RE: Change to padding in encryption -- enabling random access

"Manger, James" <James.H.Manger@team.telstra.com> Mon, 30 January 2017 05:49 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5BE9129979 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 29 Jan 2017 21:49:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.119
X-Spam-Level:
X-Spam-Status: No, score=-10.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=teamtelstra.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qIYPtMWTyb-c for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 29 Jan 2017 21:49:12 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77EBE12996E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 29 Jan 2017 21:49:12 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cY4mm-0001Qr-Jl for ietf-http-wg-dist@listhub.w3.org; Mon, 30 Jan 2017 05:45:52 +0000
Resent-Date: Mon, 30 Jan 2017 05:45:52 +0000
Resent-Message-Id: <E1cY4mm-0001Qr-Jl@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <James.H.Manger@team.telstra.com>) id 1cY4mf-0000T6-IL for ietf-http-wg@listhub.w3.org; Mon, 30 Jan 2017 05:45:45 +0000
Received: from ipxbno.tcif.telstra.com.au ([203.35.82.204]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <James.H.Manger@team.telstra.com>) id 1cY4mX-00058F-LM for ietf-http-wg@w3.org; Mon, 30 Jan 2017 05:45:40 +0000
X-IronPort-AV: E=Sophos;i="5.33,310,1477918800"; d="scan'208";a="128049484"
Received: from unknown (HELO ipcani.tcif.telstra.com.au) ([10.97.216.200]) by ipobni.tcif.telstra.com.au with ESMTP; 30 Jan 2017 16:45:06 +1100
X-IronPort-AV: E=McAfee;i="5700,7163,8423"; a="277786990"
Received: from wsmsg3702.srv.dir.telstra.com ([172.49.40.170]) by ipcani.tcif.telstra.com.au with ESMTP; 30 Jan 2017 16:45:06 +1100
Received: from wsapp5863.srv.dir.telstra.com (10.75.131.32) by wsmsg3702.srv.dir.telstra.com (172.49.40.170) with Microsoft SMTP Server (TLS) id 8.3.485.1; Mon, 30 Jan 2017 16:44:58 +1100
Received: from wsapp5584.srv.dir.telstra.com (10.75.131.20) by wsapp5863.srv.dir.telstra.com (10.75.131.32) with Microsoft SMTP Server (TLS) id 15.0.1236.3; Mon, 30 Jan 2017 16:44:56 +1100
Received: from AUS01-ME1-obe.outbound.protection.outlook.com (10.172.229.125) by wsapp5584.srv.dir.telstra.com (10.75.131.20) with Microsoft SMTP Server (TLS) id 15.0.1236.3 via Frontend Transport; Mon, 30 Jan 2017 16:44:57 +1100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=teamtelstra.onmicrosoft.com; s=selector1-team-telstra-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=RqVf0x7ghDG+29X+zFW/YaT4erR29/KqyvESnQ0bcjw=; b=AWUXmPaeWl5BQIFE7we7eyDBDNX8BbKraAYYoSQnSXBO0qEcyFQ/y8/gvORBDi9vero0kHTnsj3l2VClD66vQj+4iOLZ4q8GWrJ6ykwpAtkcEyXyCdCTXHJSZHejtKw5gojTlp8hfboZM5cfbQr5TekzHaBFr19RYOvKjERRlcM=
Received: from SYXPR01MB1615.ausprd01.prod.outlook.com (10.175.209.15) by SYXPR01MB1613.ausprd01.prod.outlook.com (10.175.209.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.860.13; Mon, 30 Jan 2017 05:44:56 +0000
Received: from SYXPR01MB1615.ausprd01.prod.outlook.com ([10.175.209.15]) by SYXPR01MB1615.ausprd01.prod.outlook.com ([10.175.209.15]) with mapi id 15.01.0860.024; Mon, 30 Jan 2017 05:44:56 +0000
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: Change to padding in encryption -- enabling random access
Thread-Index: AdJ6u17E6Lor8apvSIizqbE+dqcFRA==
Date: Mon, 30 Jan 2017 05:44:56 +0000
Message-ID: <SYXPR01MB1615E160116B0FABB6703DC6E54B0@SYXPR01MB1615.ausprd01.prod.outlook.com>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=James.H.Manger@team.telstra.com;
x-originating-ip: [203.41.142.244]
x-ms-office365-filtering-correlation-id: f1455b66-6063-449d-f7b2-08d448d31f78
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:SYXPR01MB1613;
x-microsoft-exchange-diagnostics: 1; SYXPR01MB1613; 7:Jss21BI8LGHvhQ+xR7XR1nBadQNREfntPoN75dtG0i50+xtgFpIIYDFGpYtEWebxpLFR4wRTa8iPylz68b/RuB4rGQW8hhJGTwigcFYgNLTzMPes6aQedeaeXLKi7pajMINstaPEywp7nr4IHB9VkPjXkS+VMu3aaJD9DLcXZwfdD8Ik1pc2mybbVuxL8sa5EwYWcKain0/y7KFwlpV5T9fJ5Vz9tEK1qVj05VkV+wojW/pjb/V5WaLfzjiXarWmdVJsok29hFT/C9RHB604Ky8c7ArjeU3PQTTrDdX56qAjaqzdvnTTbgiiTILMI3F2LgUt/AHTuvDuELkRs7IFVAXcKX5k/dqakQRZ6CjrUv4/P4cfDFW+IHkWPIuKCxu/j3CNyYslw9tIY8Gim8fA4t/UT1boJbgyi4qX1OOy9ItkyotTX5GzISx0VUhyJtWgRFleyQ/5S8A69ClsEb5EbA==
x-microsoft-antispam-prvs: <SYXPR01MB16139FF430985774909669C8E54B0@SYXPR01MB1613.ausprd01.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(166708455590820);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6041248)(20161123555025)(20161123560025)(20161123562025)(20161123564025)(6072148); SRVR:SYXPR01MB1613; BCL:0; PCL:0; RULEID:; SRVR:SYXPR01MB1613;
x-forefront-prvs: 0203C93D51
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39450400003)(13464003)(189002)(199003)(377454003)(9686003)(189998001)(305945005)(99286003)(8936002)(229853002)(50986999)(54356999)(6306002)(107886002)(55016002)(106356001)(77096006)(101416001)(53936002)(3280700002)(6436002)(39060400001)(6506006)(74316002)(25786008)(38730400001)(2906002)(68736007)(97736004)(5001770100001)(105586002)(3846002)(33656002)(92566002)(7736002)(81166006)(2900100001)(66066001)(86362001)(5660300001)(3660700001)(81156014)(42882006)(8676002)(102836003)(7696004)(122556002)(6116002); DIR:OUT; SFP:1102; SCL:1; SRVR:SYXPR01MB1613; H:SYXPR01MB1615.ausprd01.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:0; LANG:en;
received-spf: None (protection.outlook.com: team.telstra.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jan 2017 05:44:56.8402 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 49dfc6a3-5fb7-49f4-adea-c54e725bb854
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYXPR01MB1613
X-OriginatorOrg: team.telstra.com
Received-SPF: none client-ip=203.35.82.204; envelope-from=James.H.Manger@team.telstra.com; helo=ipxbno.tcif.telstra.com.au
X-W3C-Hub-Spam-Status: No, score=-2.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, W3C_NW=0.5
X-W3C-Scan-Sig: titan.w3.org 1cY4mX-00058F-LM 7d12eaf3df731e3cf03f797063abbaed
X-Original-To: ietf-http-wg@w3.org
Subject: RE: Change to padding in encryption -- enabling random access
Archived-At: <http://www.w3.org/mid/SYXPR01MB1615E160116B0FABB6703DC6E54B0@SYXPR01MB1615.ausprd01.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33392
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Random access to content via a range request is almost supported by aes128gcm, but as the draft says it "could be confounded by the presence of padding". You can decrypt, say, the 100th 1KB record, but that gives you no clue how many of the earlier 99,693 bytes are content vs padding — unless you are told.

How about a flag in the padding delimiter byte that, if set, means there is no padding in earlier records?

An encryptor that wants to enable random access can easily flag this in an authentic manner.
A decryptor that doesn't care can easily ignore the flag.



Typo in PR #283:
✗ "all other octets have a padding delimiter with the value 1"
✓ "all other records have a padding delimiter with the value 1"

--
James Manger

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: Monday, 30 January 2017 3:59 PM
To: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Change to padding in encryption

Based on the discussion thus far, I've put together a PR that changes
how padding works.

https://github.com/httpwg/http-extensions/pull/283