Re: [TLS] TLS1.3

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 08 February 2013 10:48 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "tls@ietf.org" <tls@ietf.org>
Date: Fri, 08 Feb 2013 10:48:52 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73333FEAF0@uxcn10-2.UoA.auckland.ac.nz>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>

"Lewis, Nick" <nick.lewis@usa.g4s.com> writes:

>Is this really ok for all cipher suites?

Can't see why it wouldn't be.

>In those cases that the hash is weak e.g. MD5-HMAC maybe the underlying key
>could be exposed?

Problems with MD5 don't affect HMAC-MD5.

>Padding the plain text up to a multiple of the cipher block size (minus the
>hash size) ahead of doing the MAC is a more modest change that may be more
>widely applicable to existing cipher suites - with a "pad-then MAC" client
>hello

That won't help against the current attack.  The only proper fix for the
various attacks that target the encryption is to protect everything with the
MAC, i.e. switch to encrypt-then-MAC.  The definitive reference for this is
Hugo Krawczyk's "The Order of Encryption and Authentication for Protecting
Communications (Or: How Secure is SSL?)".

Peter.
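The ordering point in the message above, worked through in code. This is an added example, not code from the thread or from any TLS implementation, and it makes several assumptions: a toy 16-byte Feistel block cipher built from HMAC-SHA256 stands in for AES so the script runs with only the Python standard library, the padding is PKCS#7-style rather than TLS's own format, and the receiver reports padding failures and MAC failures as two different exception types so that the oracle is explicit. The MAC-then-encrypt receiver (mte_open) has to check padding before it can check the MAC, and the classic CBC padding-oracle attack recovers the whole padded plaintext from that distinction; the encrypt-then-MAC receiver (etm_open) verifies a tag over the IV and ciphertext first, so every tampered record fails in the same way before anything is decrypted. All names, the sample message and the keys are constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK, ROUNDS, TAGLEN = 16, 4, 32

class PaddingError(Exception): pass
class MacError(Exception): pass

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def tag(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def block_cipher(key, block, decrypt=False):
    # Toy 16-byte Feistel cipher with an HMAC-SHA256 round function (assumption: stands in for AES)
    l, r = block[:8], block[8:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return r + l

def cbc(key, iv, data, decrypt=False):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        cur = _xor(block_cipher(key, blk, True), prev) if decrypt else block_cipher(key, _xor(blk, prev))
        out, prev = out + cur, (blk if decrypt else cur)
    return out

def pad(data):  # PKCS#7-style; TLS's own padding format differs in detail
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError()
    return data[:-n]

def mte_seal(enc_key, mac_key, msg):  # MAC-then-encrypt, as in TLS CBC suites: MAC, pad, encrypt
    iv = os.urandom(BLOCK)
    return iv + cbc(enc_key, iv, pad(msg + tag(mac_key, msg)))

def mte_open(enc_key, mac_key, record):
    body = unpad(cbc(enc_key, record[:BLOCK], record[BLOCK:], decrypt=True))  # may raise PaddingError
    msg, t = body[:-TAGLEN], body[-TAGLEN:]
    if not hmac.compare_digest(t, tag(mac_key, msg)):
        raise MacError()  # a second, distinguishable failure: that distinction is the oracle
    return msg

def etm_seal(enc_key, mac_key, msg):  # encrypt-then-MAC: pad, encrypt, MAC the IV and ciphertext
    iv = os.urandom(BLOCK)
    ct = iv + cbc(enc_key, iv, pad(msg))
    return ct + tag(mac_key, ct)

def etm_open(enc_key, mac_key, record):
    ct, t = record[:-TAGLEN], record[-TAGLEN:]
    if not hmac.compare_digest(t, tag(mac_key, ct)):
        raise MacError()  # every modification is rejected here, before anything is decrypted
    return unpad(cbc(enc_key, ct[:BLOCK], ct[BLOCK:], decrypt=True))

def error_type(opener, enc_key, mac_key, record):  # all a network attacker gets to observe
    try:
        opener(enc_key, mac_key, record)
        return None
    except (PaddingError, MacError) as e:
        return type(e)

def padding_oracle_attack(oracle, record):  # classic CBC padding-oracle recovery of the padded plaintext
    blocks, plain = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)], b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # will hold the block cipher's output for cur, learnt byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            p, forged = BLOCK - pos, bytearray(os.urandom(BLOCK))  # force padding value p
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ p
            for guess in range(256):
                forged[pos] = guess
                if oracle(bytes(forged) + cur) is PaddingError:
                    continue
                if p == 1 and oracle(bytes(forged[:-2]) + bytes([forged[-2] ^ 0xFF, guess]) + cur) is PaddingError:
                    continue  # accidental longer padding such as 0x02 0x02, not the 0x01 we want
                inter[pos] = guess ^ p
                break
        plain += _xor(inter, prev)
    return plain

def tamper_outcomes(opener, enc_key, mac_key, record):  # flip one bit per byte; collect error types
    return {error_type(opener, enc_key, mac_key, record[:i] + bytes([record[i] ^ 1]) + record[i + 1:])
            for i in range(len(record))}

def demo(msg=b"attack at dawn"):  # constructed sample message
    enc_key, mac_key = os.urandom(16), os.urandom(32)
    mte_record, etm_record = mte_seal(enc_key, mac_key, msg), etm_seal(enc_key, mac_key, msg)
    return {"mte_recovered": padding_oracle_attack(lambda rec: error_type(mte_open, enc_key, mac_key, rec), mte_record),
            "mte_errors": tamper_outcomes(mte_open, enc_key, mac_key, mte_record),
            "etm_errors": tamper_outcomes(etm_open, enc_key, mac_key, etm_record)}
```

demo() returns the MAC-then-encrypt record's full padded plaintext (message, then the 32-byte MAC, then the padding) recovered with nothing but the receiver's error type, alongside the set of error types seen when single bits of each record are flipped: both types for MAC-then-encrypt, only MacError for encrypt-then-MAC. The distinct exception types are there to keep the oracle visible; in deployed implementations the distinction tends to survive as a side channel (timing is the usual one) even when the alerts are unified, and the fix Gutmann points to removes the distinction altogether rather than hiding it.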