Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt

Nikos Mavrogiannopoulos <nmav@gnutls.org> Mon, 23 September 2013 07:03 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81EC121F9E96 for <tls@ietfa.amsl.com>; Mon, 23 Sep 2013 00:03:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.392
X-Spam-Level:
X-Spam-Status: No, score=-2.392 tagged_above=-999 required=5 tests=[AWL=0.207, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LiHcYcRpLohJ for <tls@ietfa.amsl.com>; Mon, 23 Sep 2013 00:03:26 -0700 (PDT)
Received: from mail-ee0-x22c.google.com (mail-ee0-x22c.google.com [IPv6:2a00:1450:4013:c00::22c]) by ietfa.amsl.com (Postfix) with ESMTP id F3DE521F9E9F for <tls@ietf.org>; Mon, 23 Sep 2013 00:03:25 -0700 (PDT)
Received: by mail-ee0-f44.google.com with SMTP id b47so1490845eek.17 for <tls@ietf.org>; Mon, 23 Sep 2013 00:03:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:openpgp:content-type :content-transfer-encoding; bh=Aw02dNQlpJHVAt4OTQorWKYWVH8YJI8hAbeJwPoYWiw=; b=Wzk15vXeAMfJ+/Uppz97ZiIszRfe0XWXYjqCfuGLehgyS/L3nK/061GpXzconHCMOT SV8LURpD0B4fIUIFdAjGczAFbPATyEebFED+TLqrxBL9AGN2Va07pH1N8mAxxGoT+86+ ynA7QMWObt0TzyYkSdUG2jiBsqNjz5GNOY5rh/oVBNG+7ehLeB5Q7uOKLPghPhWpnkvk 7e07eJqYYsQUrRmf/4ouctIrJKQ8On6CrWzfRzfslReHc0DM2Q3/79svyKA4lcm6pv5X RQIZQObUP6nPOhN4pVmx64Hpxz4OCX1LgOslsLscI4Akia1dKOrPVV4tCim9vYdbgixK CRbA==
X-Received: by 10.14.5.3 with SMTP id 3mr1501082eek.49.1379919804868; Mon, 23 Sep 2013 00:03:24 -0700 (PDT)
Received: from [10.100.2.17] (94-224-103-174.access.telenet.be. [94.224.103.174]) by mx.google.com with ESMTPSA id r48sm39492054eev.14.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 23 Sep 2013 00:03:24 -0700 (PDT)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <523FE7B6.10501@gnutls.org>
Date: Mon, 23 Sep 2013 09:03:18 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130630 Icedove/17.0.7
MIME-Version: 1.0
To: tls@ietf.org
References: <CABcZeBN+0hX1-cb0V4AyaO3FrwaGrtjbRO3BGOV0KBSjRkNwkw@mail.gmail.com> <523c738f.0733cc0a.41a0.3096@mx.google.com> <523F383A.20803@drh-consultancy.co.uk>
In-Reply-To: <523F383A.20803@drh-consultancy.co.uk>
X-Enigmail-Version: 1.5.1
OpenPGP: id=96865171
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2013 07:03:27 -0000

On 09/22/2013 08:34 PM, Dr Stephen Henson wrote:

> This has some interesting parallels with FIPS 140-2. Currently the only approved
> symmetric algorithms for FIPS 140-2 and TLS are AES-GCM, AES-CBC and DES3-CBC.
> If you can't deploy TLS 1.2 you're then stuck with CBC.
[...]
> spec, as it doesn't need any new algorithms, could be
> deployed as soon as it is approved.
> 
> I'm not saying that we don't approve new algorithms and ciphers suites. I'm
> saying we need ETM as well.

What we need is a solution for the issue with the unauthenticated
padding in the CBC ciphersuites. ETM is not the only way to solve the
issue, and even if it is used, it would be highly recommendable to
follow the existing good practices. TLS isn't the first protocol to use
this mode, thus there isn't a need to innovate.

regards,
Nikos