IETF Logo Mail Archive

Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)

mrex@sap.com (Martin Rex) Tue, 12 November 2013 16:53 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3578C21E80AC for <tls@ietfa.amsl.com>; Tue, 12 Nov 2013 08:53:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.184
X-Spam-Level:
X-Spam-Status: No, score=-10.184 tagged_above=-999 required=5 tests=[AWL=0.065, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C6U8uKBYmThx for <tls@ietfa.amsl.com>; Tue, 12 Nov 2013 08:53:47 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 7A1A221E80A1 for <tls@ietf.org>; Tue, 12 Nov 2013 08:53:45 -0800 (PST)
Received: from mail06.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id rACGrhC2003546 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 12 Nov 2013 17:53:43 +0100 (MET)
In-Reply-To: <CA+BZK2pu1F3zpRJNFX=QjFh=4JkooTgxkjDFPKBosnVCvuSonA@mail.gmail.com>
To: Ralf Skyper Kaiser <skyper@thc.org>
Date: Tue, 12 Nov 2013 17:53:43 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131112165343.CA1101AA80@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypt-then-MAC again (was Re: padding bug)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2013 16:53:52 -0000

Ralf Skyper Kaiser wrote:
> 
> Is this preference based on security concerns or personal preference and
> ease of implementation/adaption?

  - kiss principle (least amount of protocol and code changes)
  - don't fix if it ain't broken
  - conservative design, higher security margin.
  - personal preference

Stream & AEAD ciphers use XOR for encryption and neither supports random
padding, so manipulating known plaintext can be achieved with 100% precision.
I therefore want to ensure that my integrity protection has a very high
security margin.


> 
> (Reading the Serge Vaudenary thread  suggest the latter - which is fine by
> me - its worth considering the trade off.)
> 
> Encrypt-then-mac has some other security benefits. (Among others that the
> decrypt routine never has to process bogus/bad messages
> [e.g. those where the MAC would fail in current encrypt-mac].).

Which benefits are this?

I am not aware of any security benefit for the real world from
doing EtA over AtE.

If MAC erros were common in the wild, I would know about it,
because I would get customer inquiries about it and regularly see
it in error logs from customers.  During the last 10 years there was
only one occasion where a customer had a low, but persistent amount
of MAC errors.  On investigation, it wasn't MAC errors, it was
actually RSA decryption failures, caused by a firmware bug in
that customers SSL accellerator (for which the vendor produced
a firmware patch after we reported the problem).

-Martin

v2.23.0 | Report a Bug | By Email