Re: [TLS] Fwd: New Version Notification for draft-sheffer-tls-bcp-00.txt
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sun, 08 September 2013 10:12 UTC
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Fwd: New Version Notification for draft-sheffer-tls-bcp-00.txt
Thread-Index: AQHOrG1AVeDBKKwhJkSxbZHifQ8YWJm7r8UA
Date: Sun, 08 Sep 2013 10:12:36 +0000
Message-ID: <CE520750.A409%kenny.paterson@rhul.ac.uk>
In-Reply-To: <522C3497.9020301@gmail.com>
Subject: Re: [TLS] Fwd: New Version Notification for draft-sheffer-tls-bcp-00.txt
X-BeenThere: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
Dear Yaron,

Thanks for sharing this draft. Some quick points of feedback:

* Firstly, you asked:

[[Is it possible to effect some length hiding using TLS 1.2 as specified today, i.e. without draft-pironti-tls-length-hiding-01, and using available APIs?]]

The answer is "yes, to some extent, and for some cipher suites, but it does not help much against compression attacks". Expanding: variable-length padding is available for CBC-mode ciphersuites in TLS 1.0 and higher (but not widely implemented). This allows an implementation to "disguise" the underlying message size to some extent, and it can be proven to be secure providing you avoid short MAC tags as in RFC 6066 (see my paper with Ristenpart and Shrimpton from Asiacrypt 2011: http://www.isg.rhul.ac.uk/~kp/mee-comp.pdf). Such padding is not available for RC4-based ciphersuites, nor for AES-GCM, nor AES-CCM. The amount of variability this feature introduces into ciphertext lengths is not sufficient to prevent CRIME/BREACH, but only slows them down a bit (I have not quantified this; that would require a more detailed analysis which is not justified given the apparent benefit).

* Secondly, concerning attacks on RC4: You mention the work of Isobe et al. from FSE 13 (as citation [RC4-Attack]). I've also been involved in parallel work which goes more deeply into the practical applications of RC4 weaknesses to breaking TLS and which includes more powerful attacks, making the case for abandoning RC4 even stronger:

N.J. AlFardan, D.J. Bernstein, K.G. Paterson, B. Poettering and J.C.N. Schuldt. On the Security of RC4 in TLS. In USENIX Security Symposium 2013.
https://www.usenix.org/conference/usenixsecurity13/security-rc4-tls
http://www.isg.rhul.ac.uk/tls

* Thirdly, a technical point concerning CRIME/BREACH: You write: "The attack is a consequence of the TLS MAC-then-encrypt approach." This is incorrect. The attacks would apply equally well to AES-GCM ciphersuites (which do not adopt the MAC-then-encrypt approach).
Regards,

Kenny

On 08/09/2013 09:25, "Yaron Sheffer" <yaronf.ietf@gmail.com> wrote:

>This is an early version of my proposal for a BCP-like document, to
>inform the industry on what can be done with existing implementations,
>while TLS 1.3 is still not ready.
>
>I would appreciate your comments of course. Specifically,
>I would like to fill in the Implementation Status table (Sec. 5) and
>would be glad to receive solid information (dates, planned dates,
>version numbers) from implementers.
>
>Thanks,
>	Yaron
>
>-------- Original Message --------
>Subject: New Version Notification for draft-sheffer-tls-bcp-00.txt
>Date: Sat, 07 Sep 2013 15:46:38 -0700
>From: internet-drafts@ietf.org
>To: Yaron Sheffer <yaronf.ietf@gmail.com>
>
>A new version of I-D, draft-sheffer-tls-bcp-00.txt
>has been successfully submitted by Yaron Sheffer and posted to the
>IETF repository.
>
>Filename: draft-sheffer-tls-bcp
>Revision: 00
>Title: Recommendations for Secure Use of TLS and DTLS
>Creation date: 2013-09-08
>Group: Individual Submission
>Number of pages: 8
>URL: http://www.ietf.org/internet-drafts/draft-sheffer-tls-bcp-00.txt
>Status: http://datatracker.ietf.org/doc/draft-sheffer-tls-bcp
>Htmlized: http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>
>Abstract:
> Over the last few years there have been several serious attacks on
> TLS, including attacks on its most commonly used ciphers and modes of
> operation. This document offers recommendations on securely using
> the TLS and DTLS protocols, given existing standards and
> implementations.
>
>Please note that it may take a couple of minutes from the time of
>submission until the htmlized version and diff are available at
>tools.ietf.org.
>
>The IETF Secretariat
>
>_______________________________________________
>TLS mailing list
>TLS@ietf.org
>https://www.ietf.org/mailman/listinfo/tls
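The following is an added worked example, not code from Kenny Paterson's message, from the draft, or from any TLS implementation. It makes the first point of the message concrete: how many distinct ciphertext lengths a TLS 1.1/1.2 CBC sender may emit for one plaintext under the padding rules of RFC 5246 section 6.2.3.2 (padding_length is one byte, so at most 255 bytes of padding), versus the single possible length for an AES-GCM/CCM record (8-byte explicit nonce plus 16-byte tag, RFC 5288/6655) or an RC4 record (plaintext plus MAC), and then why the random padding only slows a length-measuring attacker down. Assumptions, all labelled in the code: a 20-byte HMAC-SHA1 MAC and a 16-byte AES block; the `PaddingServer` oracle and the `recover_hidden_len` attacker routine are constructed for this example and are hypothetical, as is the seeded random padding policy. The oracle models only the record layer, not the compression step; the primitive CRIME/BREACH need is an exact plaintext-length measurement for each guess, which is what the routine recovers.

```python
"""Constructed example: TLS record lengths under CBC variable-length padding
(RFC 5246, 6.2.3.2) versus AEAD and stream suites, and a length oracle that
strips the random padding by repeated sampling.  Not code from the thread."""
import random

BLOCK = 16          # AES block size (assumed cipher for the CBC suite)
MAC_LEN = 20        # HMAC-SHA1 tag, the usual MAC for 2013-era CBC suites (assumed)
MAX_PADDING = 255   # padding_length is a single byte


def cbc_min_padding(plaintext_len, mac_len=MAC_LEN, block=BLOCK):
    """Smallest padding that block-aligns plaintext || MAC || padding || padding_length."""
    return (-(plaintext_len + mac_len + 1)) % block


def cbc_padding_choices(plaintext_len, mac_len=MAC_LEN, block=BLOCK):
    """Every padding_length value the sender may legally choose: the minimum
    plus any whole number of blocks, as long as the byte stays at most 255."""
    p = cbc_min_padding(plaintext_len, mac_len, block)
    return [p + k * block for k in range((MAX_PADDING - p) // block + 1)]


def cbc_record_len(plaintext_len, padding_len, mac_len=MAC_LEN, block=BLOCK,
                   explicit_iv=True):
    """Ciphertext length of one CBC record body (5-byte record header not counted):
    [explicit IV in TLS 1.1+] || plaintext || MAC || padding || padding_length."""
    if padding_len not in cbc_padding_choices(plaintext_len, mac_len, block):
        raise ValueError("padding_len does not block-align the record")
    return (block if explicit_iv else 0) + plaintext_len + mac_len + padding_len + 1


def aead_record_len(plaintext_len, tag_len=16, explicit_nonce_len=8):
    """TLS 1.2 AES-GCM/AES-CCM record body: nonce_explicit || ciphertext || tag.
    No padding field exists, so every plaintext byte shows in the length."""
    return explicit_nonce_len + plaintext_len + tag_len


def stream_record_len(plaintext_len, mac_len=MAC_LEN):
    """RC4 record body: plaintext || MAC.  Again no padding."""
    return plaintext_len + mac_len


class PaddingServer:
    """Constructed oracle (hypothetical, for this example only): a CBC sender
    that prepends a hidden plaintext of hidden_len bytes to attacker-chosen
    filler and draws the padding uniformly from the legal choices per record."""

    def __init__(self, hidden_len, seed=0, mac_len=MAC_LEN, block=BLOCK):
        self.hidden_len, self.mac_len, self.block = hidden_len, mac_len, block
        self.rng = random.Random(seed)  # seeded only so the run is reproducible
        self.queries = 0

    def record_len(self, filler_len):
        self.queries += 1
        plen = self.hidden_len + filler_len
        pad = self.rng.choice(cbc_padding_choices(plen, self.mac_len, self.block))
        return cbc_record_len(plen, pad, self.mac_len, self.block)


def recover_hidden_len(server, samples, mac_len=MAC_LEN, block=BLOCK):
    """Recover hidden_len exactly despite the random padding.

    1. For each filler size 0..block, take the minimum record length over
       `samples` queries: once any sample drew the minimum padding, that
       minimum equals the deterministic block-aligned length.
    2. The first filler size at which the minimum grows by one block shows
       where the plaintext ends inside its last block: with no filler the
       minimum padding was f_jump - 1 bytes.
    """
    floor = [min(server.record_len(f) for _ in range(samples))
             for f in range(block + 1)]
    f_jump = next(f for f in range(1, block + 1) if floor[f] > floor[f - 1])
    # floor[0] = IV + hidden_len + MAC + min_padding + 1, and min_padding = f_jump - 1
    return floor[0] - block - mac_len - f_jump


if __name__ == "__main__":
    plen = 100
    print("CBC record lengths a sender may emit for", plen, "plaintext bytes:",
          [cbc_record_len(plen, p) for p in cbc_padding_choices(plen)])
    print("AES-GCM:", aead_record_len(plen), " RC4:", stream_record_len(plen))
    srv = PaddingServer(plen, seed=1)
    print("recovered", recover_hidden_len(srv, samples=256),
          "bytes with", srv.queries, "queries")
```

For a 100-byte plaintext the CBC sender has 16 lengths to choose from (144 to 384 bytes in steps of one block), while the GCM and RC4 records have exactly one length each. The attacker's cost against random padding is the sample count times (block + 1) queries instead of a single query; taking the minimum over the samples works because any one sample that drew the minimum padding exposes the aligned length, and the filler sweep resolves the plaintext's position within its last block. That is the "slows them down a bit" of the message, expressed as a query multiplier rather than a barrier.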