2

SSL typically makes use of the MAC-then-Encrypt technique instead of Encrypt-then-MAC (which is usually considered ideal for most scenarios). I myself don't have full insight into the merits and demerits of both techniques, but based on what I've read and understood so far, I think using Encrypt-then-MAC in the case of SSL would have made more sense.

I also think that this would have protected SSL against many attacks in the past. For example, while talking about preventing Padding Oracle attacks on SSL, @Thomas Pornin quoted in one of his answers:

One must note that if SSL had used encrypt-then-MAC, such problems would have been avoided (the faulty records would have been rejected at the MAC level, before even considering decryption).

And, even after all these attacks in the past, SSL is still NOT using Encrypt-then-MAC! So, my question is, why do we still use MAC-then-Encrypt in SSL? Why not simply use Encrypt-then-MAC for fixing the problems, instead of applying small patching band-aids every time? What is it that is stopping us from using it in the case of SSL?

Rahil Arora

1 Answer

5

The various "patches" which have been applied on SSL/TLS have the nice characteristic of not changing the on-the-wire protocol: they are implementation tricks which work around the issues implied by MAC-then-encrypt. One way to say it is that it is possible to implement and use MAC-then-encrypt securely, but it is not easy.

This backward compatibility with the existing protocol allowed the patches to be implemented and distributed and used right away, whereas a new protocol would have taken years to be widely adopted. For instance, problems with CBC mode in TLS 1.0 (what the "BEAST attack" leverages) have been fixed by a new protocol version (TLS 1.1) since 2006, but browsers began to support it only about 2 years ago, and a large proportion of Web servers still don't support it. A new protocol which fixes issues does not do any good if you cannot use it, because it is not supported on the other side of the connection...

Apart from waiting for a yet-to-be-defined TLS 1.3, which could take some time to be specified, let alone implemented and supported, you might have some luck with TLS 1.2, which supports GCM. GCM is an encryption mode which combines symmetric encryption and a MAC, and does it properly (i.e. MAC-then-encrypt, roughly speaking). Of course, not a lot of browsers and servers support it yet, but at least the specification/approval part is done for these cipher suites.

Thomas Pornin
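The difference in rejection order discussed in the question and answer above can be seen in a small receiver model. This is an added example, not code from either post or from any TLS implementation; the toy Feistel cipher (a stand-in for AES), the PKCS#7-style padding (simpler than TLS's own), and all function names and sample values are assumptions constructed for illustration.

```python
import hashlib, hmac, os
BLOCK, TAG = 16, 32  # cipher block size and HMAC-SHA256 tag size, in bytes

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block(key, blk, dec=False):  # toy 4-round Feistel standing in for AES (constructed)
    l, r = blk[:8], blk[8:]
    for n in ((3, 2, 1, 0) if dec else (0, 1, 2, 3)):
        f = mac(key + bytes([n]), l if dec else r)
        l, r = (xor(r, f), l) if dec else (r, xor(l, f))
    return l + r

def cbc_encrypt(key, pt):
    pad = BLOCK - len(pt) % BLOCK
    pt, out = pt + bytes([pad]) * pad, [os.urandom(BLOCK)]  # padding, random IV
    for i in range(0, len(pt), BLOCK):
        out.append(block(key, xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, ct):
    pt = b"".join(xor(block(key, ct[i:i + BLOCK], True), ct[i - BLOCK:i])
                  for i in range(BLOCK, len(ct), BLOCK))
    pad = pt[-1]
    if not 1 <= pad <= BLOCK or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad_padding")
    return pt[:-pad]

def seal(ek, mk, msg, etm):  # etm=True: tag over ciphertext; False: tag inside it
    ct = cbc_encrypt(ek, msg if etm else msg + mac(mk, msg))
    return ct + mac(mk, ct) if etm else ct

def open_record(ek, mk, rec, etm):
    body = rec if etm else cbc_decrypt(ek, rec)  # MtE has to decrypt and unpad first
    if not hmac.compare_digest(body[-TAG:], mac(mk, body[:-TAG])):
        raise ValueError("bad_mac")
    return cbc_decrypt(ek, body[:-TAG]) if etm else body[:-TAG]

def outcomes(ek, mk, rec, etm):  # flip last byte of 2nd-to-last ct block, 255 ways
    pos, seen = len(rec) - (TAG if etm else 0) - BLOCK - 1, {}
    for delta in range(1, 256):
        bad = rec[:pos] + bytes([rec[pos] ^ delta]) + rec[pos + 1:]
        try:
            open_record(ek, mk, bad, etm)
        except ValueError as err:
            seen[str(err)] = seen.get(str(err), 0) + 1
    return seen
```

For a 21-byte message, `outcomes(..., etm=False)` tallies 254 `bad_padding` and 1 `bad_mac`, so the receiver's failure mode depends on decrypted, unauthenticated bytes; with `etm=True` all 255 tampered records fail as `bad_mac` before `cbc_decrypt` is called.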