Watson Ladd writes:
>Then use a padding extension that solves all problems, instead of relying on
>a side effect of CBC mode.
It's not a "side-effect of CBC mode", CBC mode allows padding packets, GCM
doesn't, see Colm MacCárthaigh's recent post on the topic.
>Why do we want this to look diffe

On Friday 18 March 2016 08:57:26 Peter Gutmann wrote:
> Watson Ladd writes:
> >Likewise, this draft modifies the way the master secret is computed,
> >despite a widely implemented different solution to the problem,
> >namely the EMS triple handshake fix.
>
> Firstly, that solves an entirely diffe

On Wed, Mar 16, 2016 at 2:14 PM, Paterson, Kenny wrote:
> Much better would be implementing an optional padding feature for the AEAD
> modes. Something like this draft proposes:
>
> https://tools.ietf.org/html/draft-pironti-tls-length-hiding-02
I hadn't seen that! I wonder is there an appetite

Martin Rex writes:
>Though it is a pretty flawed assumption.
>
>I've seen an AEAD cipher implementation fail badly just recently (resulting
>in corrupted plaintext that went unnoticed within TLS--MACing the ciphertext
>is obviously a pretty dumb idea), something that is *MUCH* more unlikely to
>h

Colm MacCárthaigh wrote:
>
> But I take the point that AEAD modes are harder for programmers to screw
> up; and that does have value.
Though it is a pretty flawed assumption.
I've seen an AEAD cipher implementation fail badly just recently (resulting
in corrupted plaintext that went unnoticed wi

On Wed, Mar 16, 2016 at 08:12:48AM -0400, Colm MacCárthaigh wrote:
> On Wed, Mar 16, 2016 at 4:17 AM, Ilari Liusvaara
> wrote:
> >
> > - Duplication of 0-RTT data into 1-RTT data of _different_ connection.
> >
>
> I think using a different content type solves this; the early data is
> illegal in

Watson Ladd writes:
>As written supporting this draft requires adopting the encrypt-then-MAC
>extension. But there already is a widely implemented secure way to use MACs
>in TLS: AES-GCM.
This is there as an option if you want it. Since it offers no length hiding,
it's completely unacceptable