IETF Logo Mail Archive

Re: [TLS] Rethink TLS 1.3

Nikos Mavrogiannopoulos <nmav@redhat.com> Fri, 28 November 2014 10:18 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 598C51A1ADC for <tls@ietfa.amsl.com>; Fri, 28 Nov 2014 02:18:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RTdnEq5InKIv for <tls@ietfa.amsl.com>; Fri, 28 Nov 2014 02:18:46 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABE6A1A1ADB for <tls@ietf.org>; Fri, 28 Nov 2014 02:18:46 -0800 (PST)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id sASAIi2c021133 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 28 Nov 2014 05:18:44 -0500
Received: from [10.34.2.127] (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id sASAIgS3016324 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Fri, 28 Nov 2014 05:18:43 -0500
Message-ID: <1417169921.6779.18.camel@dhcp-2-127.brq.redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 28 Nov 2014 11:18:41 +0100
In-Reply-To: <CACsn0cnAYgWeXmH3mTd9v=jVXYX70trOhdQxv4hsFk=OxD48bg@mail.gmail.com>
References: <20141124105948.GH3200@localhost> <20141124165601.0E7A71B004@ld9781.wdf.sap.corp> <CACsn0ckcpNYJbnb+vd=nazXQhN5m3=L1DxO+KnLXMVyWOQ-PUQ@mail.gmail.com> <3283678.0WkSFC7mCs@pintsize.usersys.redhat.com> <CACsn0c=7fzAmshr7qamiLZdRUNs8kexQPR4E6n3teqNi4HzOjQ@mail.gmail.com> <CAOgPGoAEyH4MRAjGHyUg1c9PuY2c6SmfB+6jgBegRi6dvVchDQ@mail.gmail.com> <CACsn0ckqZOf7mrXsjcCh0NGx=MDyoAcK7GT+_TxFe1Do7Xtuyw@mail.gmail.com> <24500329.3561152.1416988006072.JavaMail.zimbra@redhat.com> <CACsn0c=K0fBcQU3S5qv7yUtz+KP5vAQDpxVHKMwVpP_iS1tWHQ@mail.gmail.com> <1417079088.11680.7.camel@dhcp-2-127.brq.redhat.com> <CACsn0cnAYgWeXmH3mTd9v=jVXYX70trOhdQxv4hsFk=OxD48bg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/0p6Bp2M5u_b0mYipKGfs0MnauHM
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Rethink TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Nov 2014 10:18:48 -0000

On Thu, 2014-11-27 at 15:01 -0800, Watson Ladd wrote:
> On Thu, Nov 27, 2014 at 1:04 AM, Nikos Mavrogiannopoulos
> <nmav@redhat.com> wrote:
> > On Wed, 2014-11-26 at 16:03 -0800, Watson Ladd wrote:
> >
> >> >> Parsing TLS is one of the biggest issues in implementations. I can't
> >> >> promise to write the tool to auto-generate the parser, but we should be
> >> >> sufficiently chastised by all those who tried and failed to parse TLS
> >> >> records with handwritten C to consider not doing it ourselves.
> >> > Where does this come from? TLS is one of the easiest protocols to parse.
> >> OpenSSL couldn't parse an echo request correctly.
> >
> > This is a TLS extension and is known to be unnecessarily complex. It
> > proves nothing about the TLS parsing complexity that you mention.
> 
> The construct of a heartbeat payload is a vector. It's simpler, not
> more complex, than many structures in TLS.

Then you may not have seen many structures in TLS. The heartbeat
structure is unlike _any_ other structure in TLS. 
   struct {
      HeartbeatMessageType type;
      uint16 payload_length;
      opaque payload[HeartbeatMessage.payload_length];
      opaque padding[padding_length];
   } HeartbeatMessage;

So you have a length, and two payloads. One is padding with separate non
explicit length, defined as "padding_length = TLSPlaintext.length -
payload_length - 3", and the other is supposed to have the previously
mentioned length. That construction is unique on the TLS protocol, and
has interesting properties, such as the padding length affecting the
TLSPlaintext.length it depends on it. It is no surprise it has caused
bugs.

A simple structure according to the TLS rules is:
   struct {
      HeartbeatMessageType type;
      opaque payload<0..2^16-1>;
   } HeartbeatMessage;

With the latter you can reuse any parser already created for TLS
messages, and you have no interplay between different lengths. The
former requires a special parser. So really have you actual read, or
tried to implement the documents that you claim are simple or complex?

regards,
Nikos

v2.23.0 | Report a Bug | By Email