Wednesday, 9 March 2016

Understanding The Limits On Authenticated Encryption In TLS

Attacks on even the latest version (version 1.2) of Transport Layer Security (TLS)  have had considerable press recently with the publication of the DROWN attack which uses the legacy SSL v2 as the attack vector. Proof that mistakes of the past can haunt the present. So, as discussion at the Internet Engineering Task Force (IETF) group working on TLS 1.3 continue a very timely paper has emerged adding some very important technical detail on the issue of "key update" in the draft specification.

The paper from researchers at Royal Holloway demonstrates the necessity for key update.  The paper using the Galois Counter Mode (GCM) of the Advanced Encryption Standard (AES) (implemented by a whole range of organisations) to show that the more data that is transmitted using a given key the higher the probability of a successful attack on the confidentiality afforded by AES-CGM.

I personally put a great deal of store in what these authors say: Kenny Paterson was key to showing that RC4 in TLS needed attention.  It is well worth following his work.

The latest work clearly shows that if the limits are not respected when implementing (and specifying) the use of this cipher in TLS then attacks will be possible.  The key being used needs to be updated.

Formal analysis such as this is so important before a specification is issued because it prevents the specification itself being flawed.  There is no guarantee there wont be mistakes in the individual implementations but at least we now know that this feature needs to be in the TLS 1.3 standard - volumes of data transmitted using a single key could very well reach these limits and hence offer an attacker an edge.  Hopefully TLS 1.3 will emerge with the necessary addition.

However, it does leave an interesting question as to how TLS 1.2 (the current latest version) fairs in this regard?