[TLS] Decryption_failed alert in TLS 1.1

To: <tls at ietf.org>
Subject: [TLS] Decryption_failed alert in TLS 1.1
From: <Pasi.Eronen at nokia.com>
Date: Thu, 30 Apr 2009 11:41:45 +0200
Accept-language: en-US
Acceptlanguage: en-US
Delivered-to: tls at core3.amsl.com
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Thread-index: AcnJd9/x9Jkejm7KQJi1qtPRd3WAYw==
Thread-topic: Decryption_failed alert in TLS 1.1

Hi,

I'm going through unverified errata for various SEC area RFCs,
and came to errata ID 117 for RFC 4346 (TLS 1.1), available
from here:

http://www.rfc-editor.org/errata_search.php?rfc=4346

Currently, Section 7.2.2 of RFC 4346 says:

   bad_record_mac
      This alert is returned if a record is received with an incorrect
      MAC.  This alert also MUST be returned if an alert is sent because
      a TLSCiphertext decrypted in an invalid way: either it wasn't an
      even multiple of the block length, or its padding values, when
      checked, weren't correct.  This message is always fatal.

and then continues:

   decryption_failed
      This alert MAY be returned if a TLSCiphertext decrypted in an
      invalid way: either it wasn't an even multiple of the block
      length, or its padding values, when checked, weren't correct.
      This message is always fatal.

   Note: Differentiating between bad_record_mac and decryption_failed
         alerts may permit certain attacks against CBC mode as used in
         TLS [CBCATT].  It is preferable to uniformly use the
         bad_record_mac alert to hide the specific type of the error.

These two contradict each other; it first says "bad_record_mac MUST be
sent", but then says decryption_failed "MAY be returned", and using
bad_record_mac is "preferable".

Does anyone recall what the intent here was? Early drafts (until -09) 
said "bad_record_mac SHOULD be returned", but that was later changed 
to "MUST". Should the errata fix this to something like this?

   decryption_failed
      This alert was used in TLS 1.0 if a TLSCiphertext decrypted
      in an invalid way. It MUST NOT be sent in TLS 1.1.

(TLS 1.2 is very clear about this; decryption_failed MUST NOT
be sent.)

Best regards,
Pasi

Follow-Ups:
- Re: [TLS] Decryption_failed alert in TLS 1.1
  - From: Eric Rescorla

Prev by Date: Re: [TLS] New "Fast-Track" draft posted
Next by Date: Re: [TLS] Decryption_failed alert in TLS 1.1
Previous by thread: [TLS] Working Group Last Call for draft-ietf-tls-rfc4366-bis-04
Next by thread: Re: [TLS] Decryption_failed alert in TLS 1.1
Index(es):
- Date
- Thread

[TLS] Decryption_failed alert in TLS 1.1

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.