IETF Logo Mail Archive

Re: [TLS] rfc7366: is encrypt-then-mac implemented?

mrex@sap.com (Martin Rex) Thu, 30 October 2014 00:13 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF0A21ACE1E for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 17:13:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6-aC8Df3Rxch for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 17:13:49 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 568CD1ACE16 for <tls@ietf.org>; Wed, 29 Oct 2014 17:13:49 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 1C32154481; Thu, 30 Oct 2014 01:13:46 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id BAC9A42FB9; Thu, 30 Oct 2014 01:13:46 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id AF51B1AF69; Thu, 30 Oct 2014 01:13:46 +0100 (CET)
In-Reply-To: <1414598692.723.59.camel@dhcp-2-127.brq.redhat.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Thu, 30 Oct 2014 01:13:46 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20141030001346.AF51B1AF69@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/xXb-pDmVajr6W60qjYONV2PJ9b8
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] rfc7366: is encrypt-then-mac implemented?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Oct 2014 00:13:51 -0000

Nikos Mavrogiannopoulos wrote:
> On Wed, 2014-10-29 at 15:30 +0000, Peter Gutmann wrote:
>> Manuel Pégourié-Gonnard <mpg@polarssl.org> writes:
>> 
>>>The *only* difference is (something that doesn't involve the definition of
>>>length), so the definition of the length is unchanged, therefore it's the one
>>>from RFC 5246.
>> 
>> No it isn't.  RFC 7366 moves the MAC outside the GenericXXXCipher fragment,
>> so it's no longer included.
> 
> I don't think it matter that the MAC is outside the GenericXXXCipher
> fragment.

On the contrary, this matters a whole lot.



> TLSCiphertext is defined in RFC7366 as follows:
> 
>    struct {
>           ContentType type;
>           ProtocolVersion version;
>           uint16 length;
>           GenericBlockCipher fragment;
>           opaque MAC;
>           } TLSCiphertext;
> 
> (for block ciphers at least). That TLSCiphertext.length send on the wire
> contains both fragment and MAC length, doesn't it?


This is the rfc5246 definition of TLSCiphertext and the explanation
of the "length" element within that structure:

http://tools.ietf.org/html/rfc5246#section-6.2.3

      struct {
          ContentType type;
          ProtocolVersion version;
          uint16 length;
          select (SecurityParameters.cipher_type) {
              case stream: GenericStreamCipher;
              case block:  GenericBlockCipher;
              case aead:   GenericAEADCipher;
          } fragment;
      } TLSCiphertext;

   type
      The type field is identical to TLSCompressed.type.

   version
      The version field is identical to TLSCompressed.version.

   length
      The length (in bytes) of the following TLSCiphertext.fragment.
      The length MUST NOT exceed 2^14 + 2048.

   fragment
      The encrypted form of TLSCompressed.fragment, with the MAC.


In rfc5246, the "length" element of the TLSCiphertext structure
contains the length of the "fragment" element directly following it,
and rfc7366.   But rfc7366 moves the MAC outside of the fragment,
so its length will no longer be included in the TLSCiphertext.length
count.


Curiously, rfc7366 doesn't indicate the real length of the MAC element
in the same fashion that rfc5246 does:

  rfc5246:   opaque MAC[SecurityParameters.mac_length];

  rfc7366:   opaque MAC;

...but then, rfc2246 and rfc4346 used slightly different names/terminology
for the SecurityParameters, and would use:
             opaque MAC[SecurityParameters.hash_size];



-Martin

v2.23.0 | Report a Bug | By Email