Re: [TLS] draft-badra-tls-psk-new-mac-aes-gcm as WG item
<Pasi.Eronen@xxxxxxxxx> writes:
> badra@xxxxxxxx wrote:
>
>> Dear Pasi and Eric,
>>
>> I would like to inform you and the WG that I submitted a document
>> (draft-badra-tls-psk-new-mac-aes-gcm), which specifies combinations
>> of AES_GCM and PSK, and describes a set of ciphersuites with
>> stronger digest algorithms.
>>
>> http://www.ietf.org/internet-drafts/draft-badra-tls-psk-new-mac-aes-gcm-02.txt
>>
>> Since the document is based and heavily borrows from
>> draft-ietf-tls-ecc-new-mac and draft-ietf-tls-rsa-aes-gcm, I would
>> like to request that the TLS WG adopts this document as a WG item.
>
> Comments from TLS WG members? (E.g., volunteers who promise to
> contribute text during the document's development)
The document seems basically done to me, so I'm not sure anyone can
provide much additional text to it.
However, for the record, I have and will continue to review the
document.
Badra, there is a problem in the current document. It is the same
problem I pointed out for TLS-RSA-AES-GCM: The Galois Counter mode can
fail to decrypt, and the document needs to describe how that should be
handled by implementations. I suggest adopting the same fix made in
http://www.ietf.org/internet-drafts/draft-ietf-tls-rsa-aes-gcm-03.txt
specifically, to add:
Implementations MUST send TLS Alert bad_record_mac for all types of
failures encountered in processing the AES-GCM algorithm.
Thanks,
Simon
_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls
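The failure-handling rule Simon asks for above, as an added example that is not part of the draft, the RSA-AES-GCM draft, or Simon's message. It assumes the GenericAEADCipher record layout that draft-ietf-tls-rsa-aes-gcm borrows from (explicit 8-byte nonce carried in the record, 4-byte implicit salt from the key block, additional data = seq_num || type || version || length), and the names SealRecord, OpenRecord and RecordHeader are hypothetical. The point of the example is the decrypt side: a tampered tag, a wrong sequence number, a truncated record and a malformed nonce all collapse to the single bad_record_mac alert, so the peer learns nothing about which check failed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// AlertBadRecordMAC is the TLS AlertDescription value for bad_record_mac (RFC 5246 7.2).
const AlertBadRecordMAC = 20

const (
	saltLen     = 4  // implicit nonce part, taken from the key block (RFC 5288 layout, assumed here)
	explicitLen = 8  // explicit nonce carried in each record
	tagLen      = 16 // GCM authentication tag
)

// RecordHeader holds the fields that go into the additional authenticated data.
// Hypothetical name; the field layout follows the RFC 5288 record construction.
type RecordHeader struct {
	Seq     uint64
	Type    byte
	Version uint16
}

// additionalData builds seq_num(8) || type(1) || version(2) || length(2),
// where length is the plaintext length, as in the RFC 5288 construction.
func additionalData(h RecordHeader, plaintextLen int) []byte {
	ad := make([]byte, 13)
	binary.BigEndian.PutUint64(ad[0:8], h.Seq)
	ad[8] = h.Type
	binary.BigEndian.PutUint16(ad[9:11], h.Version)
	binary.BigEndian.PutUint16(ad[11:13], uint16(plaintextLen))
	return ad
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord produces explicit_nonce || ciphertext || tag for one record.
func SealRecord(key, salt []byte, h RecordHeader, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(salt) != saltLen {
		return nil, fmt.Errorf("salt must be %d bytes", saltLen)
	}
	explicit := make([]byte, explicitLen)
	if _, err := rand.Read(explicit); err != nil {
		return nil, err
	}
	nonce := append(append([]byte{}, salt...), explicit...)
	out := append([]byte{}, explicit...)
	return aead.Seal(out, nonce, plaintext, additionalData(h, len(plaintext))), nil
}

// OpenRecord decrypts one record. On ANY failure (bad key, bad salt, short record,
// tag mismatch, AAD mismatch) it returns ok=false and alert=AlertBadRecordMAC.
// The single return path is deliberate: the peer must not be able to tell the
// failure causes apart.
func OpenRecord(key, salt []byte, h RecordHeader, record []byte) (plaintext []byte, alert byte, ok bool) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, AlertBadRecordMAC, false
	}
	// Length checks come first: cipher.AEAD.Open panics on a wrong-size nonce,
	// so a malformed salt must be rejected before Open is reached.
	if len(salt) != saltLen || len(record) < explicitLen+tagLen {
		return nil, AlertBadRecordMAC, false
	}
	nonce := append(append([]byte{}, salt...), record[:explicitLen]...)
	ctLen := len(record) - explicitLen - tagLen
	pt, err := aead.Open(nil, nonce, record[explicitLen:], additionalData(h, ctLen))
	if err != nil {
		return nil, AlertBadRecordMAC, false
	}
	return pt, 0, true
}

func main() {
	// Constructed demo key and salt; not test vectors from any document.
	key := []byte("0123456789abcdef")
	salt := []byte{1, 2, 3, 4}
	h := RecordHeader{Seq: 7, Type: 23, Version: 0x0303}
	rec, _ := SealRecord(key, salt, h, []byte("hello"))
	rec[explicitLen] ^= 1 // flip one ciphertext bit
	_, alert, ok := OpenRecord(key, salt, h, rec)
	fmt.Printf("tampered record: ok=%v alert=%d\n", ok, alert)
}
```

A sequence-number mismatch and a truncated record fail inside the same Open call or the same length check, and both report bad_record_mac exactly as a tag failure does; an implementation that returned decode_error or decrypt_error for the length cases would be leaking the distinction the draft text is meant to close off.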