Re: [TLS] padding bug
Eric Rescorla <ekr@rtfm.com> Fri, 20 September 2013 15:53 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C7A321F9AE2 for <tls@ietfa.amsl.com>; Fri, 20 Sep 2013 08:53:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.559
X-Spam-Level:
X-Spam-Status: No, score=-102.559 tagged_above=-999 required=5 tests=[AWL=0.417, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y7+Cn13cmuGO for <tls@ietfa.amsl.com>; Fri, 20 Sep 2013 08:53:34 -0700 (PDT)
Received: from mail-qa0-f50.google.com (mail-qa0-f50.google.com [209.85.216.50]) by ietfa.amsl.com (Postfix) with ESMTP id 303EA21F9AFE for <tls@ietf.org>; Fri, 20 Sep 2013 08:53:31 -0700 (PDT)
Received: by mail-qa0-f50.google.com with SMTP id j7so553501qaq.2 for <tls@ietf.org>; Fri, 20 Sep 2013 08:53:30 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=nYlieQuvtMKrFXsaCS+vLclQAoL99XvNXq525FIGgiE=; b=AaGUnV4YhWdH5ElpsPhVWUMte800pg7OAVD14A49WUBicV+8BK9KCFkpvKPyiR8Ctg Bv5m7vR/R+Cul66wC0Aa+nteJXyY7DAMkHtKk03sRJMmTHriIMjoFLHjPFz0jptuzA/f +COvYqCZqWVQARFQ0ZVvGEH8nnPDAWuebHYGZ22OtQZ27QDCBjybhtEMnURHBQ62Accf khrLeejF0bcF3O5c/Y5MXGkcBHdVjbORcejZ4Ux4Wn8hAnaoSNdPZEMfNFIypLBTpFmr v6bfPBVLtT72S1P+9jo1ymq4wmXwvI6tRya/kwIvJnHYrikKPxD+NbyPSvGl9ek28f56 j3Bw==
X-Gm-Message-State: ALoCoQmayFab9YSwHuAJ4XS+PXJ4oO9OKQ2x8/1aOt1kapiadOq+Pgdj5C+fbeYR7iPYMkaeUMhU
X-Received: by 10.49.3.194 with SMTP id e2mr11711741qee.21.1379692410605; Fri, 20 Sep 2013 08:53:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.49.42.68 with HTTP; Fri, 20 Sep 2013 08:52:50 -0700 (PDT)
X-Originating-IP: [74.95.2.168]
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C7355674A34@uxcn10-6.UoA.auckland.ac.nz>
References: <9A043F3CF02CD34C8E74AC1594475C7355674A34@uxcn10-6.UoA.auckland.ac.nz>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 20 Sep 2013 08:52:50 -0700
Message-ID: <CABcZeBPTiLM6-6OL8ASo6NJvGkYxc0Mn9CM51e1x0j2Em4tvig@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: multipart/alternative; boundary="047d7bb0473408a2d104e6d2ac3e"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] padding bug
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2013 15:53:53 -0000
On Fri, Sep 20, 2013 at 6:29 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>wrote: > Eric Rescorla <ekr@rtfm.com> writes: > > >Of course, this naturally raises the question of whether this document > will > >be accepted by the TLS WG. > > It seems to be accepted by everyone except the WG chairs, who point to: > > >However, as I think recent discussion indicates, there are a number of > >proposed approaches and there isn't really consensus to adopt this > particular > >one > > Can you provide concrete examples of this lack of consensus? These messages from Nikos look negative to me: http://www.ietf.org/mail-archive/web/tls/current/msg09809.html http://www.ietf.org/mail-archive/web/tls/current/msg09520.html This looks like "meh" to me: http://www.ietf.org/mail-archive/web/tls/current/msg09826.html Privately, I've also heard objections to attempting to prolong the life of CBC as a primitive. Perhaps those who expressed this would speak up on the list? It's already > present in deployed implementations (as I mentioned a while back, the > response > of one SSL library developer was "this should have been done ten years > ago"). > So lets reverse this, if the WG chairs think that there are viable > alternative > approaches could they please point to *currently active RFC drafts* (not an > expired six-month-old text but a current draft) with authors willing to > actively champion their approaches on the list? > We have drafts for AEAD w/ CBC: http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-01 And I have heard a variety of suggestions for pushing AEAD down into TLS 1.2 (there's no technical problem here). If we were to do that, the draft would presumably be trivial and then we could simply directly adopt the McGrew draft. If we were to abandon CBC entirely we would mostly want some new stream ciphers. E.g., http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01 http://tools.ietf.org/html/draft-josefsson-salsa20-tls-02 So, certainly if we wanted to to adopt a "triage and selectively replace" strategy, we have the drafts to do it. In addition, we do have a Pad then encrypt then MAC draft that is recent. http://tools.ietf.org/html/draft-pironti-tls-length-hiding-01 That is not to say that the WG could not also adopt your draft, but as I said above, it's not the only alternative. We think this would benefit from F2F discussion and I would invite you or someone else in favor of this draft (or another approach) to present in November in Vancouver. If there is WG consensus for this, we can adopt it then. Best, -Ekr P.S. I am about to go mostly offline through Monday night. Apologies in advance for slow/non-response.
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug Eric Rescorla
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Adam Langley
- Re: [TLS] padding bug Hugo Krawczyk
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Nikos Mavrogiannopoulos
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Paterson, Kenny
- Re: [TLS] padding bug Bodo Moeller
- Re: [TLS] padding bug Michael D'Errico
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Christian Kahlo
- Re: [TLS] padding bug Hovav Shacham
- Re: [TLS] padding bug Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] padding bug Martin Rex
- Re: [TLS] padding bug Andrei Popov
- Re: [TLS] padding bug Ben Laurie
- Re: [TLS] padding bug Kelly John Rose
- Re: [TLS] padding bug Lewis, Nick
- Re: [TLS] padding bug Alfredo Pironti
- Re: [TLS] padding bug Peter Gutmann
- Re: [TLS] padding bug Peter Gutmann