Re: [TLS] RFC 7366 on Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
Hugo Krawczyk <hugo@ee.technion.ac.il> Thu, 18 September 2014 13:19 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEAE11A00F5 for <tls@ietfa.amsl.com>; Thu, 18 Sep 2014 06:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.977
X-Spam-Level:
X-Spam-Status: No, score=-0.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e66FGqg-UQeI for <tls@ietfa.amsl.com>; Thu, 18 Sep 2014 06:19:04 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04C2B1A8799 for <tls@ietf.org>; Thu, 18 Sep 2014 06:19:02 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id s18so1132839lam.28 for <tls@ietf.org>; Thu, 18 Sep 2014 06:19:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=QDeV9Z6DNuiLYyDB/r8FURPEA/SK63LhopKRHm8ZphA=; b=YRz2LMgIld+CGZrCwQX2cA6sl4WfBJVksm7oKdztUYO4SsX9l4B1ygv9kZrooBa0f3 bg+x2p5SUk9krDxXlEuiiRm2ryeJ6ZoyMfqnHPmIRHL8CKeEqgvSYZb37kQ0nJdb1R76 oKKiVZHtuJQO5xp6mfYl8cdTrRoCjpk2fty73Cfrr4xKcIK0B/1T+iRDNmRq254iibrp G8xz7H4ayv1EwRQ1lv7Rrp7tUjLOCZpA6uRQTyb+5DkVUyjGDgR1DdK2Q8fLhvQy6iDe zXhdF2PIY1Uq8zy0crmfnYIoLpREvqWglswilytRzkFreaNtGX1p2tODWVHoXvyNRiSu /wDg==
X-Received: by 10.112.53.230 with SMTP id e6mr3252046lbp.100.1411046341317; Thu, 18 Sep 2014 06:19:01 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.16.135 with HTTP; Thu, 18 Sep 2014 06:18:31 -0700 (PDT)
In-Reply-To: <CADMpkcK1tAjk7-vp6Ee7b2YL5o_Xak9P7uQq0u6szoR+FTZxMg@mail.gmail.com>
References: <CAO7N=i1=oKqwNSXC4_=DgyHrKVXn1hM7ZjW_fYgxo0gaZSs9QQ@mail.gmail.com> <F1A1C3D1-50F9-4715-A1E4-D8ED42B16367@rhul.ac.uk> <CAO7N=i0UM2NwgkjSjZVgOU5PGpMjr8hGk0hqk_pVAeyCe2pTgg@mail.gmail.com> <CADMpkcK1tAjk7-vp6Ee7b2YL5o_Xak9P7uQq0u6szoR+FTZxMg@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Thu, 18 Sep 2014 09:18:31 -0400
X-Google-Sender-Auth: 1gDmX0EqBGNjuN___26iELbnA5k
Message-ID: <CADi0yUNeW4tpx2NGn_Tj95mtud1jE4K4-WNUum84ZVma+bs9eQ@mail.gmail.com>
To: Bodo Möller <bodomoeller@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c3c96cef9bc3050356d3fd"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/yClfb0g-YrYQTAYaSxABKQZJx48
Cc: "tls@ietf.org" <tls@ietf.org>, Ryan Carboni <ryacko@gmail.com>
Subject: Re: [TLS] RFC 7366 on Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Sep 2014 13:19:05 -0000
What that reference shows is that for authenticate-then-encrypt mode to be secure with cbc and otp encryption (or stream cipher), you must apply the MAC to the plaintext after any encoding (including padding) and, in the case of cbc, in full blocks (and, of course, with unpredictable IVs). Unfortunately, TLS did not do it this way for cbc and that's why all these attacks were possible. The example in the paper, while artificial, explains well why authenticate-then-encrypt with unauthenticated encoding can go wrong. So the math in the paper is correct - the conclusion that TLS does it right is wrong. It doesn't. Hugo On Tue, Sep 16, 2014 at 6:26 PM, Bodo Möller <bodomoeller@gmail.com> wrote: > Ryan Carboni <ryacko@gmail.com>: > > >> If you're upgrading specifications, why not switch to SHA-3, which is >> constant time (AFAIK)? >> > > Part of the problem is that in TLS MAC-then-Encrypt, the position of the > MAC tag depends on the amount of padding -- so *nothing* is constant-time > without considerable effort. > > (It's funny that one of the references provided in the new RFC shows how > MAC-then-Encrypt in TLS is supposedly secure, when the RFC came to be > because actually it isn't.) > > Bodo > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] RFC 7366 on Encrypt-then-MAC for Transport … rfc-editor
- [TLS] RFC 7366 on Encrypt-then-MAC for Transport … Ryan Carboni
- Re: [TLS] RFC 7366 on Encrypt-then-MAC for Transp… Paterson, Kenny
- Re: [TLS] RFC 7366 on Encrypt-then-MAC for Transp… Ryan Carboni
- Re: [TLS] RFC 7366 on Encrypt-then-MAC for Transp… Adam Langley
- Re: [TLS] RFC 7366 on Encrypt-then-MAC for Transp… Ryan Carboni
- Re: [TLS] RFC 7366 on Encrypt-then-MAC for Transp… Adam Langley
- Re: [TLS] RFC 7366 on Encrypt-then-MAC for Transp… Bodo Möller
- Re: [TLS] RFC 7366 on Encrypt-then-MAC for Transp… Hugo Krawczyk