Re: [TLS] Headerless records (was: padding)

Kyle Rose <krose@krose.org> Tue, 25 August 2015 14:26 UTC

From: Kyle Rose <krose@krose.org>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/2WJma3BWkyg31vHRaTtPATzU4m4>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Headerless records (was: padding)

>>         uint16 length = TLSPlaintext.length;
>
> You can't recover the plaintext without knowing how long it is.  This
> part at a minimum needs to be in the clear.  At which point you need
> it to be based on TLSCiphertext.length

Is that really true? You could decrypt the first block/few bytes to
get the length (without authentication, of course) and then decrypt
the remainder according to this candidate length. Then authenticate
the entire record to make sure the candidate length was correct.

(I am not claiming anything about the purity of this approach, only
that it is technically feasible.)

Kyle
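
The approach described in this message, as an added example that is not part of the original post or of any TLS draft: the receiver decrypts only the encrypted length field, treats it as a candidate, and accepts the record only once the tag over the whole record verifies. Assumptions: all names are hypothetical, a stand-in HMAC-SHA256 keystream with an encrypt-then-MAC tag replaces a real TLS cipher (so the tag is checked before the remainder is decrypted), and the 2^14 bound on the candidate length is a check added here.

```python
import hashlib, hmac, struct

MAX_PLAINTEXT = 2 ** 14  # TLS record plaintext limit
TAG_LEN = 32             # HMAC-SHA256 tag

def keystream(key, seq, n):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), an assumption of
    # this example so it runs on the standard library; not a TLS cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QI", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def record_tag(mac_key, seq, ct):
    return hmac.new(mac_key, struct.pack(">Q", seq) + ct, hashlib.sha256).digest()

def seal(enc_key, mac_key, seq, plaintext):
    # Encrypt (uint16 length || plaintext) and append a tag; nothing in clear.
    body = struct.pack(">H", len(plaintext)) + plaintext
    ct = xor(body, keystream(enc_key, seq, len(body)))
    return ct + record_tag(mac_key, seq, ct)

def open_from_stream(enc_key, mac_key, seq, stream):
    # Returns (plaintext, bytes_consumed), or None when more bytes are needed.
    if len(stream) < 2:
        return None
    # Decrypt just the length field. It is unauthenticated here: a candidate.
    (cand,) = struct.unpack(">H", xor(stream[:2], keystream(enc_key, seq, 2)))
    # Bound the candidate before it drives any buffering decision.
    if cand > MAX_PLAINTEXT:
        raise ValueError("candidate length exceeds record limit")
    total = 2 + cand + TAG_LEN
    if len(stream) < total:
        return None
    ct, tag = stream[:2 + cand], stream[2 + cand:total]
    # Authenticating the whole record is what confirms the candidate length.
    if not hmac.compare_digest(tag, record_tag(mac_key, seq, ct)):
        raise ValueError("record authentication failed")
    # Release plaintext only after the tag verifies.
    return xor(ct, keystream(enc_key, seq, len(ct)))[2:], total
```

A receiver that gets `None` keeps buffering, and the bound on the candidate length caps how much it will buffer for a record whose length field was tampered with.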