Re: [TLS] rfc7366: is encrypt-then-mac implemented?
Manuel Pégourié-Gonnard <mpg@polarssl.org> Thu, 30 October 2014 13:57 UTC
Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6321F1AD38E for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 06:57:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.997
X-Spam-Level:
X-Spam-Status: No, score=0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_EQ_NL=1.545, J_CHICKENPOX_37=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H6kzNMN6D1ya for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 06:57:24 -0700 (PDT)
Received: from vps2.offspark.com (vps2.brainspark.nl [141.138.204.106]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0703B1AD38C for <tls@ietf.org>; Thu, 30 Oct 2014 06:57:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:To:MIME-Version:From:Date:Message-ID; bh=yrWX4iNdta7lCAis6A+QoVbME2/TlQMuefrd/18ahOA=; b=O+GXBXnaVe2/4P8lRmClLqPonk9gq/v6waGPknbzZt3sJYrEQ4QYHp8JwHqyzIWVnvA8RqfVowFbQ1zf2zfUk+bgqAfsj0Z7/GtKumbBIthUBDjX3Fv2g+9Ln+Gc8E87+b+fB/bdRkiCbhs3MaD174Bvyk/COcl3nZAWw1xxxgM=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.offspark.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1XjqDz-000303-Di; Thu, 30 Oct 2014 14:57:15 +0100
Message-ID: <545243C0.2000802@polarssl.org>
Date: Thu, 30 Oct 2014 14:57:20 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "<tls@ietf.org>" <tls@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9DC0AA@uxcn10-5.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9DC0AA@uxcn10-5.UoA.auckland.ac.nz>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.offspark.com)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/zYBKe9L9n3tNZ_SBWn77ubLzNPs
Subject: Re: [TLS] rfc7366: is encrypt-then-mac implemented?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Oct 2014 13:57:26 -0000
On 30/10/2014 14:40, Peter Gutmann wrote: > Manuel Pégourié-Gonnard <mpg@polarssl.org> writes: > >> Are you refering the "normal" (MtE) case or the EtM case here? > > The EtM case. In the MtE case what gets MAC'd is the plaintext, i.e. only > TLSCompressed.fragment. In the EtM case what gets MAC'd is the ciphertext > including padding and other stuff, so GenericBlockCipher.fragment. > Ok. I'm not sure if it's a good idea to use GenericBlockCipher.fragment to denote this. GenericBlockCipher is a struct defined with a different meaning in RFC 5246. >> MAC(MAC_write_key, seq_num + >> TLSCipherText.type + >> TLSCipherText.version + >> length of ENC(content + padding + padding_length) + >> IV + >> ENC(content + padding + padding_length)); >> >> where the length is encoded as two bytes in the usual way. > > That's still not quite right though because it excludes the length of the IV > when it's present in TLS 1.1+ (see above). You're right obviously. So I change my suggestion to: In TLS [2] notation, the MAC calculation for TLS 1.0 without the explicit Initialization Vector (IV) is: MAC(MAC_write_key, seq_num + TLSCipherText.type + TLSCipherText.version + length of (ENC(content + padding + padding_length)) + ENC(content + padding + padding_length)); and for TLS 1.1 and greater with an explicit IV is: MAC(MAC_write_key, seq_num + TLSCipherText.type + TLSCipherText.version + length of (IV + ENC(content + padding + padding_length)) + IV + ENC(content + padding + padding_length)); MAC(MAC_write_key, seq_num + TLSCipherText.type + TLSCipherText.version + length of (IV + ENC(content + padding + padding_length)) + IV + ENC(content + padding + padding_length)); where the length is encoded as two bytes in the usual way. since the text is already distinguishing between the two. > The intent of using > TLSCipherText.length was to accommodate the different protocol-version- > dependent options. > Ok. I'm afraid here we have a conflict between being concise and being unambiguous, and I'd err on the side of unambiguous. > What about defining it the other way round, instead of saying "the length used > is this and that and sometimes something else", say "the length value used for > the MAC computation is the length as encoded on the wire minus > SecurityParameters.mac_length, since the MAC value is not included in the MAC > computation"? Sounds like a good idea, but there is the minor problem that currently the length on the wire is defined after the MAC computation is defined. > So perhaps: > > Note that the value of the 'uint16 length' field in the TLSCiphertext record > differs from the length value used in the MAC calculation, since the > TLSCiphertext record contains both the ciphtertext and the MAC, while the > MAC calculation is performed only over the ciphertext. So the length value > encoded in the TLSCiphertext record is 'length' while the length value used > in the MAC calculation is 'length - SecurityParameters.mac_length'. > That sounds pretty clear to me. A belt-and-braces approach could even combine this paragraph with my above suggestion... Manuel.
- [TLS] rfc7366: is encrypt-then-mac implemented? Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Ilari Liusvaara
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Henrick Hellström
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Peter Gutmann
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Yngve N. Pettersen
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- [TLS] record-level version number in ClientHello Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Yngve N. Pettersen
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Yngve N. Pettersen
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Christian Kahlo
- Re: [TLS] record-level version number in ClientHe… Martin Thomson
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Martin Rex
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Manuel Pégourié-Gonnard
- Re: [TLS] rfc7366: is encrypt-then-mac implemente… Nikos Mavrogiannopoulos
- [TLS] rfc7366: status Nikos Mavrogiannopoulos
- Re: [TLS] rfc7366: status Martin Rex