Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis

Watson Ladd <watsonbladd@gmail.com> Tue, 13 January 2015 18:23 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B77211A9034 for <tls@ietfa.amsl.com>; Tue, 13 Jan 2015 10:23:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yIXwF1q_wguS for <tls@ietfa.amsl.com>; Tue, 13 Jan 2015 10:23:28 -0800 (PST)
Received: from mail-yh0-x22f.google.com (mail-yh0-x22f.google.com [IPv6:2607:f8b0:4002:c01::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46FDB1A902D for <tls@ietf.org>; Tue, 13 Jan 2015 10:23:28 -0800 (PST)
Received: by mail-yh0-f47.google.com with SMTP id f73so2262535yha.6 for <tls@ietf.org>; Tue, 13 Jan 2015 10:23:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=wIrqWR9YL/raeReQ36UUBjNAg+IYY/+VLoZfQNQadW0=; b=zdnoDmctUbzW0BwwVQ89buVKwH+0b88HTC6oHfeLeF4bCRneET5mZhwWx9nYA1SIFk Aaz6f8QRQt5HKXJ1EefxgZIwtvKGaa9GuoS8jDJ8VpipNNX0OlFAe4YlfkI6w3/9BOFe mSeXhZhkecswL/31qOeZ7VsV7U2WZKl94nFwwV0n4Ld+PjxA9BiR0coGu/R2zdyC3IsM WnBni7/a+kwP6KCMX0yVNn8Zt14yqXq3JvYpcdOp33mf7zSgJh7ZvhGevWTAGGliRPJA BAKGx6cg3HJEuwNYoXWffwcd6kR8g78dKE7901wzfDLjSCeIRGjzzUx+w/PrOshNIzAI U4Pw==
MIME-Version: 1.0
X-Received: by 10.170.128.73 with SMTP id u70mr32274423ykb.19.1421173407606; Tue, 13 Jan 2015 10:23:27 -0800 (PST)
Received: by 10.170.207.6 with HTTP; Tue, 13 Jan 2015 10:23:27 -0800 (PST)
In-Reply-To: <D0DB1039.3C5D9%kenny.paterson@rhul.ac.uk>
References: <9A043F3CF02CD34C8E74AC1594475C73AAF525B9@uxcn10-tdc05.UoA.auckland.ac.nz> <D0D16976.3BD1D%kenny.paterson@rhul.ac.uk> <54B54A5F.7020401@polarssl.org> <D0DB0820.3C588%kenny.paterson@rhul.ac.uk> <CACsn0c=oYuUhkPi2QO=qPy95X4v+xXViTyi+XzyRrO1BKLnnLg@mail.gmail.com> <D0DB1039.3C5D9%kenny.paterson@rhul.ac.uk>
Date: Tue, 13 Jan 2015 10:23:27 -0800
Message-ID: <CACsn0ck-2_348SkASvkCrP7r3HoD-G8t590WRzWkQpj6TjBMqg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vmPfP8z7T9MaDzPfKvLUHjKjHpY>
Cc: =?UTF-8?Q?Manuel_P=C3=A9gouri=C3=A9=2DGonnard?= <mpg@polarssl.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jan 2015 18:23:30 -0000

On Tue, Jan 13, 2015 at 10:15 AM, Paterson, Kenny
<Kenny.Paterson@rhul.ac.uk>; wrote:
> Hi Watson,
>
> On 13/01/2015 18:09, "Watson Ladd" <watsonbladd@gmail.com>; wrote:
>
> >From what I understand, when AES-GCM is used there isn't any padding,
>>and the length of the encrypted record is equal to the unencrypted one
>>plus the tag,
>
> True.
>
>>so this attack still works.
>
> Actually, it's an even simpler, passive attack for AES-GCM - you just
> observe the ciphertext length and you are done. The attack on CBC mode
> requires an activity adversary and leads to closure of the TLS session
> half of the time.
>
>>So if we accept this attack
>>(and I think we should), then the way AEAD ciphers are used in TLS are
>>also insecure. I believe this attack got used to determine autofill
>>entries in the Google search bar via passive observation, but I've not
>>dug up the paper, so my memory may be wrong.
>
> That would be an interesting reference to have to hand. Please dig!

https://eprint.iacr.org/2014/959.pdf is the paper I was thinking of.

>
>>To fix this we need to add padding in TLS 1.3 and TLS 1.2 for AEAD modes.
>
> https://tools.ietf.org/html/draft-pironti-tls-length-hiding-01 would be a
> good starting point, no?

Seem to be, although I don't remember it being discussed on the list
before. We should fix this problem.

>
>
> Cheers
>
> Kenny
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin