
Re: [TLS] Serious crypto problem fixed by envelope HMAC method instead of currently used prefix



Hi, please see inserted:
----- Original Message ----- 
From: "EKR" <ekr@xxxxxxxxxxxxxxxxxxxx>
To: "Omirjan Batyrbaev" <batyr@xxxxxxxxxxxx>
Cc: <TLS@xxxxxxxxxxxxxx>
Sent: Sunday, November 19, 2006 10:45 PM
Subject: Re: [TLS] Serious crypto problem fixed by envelope HMAC method instead of currently used prefix


> "Omirjan Batyrbaev" <batyr@xxxxxxxxxxxx> writes:
>
> > Hi,
> >
> > I propose to use the envelope method instead of the currently used prefix
> > method in HMAC. The measure is important especially since it was pointed
> > out that the NULL cipher suites have a real use and since some ciphers are
> > intentionally weak. With the NULL cipher (or the 40-bit cipher) the current
> > HMAC construct is exploitable by an active attacker who appends to the
> > message and substitutes the new message and the newly generated HMAC value
> > for the original. On the server side the HMAC operation will succeed. Of
> > course it can be the server message that gets compromised this way. This
> > attack is well known in the crypto community and is well documented in HAC
> > (Handbook of Applied Cryptography). The book is available online and I can
> > send you a page reference if you are not familiar with the attack on the
> > HMAC prefix method.
>
>
> Even if there were an appending attack on HMAC, because the length
> value is included in the MAC, I don't believe you can apply the
> attack in the context of TLS.

I agree that the inclusion of the length value has merit, but only if the
peer checks the length value. With the proposed envelope method, even if the
peer does not check the length value, the MAC cannot be forged.
Isn't it better to use the more robust envelope method instead? It is a small
change to the spec and to implementations.

>
> -Ekr
>
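
The appending attack the thread refers to, worked through as an added example (this is not code from the list, from HAC, or from any TLS implementation): the HAC "secret prefix" MAC h(K || M) over a Merkle-Damgard hash, here SHA-1, lets anyone who holds one valid (M, MAC) pair and knows |K| compute a valid MAC for M || glue || S without K, because the published digest is the hash's internal state after absorbing K || M and its padding. The same extension is then tried against the HAC envelope method, against HMAC (the nested construction the TLS MAC is built on), and against a prefix MAC whose input carries a length field, with a verifier that either does or does not check that field against the payload it received, which is the point the reply above raises. The key, messages, glue handling and the length-field layout are constructed for the example and are not TLS record formats.

```python
"""Appending (length-extension) attack on the HAC 'secret prefix' MAC h(K || M),
tried against the envelope method, HMAC and a prefix MAC with a length field.
Added example: keys, messages and MAC layouts are constructed here and are
not TLS record formats."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1_pad(msg_len):
    """The Merkle-Damgard padding SHA-1 appends to a msg_len-byte message."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)

def _sha1_compress(state, block):
    a, b, c, d, e = state
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (_rotl(a, 5) + f + e + k + w[i]) & MASK
        a, b, c, d, e = t, a, _rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e)))

def sha1(data, state=None, prior_len=0):
    """SHA-1 of data. state/prior_len resume hashing as if prior_len bytes
    had already been absorbed into that chaining state (the attacker's tool)."""
    if state is None:
        state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    buf = data + sha1_pad(prior_len + len(data))
    for off in range(0, len(buf), 64):
        state = _sha1_compress(state, buf[off:off + 64])
    return struct.pack(">5I", *state)

# The three constructions discussed in the thread, using HAC's names.
def prefix_mac(key, msg):
    """Secret prefix method: h(K || M)."""
    return sha1(key + msg)

def envelope_mac(key, msg):
    """Envelope method: h(K || pad || M || K). The trailing key means the
    published digest is not the state after M, so it cannot be resumed."""
    return sha1(key + b"\x00" * ((64 - len(key)) % 64) + msg + key)

def hmac_mac(key, msg):
    """HMAC-SHA1 (RFC 2104), the nested construction the TLS MAC is built on."""
    return hmac.new(key, msg, hashlib.sha1).digest()

def length_extend(mac, absorbed_len, suffix):
    """Given only h(X) and |X|, return (glue, h(X || glue || suffix))."""
    glue = sha1_pad(absorbed_len)
    state = struct.unpack(">5I", mac)
    return glue, sha1(suffix, state, absorbed_len + len(glue))

def forgery_accepted(mac_fn, key, msg, suffix):
    """Active attacker sees (msg, mac_fn(key, msg)) and knows |key|, not key.
    True if a verifier holding key accepts msg || glue || suffix."""
    glue, forged_mac = length_extend(mac_fn(key, msg), len(key) + len(msg), suffix)
    return mac_fn(key, msg + glue + suffix) == forged_mac

def verify_with_length(key, hdr_len, payload, mac, check_length):
    """Verifier for h(K || len || M). With check_length=False it MACs over the
    length field it received rather than the length it measured."""
    if check_length and hdr_len != len(payload):
        return False
    return sha1(key + struct.pack(">H", hdr_len) + payload) == mac

def length_field_forgery_accepted(key, msg, suffix, check_length):
    """Appending attack when the MAC input carries a length field: the
    attacker keeps the original length header and appends to the payload."""
    hdr = struct.pack(">H", len(msg))
    mac = sha1(key + hdr + msg)
    glue, forged_mac = length_extend(mac, len(key) + len(hdr) + len(msg), suffix)
    return verify_with_length(key, len(msg), msg + glue + suffix, forged_mac,
                              check_length)

if __name__ == "__main__":
    key, msg, suffix = b"sixteen byte key", b"amount=10&to=alice", b"&to=mallory"
    for name, fn in (("prefix", prefix_mac), ("envelope", envelope_mac), ("hmac", hmac_mac)):
        print(f"{name:9s} forgery accepted: {forgery_accepted(fn, key, msg, suffix)}")
    for chk in (False, True):
        print(f"length field, verifier checks it={chk}: "
              f"{length_field_forgery_accepted(key, msg, suffix, chk)}")
```

The forged message carries the hash padding ("glue") in the clear, which is why the attack matters most where the message is not also encrypted, as with the NULL suites the thread mentions. The last two cases show both sides of the exchange above: a length field inside the MAC input stops the appended message only when the verifier compares that field with the payload it actually received; if it simply feeds the received header into the MAC computation, the extension goes through unchanged.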


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls