IETF Logo Mail Archive

Re: [secdir] secdir review of draft-alakuijala-brotli-08

Tobias Gondrom <tobias.gondrom@gondrom.org> Tue, 12 April 2016 16:16 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3594212D71D; Tue, 12 Apr 2016 09:16:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.046
X-Spam-Level:
X-Spam-Status: No, score=-101.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_DYNAMIC_IPADDR=1.951, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); domainkeys=pass (1024-bit key) header.from=tobias.gondrom@gondrom.org header.d=gondrom.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id riH9rYpGIBnb; Tue, 12 Apr 2016 09:16:18 -0700 (PDT)
Received: from lvps5-35-241-16.dedicated.hosteurope.de (www.gondrom.org [5.35.241.16]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F41512D953; Tue, 12 Apr 2016 09:16:17 -0700 (PDT)
Received: from [192.168.43.211] (ip-109-43-3-20.web.vodafone.de [109.43.3.20]) by lvps5-35-241-16.dedicated.hosteurope.de (Postfix) with ESMTPSA id 05E2F63380; Tue, 12 Apr 2016 18:16:14 +0200 (CEST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=gy4hswCFIRqPBKPBnKsuTIiMo5XZoNLgI+lAJxWFsQKroj5xJKQe0CKbcsIjjC99dqq94mlvPTYOPeUQgNpSBqp48EKX8Erwy2rdGSz7tEWB4JTeLDHKLRFjnV6jte1u4y+oUf3k6tECJN6gjpn5QkhPfCxkubs1WQPlerobwcg=; h=Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Message-ID: <570D1F4D.6010306@gondrom.org>
Date: Tue, 12 Apr 2016 18:16:13 +0200
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: dkg@fifthhorseman.net, frank.xialiang@huawei.com, iesg@ietf.org, secdir@ietf.org, draft-alakuijala-brotli.all@tools.ietf.org
References: <C02846B1344F344EB4FAA6FA7AF481F12AF2C416@SZXEMA502-MBS.china.huawei.com> <87bn5guq9l.fsf@alice.fifthhorseman.net>
In-Reply-To: <87bn5guq9l.fsf@alice.fifthhorseman.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/MgWAxIDT3WRIXsL-CRateIf_4WQ>
Subject: Re: [secdir] secdir review of draft-alakuijala-brotli-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2016 16:16:20 -0000

Dear Daniel,
in my understanding this ID is _only_ about a compression, not about 
encryption.
Therefore it is not even intended to be resistant to the attack you 
describe below.
(for proper confidentiality the channel would need to be encrypted.)
Best regards, Tobias



On 11/04/16 17:19, Daniel Kahn Gillmor wrote:
> On Mon 2016-04-11 01:47:40 -0400, "Xialiang (Frank)" <frank.xialiang@huawei.com> wrote:
>> This document defines a lossless compressed data format that
>> compresses data using a combination of the LZ77 algorithm and Huffman
>> coding, with efficiency comparable to the best currently available
>> general-purpose compression methods.
>   [...]
>> In general, this document specify a new compressed data format which
>> is used in the end points of a connection, which is not directly
>> subject to network security issues. In other words, the compressed
>> contents can be protected by all the existing security technologies
>> (i.e., encryption, authentication/authorization, anti-attack, etc) if
>> necessary. The main security concern is about how the bad (or faked)
>> compressed data will attack the end system, such as: buffer overflow
>> and resource consumption! Some of the concerns are covered in the
>> "Security Considerations" section.
> This list of security concerns doesn't cover a popular recent abuse of
> compression algorithms, which is an attacker getting to repeatedly mix
> arbitrary (attacker-supplied) data with secret data (passwords, cookies)
> that gets sent over an encrypted channel.  An attacker who can do this
> and observe the length of the ciphertext can potentially reconstruct the
> secret data.
>
> See for example:
>
>   https://en.wikipedia.org/wiki/CRIME
>
> If this compression algorithm is resistant to this attack (which i
> doubt), it should be stated so in the draft.  If it is not resistant to
> the attack, then the draft should at least make note of the issue and
> pointedly suggest that applications compressing sensitive data before
> encrypted transport MUST NOT mix sensitive data with non-sensitive
> (potentially-attacker-supplied) data in the same compression stream.  Or
> would separating sensitve/non-sensitive data in one stream into distinct
> meta-blocks be sufficient?  i don't understand the encryption scheme
> well enough to know.  Either way, the authors of the draft are likely in
> the best position to make that clear.
>
> Regards,
>
>      --dkg
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

v2.23.0 | Report a Bug | By Email