On 2016-03-18 09:57, Peter Gutmann wrote:
> Watson Ladd<watsonbl...@gmail.com> writes:
>
>> As written supporting this draft requires adopting the encrypt-then-MAC
>> extension. But there already is a widely implemented secure way to use MACs
>> in TLS: AES-GCM.
>
> This is there as an option if you want it. Since it offers no length hiding,
> it's completely unacceptable to some users, for example one protocol uses TLS
> to communicate monitoring commands to remote gear, they're very short and
> fixed-length, different for each command, so if you use GCM you may as well be
> sending plaintext. In addition GCM is incredibly brittle, get the IV handling
> wrong and you get a complete, catastrophic loss of both integrity and
> confidentiality. The worst that happens with CBC, even with a complete abuse
> like using an all-zero IV, is that you drop back to ECB mode.

Indeed. For instance, if VM reset attacks are a concern, GCM is arguably
a worse option than CBC, in particular if the CBC record IV generation
can be made to be random even in the case of a VM reset attack.
http://crypto.stackexchange.com/questions/32203/is-tls-secure-against-vm-reset-attacks
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
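As an added example (not part of the thread), a toy model of the two points Gutmann contrasts, with a keyed PRF (HMAC-SHA256) standing in for AES because the Python standard library has no block cipher: GCM-style records reveal each fixed-length command by its size while padded CBC records do not, and a reused nonce in GCM's CTR layer hands back the other record's plaintext outright, whereas an all-zero CBC IV only exposes which leading blocks are equal. The key, nonce and command strings are constructed for the demonstration.

```python
import hashlib
import hmac

BLOCK = 16       # AES block size; GCM's counter block is a 12-byte nonce + 32-bit counter
CBC_RECORD = 64  # constructed: every CBC record is padded out to this many bytes
KEY = b"constructed demo key, not secret"
COMMANDS = [b"ARM", b"DISARM", b"STATUS?", b"REBOOT NOW"]  # constructed fixed-length commands

def prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES (not in the stdlib): a keyed PRF truncated to one block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """GCM's encryption layer: XOR with PRF(nonce || counter). The output is as
    long as the input (real GCM adds only a fixed 16-byte tag), so length leaks."""
    blocks = (len(pt) + BLOCK - 1) // BLOCK
    ks = b"".join(prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return xor(pt, ks)

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC with TLS-style padding stretched to CBC_RECORD bytes (CBC's length-hiding lever)."""
    assert len(pt) < CBC_RECORD
    padded = pt + bytes([CBC_RECORD - len(pt) - 1]) * (CBC_RECORD - len(pt))
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = prf(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def distinct_lengths(key: bytes, commands: list) -> tuple:
    """Distinct record sizes an observer sees for a command set: (GCM-style, CBC-style)."""
    gcm = {len(ctr_encrypt(key, bytes(12), c)) + 16 for c in commands}
    cbc = {len(cbc_encrypt(key, bytes(BLOCK), c)) for c in commands}
    return len(gcm), len(cbc)

def nonce_reuse_leak(key: bytes, nonce: bytes, known: bytes, secret: bytes) -> bytes:
    """Two records under one (key, nonce) share a keystream: c1 XOR c2 == p1 XOR p2."""
    c1, c2 = ctr_encrypt(key, nonce, known), ctr_encrypt(key, nonce, secret)
    return xor(xor(c1, c2), known)

def zero_iv_equal_blocks(key: bytes, pt1: bytes, pt2: bytes) -> int:
    """CBC with an all-zero IV degrades to ECB: equal leading plaintext blocks give
    equal ciphertext blocks (a pattern leak), but no plaintext is recovered."""
    c1, c2 = cbc_encrypt(key, bytes(BLOCK), pt1), cbc_encrypt(key, bytes(BLOCK), pt2)
    n = len(c1) // BLOCK
    return next((i for i in range(n) if c1[i*BLOCK:(i+1)*BLOCK] != c2[i*BLOCK:(i+1)*BLOCK]), n)
```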