IETF Logo Mail Archive

Re: [TLS] [Technical Errata Reported] RFC5288 (4694)

Aaron Zauner <azet@azet.org> Sun, 15 May 2016 13:50 UTC

Return-Path: <azet@azet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D018D12D194 for <tls@ietfa.amsl.com>; Sun, 15 May 2016 06:50:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=azet.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gIP2HV_XDcBf for <tls@ietfa.amsl.com>; Sun, 15 May 2016 06:50:22 -0700 (PDT)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEA8512D18F for <tls@ietf.org>; Sun, 15 May 2016 06:50:21 -0700 (PDT)
Received: by mail-qk0-x22c.google.com with SMTP id r184so83462052qkc.1 for <tls@ietf.org>; Sun, 15 May 2016 06:50:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=azet.org; s=gmail; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=dTI3PflU4xhQBg/BDO4g4eZDTgrqhFtNeu8GKPq1O/0=; b=QiVVLYId7riV8ubj9n5dhYLyF23Kwo9cp32pDNHgXyRZP5eZD9lJikiSX3lYYC3i+k 5Q/ned2SEJhCfINiiwojyBh9UyH0hX6R/Owo/vTzNsCmC2SyuNM578/JnG21cwWbGdHa 33351X5o5dkG/3Zt14aG03R4893MX4rWdRH30=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=dTI3PflU4xhQBg/BDO4g4eZDTgrqhFtNeu8GKPq1O/0=; b=X8JRnbsLtqCzxhMkgCa96PJAnFfy83OBl9IsmhJvDFrXnjOzJLUBSl6V0RbVaiyPsK lE6cq8/DmQfPKBcsU44Ox+nxndnfY8ru//KhCU3KvpmMqWnbCr0SKQb59DIapCj2nJFn jHtELRRu3cbtm3yecKigGbUem/Oxj7TclMtpnr8TXnosfosya2m1enkBfmHRELDmIbuS N84iOH85h5hkNhlzTLwb42wMkdU8+ZMbqqxlU63K1c2EPtClzcjLYqKnVmxkojNUUhaX Us0G4eX3e0ucB6KzcM/b0wcmQUC3mRyHlTmioVle7ORhYeipMxwNUye/m39rpLDcbzsc /KHw==
X-Gm-Message-State: AOPr4FWH2yPMtE8K4cSoAGrUQdrTaxBdAGlUvXSzNwwuL7iS4wmcNaErwEpMT0q+mprbEft2jdJBD73lUD/Pgw==
MIME-Version: 1.0
X-Received: by 10.55.77.202 with SMTP id a193mr26429781qkb.48.1463320220887; Sun, 15 May 2016 06:50:20 -0700 (PDT)
Received: by 10.200.40.69 with HTTP; Sun, 15 May 2016 06:50:20 -0700 (PDT)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4C80F76@uxcn10-5.UoA.auckland.ac.nz>
References: <20160514082717.7997D180004@rfc-editor.org> <9A043F3CF02CD34C8E74AC1594475C73F4C80CD0@uxcn10-5.UoA.auckland.ac.nz> <CAN8NK9EaDQ-Pugi2j=3KcXrn5G-8mcXVs4O2HGCkH7h7GSKbbA@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C80F76@uxcn10-5.UoA.auckland.ac.nz>
Date: Sun, 15 May 2016 20:50:20 +0700
Message-ID: <CAN8NK9Gn9iK72dBq3opQ2E_HEZyVB+ysCqo5JxMH8vHhy4gEEg@mail.gmail.com>
From: Aaron Zauner <azet@azet.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: multipart/alternative; boundary="001a11488f5ef588070532e1c9f2"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/uwDMG7diSWYApBltNFMlXpEVxlI>
X-Mailman-Approved-At: Sun, 15 May 2016 17:38:32 -0700
Cc: "sean+ietf@sn3rd.com" <sean+ietf@sn3rd.com>, "Kathleen.Moriarty.ietf@gmail.com" <Kathleen.Moriarty.ietf@gmail.com>, "mcgrew@cisco.com" <mcgrew@cisco.com>, "jsalowey@cisco.com" <jsalowey@cisco.com>, "tls@ietf.org" <tls@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>, "abhijitc@cisco.com" <abhijitc@cisco.com>
Subject: Re: [TLS] [Technical Errata Reported] RFC5288 (4694)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 May 2016 13:50:24 -0000

On Sun, May 15, 2016 at 3:52 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
wrote:

> Aaron Zauner <azet@azet.org> writes:
>
> >What do you think nonce stands for?
> >https://en.wikipedia.org/wiki/Cryptographic_nonce
>
> Well there's your first mistake, you're using Wikipedia as a reference.
> "nonce" is from medieval English, and predates modern cryptography and IVs
> by
> about 800 years.
>

Sure, I wouldn't cite Wikipedia in an academic publication, but it's what
pops up first if someone looks for "nonce" via a Google search. That was my
point. In general I think the wording should be more clear and a little
less of crypto-only nomenclature, thus -- maybe -- more convenient for
engineers. I suspect this was one of the issues with the document and why
we found vulnerable implementations in the first place. If you read
carefully and do your home-work the RFC in current form pretty much tells
you that you shouldn't re-use the nonce. Compared to TLS 1.3 and the
ChaCha20/Poly1305 document (and my OCB draft): the construction does not
prevent implementers from re-using the same nonce by mistake. Ideally it
would be handled in such a way that human error results in
non-interoperable implementations, like with said drafts and 1.3. But as
noted: it'll probably cause massive breakage among deployed implementations
and may even be the cause for more security issues with implementations to
pop up.

I know that the word "nonce" does have another meaning as well (BTW I'm not
a native english speaker, as you may have guessed). But do you think that
is really relevant in this case? If so, could you suggest better wording
for this specific paragraph?


>
> >In TLS nonce reuse allows us to attack the authentication key of GCM. Not
> the
> >actual master secret. There's no direct break of the confidentiality,
>
> If you reuse the IV/nonce in GCM (or more specifically CTR mode), you
> repeat
> the cipher stream.  An XOR makes it go away, so you lose any
> confidentiality.
>

This document is on TLS cipher-suites, not AES-GCM in general. This attack
isn't applicable here for various reasons. But I agree that the errata
could be clearer here. What'd be your suggestion as an addition or change?
I'm sure the relevant editors will be willing to amend/change my wording in
this errata.

More feedback is always appreciated. I suggest people on this list comment
as much as they think is relevant to this errata, we should get it perfect
this time around. It should be as clear as possible and be understood by
everyone - otherwise the errata doesn't make any sense.

Thanks,
Aaron

v2.23.0 | Report a Bug | By Email