Re: [TLS] Decryption_failed alert in TLS 1.1

To: <ekr at networkresonance.com>
Subject: Re: [TLS] Decryption_failed alert in TLS 1.1
From: <Pasi.Eronen at nokia.com>
Date: Fri, 25 Sep 2009 09:19:46 +0200
Accept-language: en-US
Acceptlanguage: en-US
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <20090430163727.17D9A194FC4 at kilo.networkresonance.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <808FD6E27AD4884E94820BC333B2DB7727F24D50BE at NOK-EUMSG-01.mgdnok.nokia.com> <20090430163727.17D9A194FC4 at kilo.networkresonance.com>
Thread-index: AcnJsYvQ+I/CT+uWReiAwKtlCgEV7hz/oICA
Thread-topic: [TLS] Decryption_failed alert in TLS 1.1

(catching up on some messages I hadn't replied to yet..)

Thanks for the clarification, Eric! I have now split off this issue to
a separate Errata ID (all the other issues in #117 are editorial):

http://www.rfc-editor.org/errata_search.php?eid=1896

The errata text now says:

Section 7.2.2 says:

   decryption_failed
      This alert MAY be returned if a TLSCiphertext decrypted in an
      invalid way: either it wasn't an even multiple of the block
      length, or its padding values, when checked, weren't correct.
      This message is always fatal.

   Note: Differentiating between bad_record_mac and decryption_failed
         alerts may permit certain attacks against CBC mode as used in
         TLS [CBCATT].  It is preferable to uniformly use the
         bad_record_mac alert to hide the specific type of the error.

It should say:

   decryption_failed
      This alert was used in TLS version 1.0, and MUST NOT be sent in
      TLS 1.1.

   Note: Differentiating between bad_record_mac and decryption_failed
         alerts may have permitted certain attacks against CBC mode 
         as used in TLS 1.0 [CBCATT].  It is preferable to uniformly 
         use the bad_record_mac alert to hide the specific type of 
         the error.

Notes:

   (split off from Errata ID 117 )

   The original text contradicted the text for bad_record_mac
   ("This alert also MUST be returned if an alert is sent because
   a TLSCiphertext decrypted in an invalid way").

Unless I hear any objections soon, I will mark this as "Verified",
and Errata ID 117 as "Held for Document Update".

Best regards,
Pasi

> -----Original Message-----
> From: ext Eric Rescorla [mailto:ekr at networkresonance.com]
> Sent: 30 April, 2009 19:37
> To: Eronen Pasi (Nokia-NRC/Helsinki)
> Cc: tls at ietf.org
> Subject: Re: [TLS] Decryption_failed alert in TLS 1.1
> 
> At Thu, 30 Apr 2009 11:41:45 +0200,
> <Pasi.Eronen at nokia.com> wrote:
> >
> > Hi,
> >
> > I'm going through unverified errata for various SEC area RFCs,
> > and came to errata ID 117 for RFC 4346 (TLS 1.1), available
> > from here:
> >
> > http://www.rfc-editor.org/errata_search.php?rfc=4346
> >
> > Currently, Section 7.2.2 of RFC 4346 says:
> >
> >    bad_record_mac
> >       This alert is returned if a record is received with an
> incorrect
> >       MAC.  This alert also MUST be returned if an alert is sent
> because
> >       a TLSCiphertext decrypted in an invalid way: either it wasn't
> an
> >       even multiple of the block length, or its padding values, when
> >       checked, weren't correct.  This message is always fatal.
> >
> > and then continues:
> >
> >    decryption_failed
> >       This alert MAY be returned if a TLSCiphertext decrypted in an
> >       invalid way: either it wasn't an even multiple of the block
> >       length, or its padding values, when checked, weren't correct.
> >       This message is always fatal.
> >
> >    Note: Differentiating between bad_record_mac and decryption_failed
> >          alerts may permit certain attacks against CBC mode as used
> in
> >          TLS [CBCATT].  It is preferable to uniformly use the
> >          bad_record_mac alert to hide the specific type of the error.
> >
> > These two contradict each other; it first says "bad_record_mac MUST
> be
> > sent", but then says decryption_failed "MAY be returned", and using
> > bad_record_mac is "preferable".
> >
> > Does anyone recall what the intent here was? Early drafts (until -09)
> > said "bad_record_mac SHOULD be returned", but that was later changed
> > to "MUST". Should the errata fix this to something like this?
> >
> >    decryption_failed
> >       This alert was used in TLS 1.0 if a TLSCiphertext decrypted
> >       in an invalid way. It MUST NOT be sent in TLS 1.1.
> >
> > (TLS 1.2 is very clear about this; decryption_failed MUST NOT
> > be sent.)
> 
> Yeah, I think we just did s/SHOULD/MUST/ and didn't remove the
> corresponding MAY
> 
> -Ekr

Follow-Ups:
- Re: [TLS] Decryption_failed alert in TLS 1.1
  - From: Pasi.Eronen

References:
- [TLS] Decryption_failed alert in TLS 1.1
  - From: Pasi.Eronen
- Re: [TLS] Decryption_failed alert in TLS 1.1
  - From: Eric Rescorla

Prev by Date: Re: [TLS] Last Call: draft-ietf-tls-rfc4366-bis (Transport Layer Security (TLS) Extensions: Extension Definitions) to Proposed Standard
Next by Date: Re: [TLS] Last Call: draft-ietf-tls-rfc4366-bis (Transport Layer Security (TLS) Extensions: Extension Definitions) to Proposed Standard
Previous by thread: Re: [TLS] Decryption_failed alert in TLS 1.1
Next by thread: Re: [TLS] Decryption_failed alert in TLS 1.1
Index(es):
- Date
- Thread

Re: [TLS] Decryption_failed alert in TLS 1.1

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.