Re: [TLS] Are the AEAD cipher suites a security trade-off win with TLS1.2?

Eric Rescorla <ekr@rtfm.com> Sun, 20 March 2016 20:18 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 20 Mar 2016 13:18:04 -0700
Message-ID: <CABcZeBOz7n2PDXG9RWjpkgwaxiPGN3AMfK1HKsYkHkM08pnePg@mail.gmail.com>
To: Harlan Lieberman-Berg <hlieberman@setec.io>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/y2sAwrhldbX5SwxieqohX3VqOTE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Are the AEAD cipher suites a security trade-off win with TLS1.2?

Note: TLS 1.3 should significantly decrease the risk of this because the
record sequence number is used as the nonce, therefore if you fail to
increment the sequence number, you will quickly not interoperate with
other implementations which are correct.

-Ekr


On Sun, Mar 20, 2016 at 12:53 PM, Harlan Lieberman-Berg <hlieberman@setec.io> wrote:

> Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:
> > This is why I referred to GCM as "brittle", you can be about as
> > abusive as you like with CBC and the worst you get is degradation to
> > ECB, while with GCM you make one mistake and you get a catastrophic
> > loss of security.
>
> Couldn't you say the same about CTR mode, or stream ciphers themselves?
> Sure -- it's definitely a lot harder to screw up "incrementing a
> counter" than it is all the stuff GCM requires you to do, but....
>
> Sincerely,
>
> --
> Harlan Lieberman-Berg
> ~hlieberman
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
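Added example, not from this thread or either author: a toy one-direction record layer that contrasts the TLS 1.2 AES-GCM explicit nonce (RFC 5288, 4-byte salt plus 8-byte value carried in the record) with the TLS 1.3 nonce derived from the record sequence number (RFC 8446 section 5.3). The AEAD is a constructed SHA-256/HMAC stand-in for AES-GCM and the key and IV are constructed values; a sender that stops incrementing its sequence number silently reuses its nonce under the 1.2 layout but fails the receiver's tag check under 1.3, which is the interoperability failure the note above describes.

```python
import hashlib
import hmac

IV_LEN = 12  # nonce length of the AEADs TLS 1.3 uses (AES-GCM, ChaCha20-Poly1305)


def tls13_nonce(static_iv: bytes, seq: int) -> bytes:
    """RFC 8446 5.3: left-pad the 64-bit record sequence number to iv_length
    and XOR it with the static write IV; nothing nonce-related is on the wire."""
    return bytes(a ^ b for a, b in zip(static_iv, seq.to_bytes(IV_LEN, "big")))


def toy_seal(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    # Constructed stand-in for AES-GCM (keystream = SHA-256, tag = HMAC, <=32-byte
    # records). Not a real cipher; it only makes a nonce mismatch fail the tag.
    ks = hashlib.sha256(key + nonce).digest()
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]


def toy_open(key: bytes, nonce: bytes, sealed: bytes):
    ct, tag = sealed[:-16], sealed[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        return None  # bad_record_mac: the receiver must abort
    return bytes(c ^ k for c, k in zip(ct, hashlib.sha256(key + nonce).digest()))


def exchange(tls13: bool, sender_increments: bool, records):
    """Send `records` through a record layer whose sender may forget to advance
    its sequence number. Returns (plaintexts the receiver accepted, nonces the
    receiver used); a None entry means the receiver had to abort."""
    key, iv = b"\x11" * 32, b"\x22" * IV_LEN  # constructed traffic key / write IV
    send_seq = recv_seq = 0
    accepted, nonces = [], []
    for pt in records:
        if tls13:  # both sides derive the nonce from their own counter
            body = toy_seal(key, tls13_nonce(iv, send_seq), pt)
            nonce_rx = tls13_nonce(iv, recv_seq)
        else:  # TLS 1.2 GCM: salt from the key block, explicit nonce sent in the record
            explicit = send_seq.to_bytes(8, "big")
            wire = explicit + toy_seal(key, iv[:4] + explicit, pt)
            nonce_rx, body = iv[:4] + wire[:8], wire[8:]  # receiver trusts the wire value
        if sender_increments:
            send_seq += 1
        recv_seq += 1
        nonces.append(nonce_rx)
        got = toy_open(key, nonce_rx, body)
        accepted.append(got)
        if got is None:
            break
    return accepted, nonces
```

With `exchange(False, False, ...)` every record decrypts and the receiver sees one nonce repeated, so the reuse is invisible to the peer; with `exchange(True, False, ...)` the second record already fails.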