Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis
Watson Ladd <watsonbladd@gmail.com> Tue, 13 January 2015 18:23 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B77211A9034 for <tls@ietfa.amsl.com>; Tue, 13 Jan 2015 10:23:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yIXwF1q_wguS for <tls@ietfa.amsl.com>; Tue, 13 Jan 2015 10:23:28 -0800 (PST)
Received: from mail-yh0-x22f.google.com (mail-yh0-x22f.google.com [IPv6:2607:f8b0:4002:c01::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46FDB1A902D for <tls@ietf.org>; Tue, 13 Jan 2015 10:23:28 -0800 (PST)
Received: by mail-yh0-f47.google.com with SMTP id f73so2262535yha.6 for <tls@ietf.org>; Tue, 13 Jan 2015 10:23:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=wIrqWR9YL/raeReQ36UUBjNAg+IYY/+VLoZfQNQadW0=; b=zdnoDmctUbzW0BwwVQ89buVKwH+0b88HTC6oHfeLeF4bCRneET5mZhwWx9nYA1SIFk Aaz6f8QRQt5HKXJ1EefxgZIwtvKGaa9GuoS8jDJ8VpipNNX0OlFAe4YlfkI6w3/9BOFe mSeXhZhkecswL/31qOeZ7VsV7U2WZKl94nFwwV0n4Ld+PjxA9BiR0coGu/R2zdyC3IsM WnBni7/a+kwP6KCMX0yVNn8Zt14yqXq3JvYpcdOp33mf7zSgJh7ZvhGevWTAGGliRPJA BAKGx6cg3HJEuwNYoXWffwcd6kR8g78dKE7901wzfDLjSCeIRGjzzUx+w/PrOshNIzAI U4Pw==
MIME-Version: 1.0
X-Received: by 10.170.128.73 with SMTP id u70mr32274423ykb.19.1421173407606; Tue, 13 Jan 2015 10:23:27 -0800 (PST)
Received: by 10.170.207.6 with HTTP; Tue, 13 Jan 2015 10:23:27 -0800 (PST)
In-Reply-To: <D0DB1039.3C5D9%kenny.paterson@rhul.ac.uk>
References: <9A043F3CF02CD34C8E74AC1594475C73AAF525B9@uxcn10-tdc05.UoA.auckland.ac.nz> <D0D16976.3BD1D%kenny.paterson@rhul.ac.uk> <54B54A5F.7020401@polarssl.org> <D0DB0820.3C588%kenny.paterson@rhul.ac.uk> <CACsn0c=oYuUhkPi2QO=qPy95X4v+xXViTyi+XzyRrO1BKLnnLg@mail.gmail.com> <D0DB1039.3C5D9%kenny.paterson@rhul.ac.uk>
Date: Tue, 13 Jan 2015 10:23:27 -0800
Message-ID: <CACsn0ck-2_348SkASvkCrP7r3HoD-G8t590WRzWkQpj6TjBMqg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/vmPfP8z7T9MaDzPfKvLUHjKjHpY>
Cc: Manuel Pégourié-Gonnard <mpg@polarssl.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jan 2015 18:23:30 -0000
On Tue, Jan 13, 2015 at 10:15 AM, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> wrote: > Hi Watson, > > On 13/01/2015 18:09, "Watson Ladd" <watsonbladd@gmail.com> wrote: > > >From what I understand, when AES-GCM is used there isn't any padding, >>and the length of the encrypted record is equal to the unencrypted one >>plus the tag, > > True. > >>so this attack still works. > > Actually, it's an even simpler, passive attack for AES-GCM - you just > observe the ciphertext length and you are done. The attack on CBC mode > requires an activity adversary and leads to closure of the TLS session > half of the time. > >>So if we accept this attack >>(and I think we should), then the way AEAD ciphers are used in TLS are >>also insecure. I believe this attack got used to determine autofill >>entries in the Google search bar via passive observation, but I've not >>dug up the paper, so my memory may be wrong. > > That would be an interesting reference to have to hand. Please dig! https://eprint.iacr.org/2014/959.pdf is the paper I was thinking of. > >>To fix this we need to add padding in TLS 1.3 and TLS 1.2 for AEAD modes. > > https://tools.ietf.org/html/draft-pironti-tls-length-hiding-01 would be a > good starting point, no? Seem to be, although I don't remember it being discussed on the list before. We should fix this problem. > > > Cheers > > Kenny > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Tapio Sokura
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Jeffrey Walton
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Peter Gutmann
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Russ Housley
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Watson Ladd
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Ilari Liusvaara
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Yoav Nir
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Peter Gutmann
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Peter Gutmann
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Paterson, Kenny
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Peter Gutmann
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Manuel Pégourié-Gonnard
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Paterson, Kenny
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Watson Ladd
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Watson Ladd
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Paterson, Kenny
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Martin Thomson
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Michael Clark
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Martin Thomson
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Tom Ritter
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Martin Rex
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Joe Hall
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Tom Ritter
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Martin Thomson
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Nikos Mavrogiannopoulos
- Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CC… Tom Ritter