Re: [TLS] [Technical Errata Reported] RFC7905 (5251)

Adam Langley <agl@google.com> Thu, 22 February 2018 21:32 UTC

In-Reply-To: <1245150098.5877048.1518481362605.JavaMail.zimbra@inria.fr>
References: <20180201135947.77809B819EE@rfc-editor.org> <CAL9PXLxUNZHeMZYUSEsmT5YBOg6AReFbqxPozOmStY_+L1VUSg@mail.gmail.com> <1245150098.5877048.1518481362605.JavaMail.zimbra@inria.fr>
From: Adam Langley <agl@google.com>
Date: Thu, 22 Feb 2018 13:32:08 -0800
Message-ID: <CAL9PXLyyv+M0gQqAENd3T4AjU9q-LfC5ZmimXQWNLH0TyN3j-A@mail.gmail.com>
To: Xavier Bonnetain <xavier.bonnetain@inria.fr>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, Wan-Teh Chang <wtc@google.com>, Nikos Mavrogiannopoulos <nmav@redhat.com>, Joachim Strömbergson <joachim@secworks.se>, Simon Josefsson <simon@josefsson.org>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, Eric Rescorla <ekr@rtfm.com>, Joseph Salowey <joe@salowey.net>, sean+ietf@sn3rd.com, tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uotKiyoouQ0C8HJUTfc9xUeZBAE>
Subject: Re: [TLS] [Technical Errata Reported] RFC7905 (5251)

On Mon, Feb 12, 2018 at 4:22 PM, Xavier Bonnetain <xavier.bonnetain@inria.fr> wrote:
> If we are in the situation C = 0, D = 1 and L=2^{14} for (D)TLS, the forgery probability may indeed not be affected (and may even be smaller). However, the explanation "Poly1305 is designed to ensure that forged messages are rejected with a probability of 1-(n/2^107), where n is the maximum length of the input to Poly1305." is presenting Poly1305 as slightly stronger than it really is (and there is an attack with success probability 2^{-106} with C=1, D=1, L=1, as the hashing key r has 106 effective bits).

I don't believe that this contradicts the equation. While it's true
that r only contains 106 bits, knowing r isn't sufficient to forge a
message unless one also has a legitimate message from which to
calculate the masking value. In the C = 0 situation, the attacker does
not have such a message. As the attacker gathers samples of legitimate
messages, their success probability does, indeed, increase.

I suspect that any simplification of the security equation is going to
have these issues.


Cheers

AGL
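The two claims in the exchange above, made concrete as an added example that is not part of the thread: a plain Python Poly1305 per RFC 8439 §2.5, checked against that RFC's §2.5.2 test vector, which shows the clamped key r keeps 106 bits, and that the mask s (the second key half) can only be separated from a tag once a legitimate (message, tag) pair exists, which is why knowing r alone does not affect the forgery bound in the C = 0 case. The test-vector constants are quoted from RFC 8439; everything else is this example's own code.

```python
# Poly1305 as specified in RFC 8439 section 2.5 (added example, not from the thread).
P = (1 << 130) - 5                                  # the Poly1305 prime 2^130 - 5
R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF          # clamp mask applied to r

# Test vector from RFC 8439 section 2.5.2 (key = r || s, message, expected tag).
RFC_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8" "0103808afb0db2fd4abff6af4149f51b")
RFC_MSG = b"Cryptographic Forum Research Group"
RFC_TAG_HEX = "a8061dc1305136c6c22b8baf0c0127a9"


def clamp_r(r_bytes):
    """Read the first 16 key bytes little-endian and clear the 22 clamped bits."""
    return int.from_bytes(r_bytes, "little") & R_CLAMP


def effective_r_bits():
    """Bits of r that survive clamping: the '106 effective bits' from the thread."""
    return bin(R_CLAMP).count("1")


def poly1305_hash(r, msg):
    """Unmasked part: evaluate the message polynomial at r modulo 2^130 - 5.
    Each 16-byte block gets a 0x01 byte appended before being read little-endian."""
    h = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16] + b"\x01"
        h = (h + int.from_bytes(block, "little")) * r % P
    return h


def poly1305_mac(key, msg):
    """Full MAC: tag = (hash_r(msg) + s) mod 2^128, s being the second 16 key bytes."""
    r = clamp_r(key[:16])
    s = int.from_bytes(key[16:32], "little")
    return ((poly1305_hash(r, msg) + s) % (1 << 128)).to_bytes(16, "little")


def mask_from_legit_pair(r, msg, tag):
    """Given r AND one legitimate (msg, tag) pair, s is just tag - hash_r(msg) mod 2^128.
    With no observed pair (C = 0 above) s is uniform and unknown, so even an attacker
    who knew r exactly gains nothing: every one of the 2^128 tag values is equally likely."""
    return (int.from_bytes(tag, "little") - poly1305_hash(r, msg)) % (1 << 128)


if __name__ == "__main__":
    tag = poly1305_mac(RFC_KEY, RFC_MSG)
    print("RFC vector ok:", tag.hex() == RFC_TAG_HEX, "| r bits:", effective_r_bits())
```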