) > > Consider the decryption step. The decryptor knows: > > * the AEAD mode (including the taglength) > * the nonce > * the write key > * the sequence number > * the record type > * the TLS version > * the ciphertext (including its length) > > To create additional_data, it must be able to derive TLSPlaintext.length > From the above information. > > All the AEAD modes i know about have a ciphertext expansion of a > fixed-length tag. so: > > TLSPlaintext.length = TLSCiphertext.length - AEADmode.taglength > > But if an AEAD mode were to additionally pad its input ("Since the > ciphers might incorporate padding, the amount of overhead could vary > with different TLSPlaintext.length values"), there would be no clear way > to derive additional_data because the length of the plaintext is unknown > before doing the decryption. This is just a straight-up mistake: AEAD modes already protect the plaintext length without explicitly supplying it in the form of AAD. Omitting it solves the problem. > > So i think the fix is to specify that additional_data should be derived > From the padded length of the TLSPlaintext.fragment, not from > TLSPlaintext.length. For GCM (and other AEAD modes i know of) these > values are of course identical. > > Making this explicit seems like it would require a bit of gymnastics in > the spec, all for the sake of holding open the door for future modes > with variable-length ciphertext expansion. I can try to make a patch > for this change, but i want to know if we think it's necessary. > > Alternately, we could decide that we won't accept modes that require > this kind of padding (maybe stripping out the sentence about "might > incorporate padding"). > > Have i missed an obvious solution or misunderstood the situation? What > do people think we should do here? > > --dkg > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] On the possibility of AEAD modes that requi… Daniel Kahn Gillmor
- Re: [TLS] On the possibility of AEAD modes that r… Adam Langley
- Re: [TLS] On the possibility of AEAD modes that r… Watson Ladd
- Re: [TLS] On the possibility of AEAD modes that r… Eric Rescorla
- Re: [TLS] On the possibility of AEAD modes that r… Daniel Kahn Gillmor
- Re: [TLS] On the possibility of AEAD modes that r… Yoav Nir