IETF Logo Mail Archive

Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Hubert Kario <hkario@redhat.com> Tue, 01 December 2015 11:02 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B61E1A8A3F for <tls@ietfa.amsl.com>; Tue, 1 Dec 2015 03:02:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.311
X-Spam-Level:
X-Spam-Status: No, score=-6.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_84=0.6, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2AmsqTukAVqg for <tls@ietfa.amsl.com>; Tue, 1 Dec 2015 03:02:11 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF8031A8A39 for <tls@ietf.org>; Tue, 1 Dec 2015 03:02:10 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (Postfix) with ESMTPS id 3AFB1D69D9; Tue, 1 Dec 2015 11:02:10 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (dhcp-0-114.brq.redhat.com [10.34.0.114]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id tB1B28Ho020672 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 1 Dec 2015 06:02:09 -0500
From: Hubert Kario <hkario@redhat.com>
To: Jacob Appelbaum <jacob@appelbaum.net>
Date: Tue, 01 Dec 2015 12:02:07 +0100
Message-ID: <8237123.IbIWt7fMrM@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.10 (Linux/4.2.6-200.fc22.x86_64; KDE/4.14.14; x86_64; ; )
In-Reply-To: <CAFggDF0yyMP3ErgHjNKbF1Nu3CUutCXaay+e0vEMOiDNNbKSLQ@mail.gmail.com>
References: <56586A2F.1070703@gmail.com> <2564045.EyFMgGcPZE@pintsize.usersys.redhat.com> <CAFggDF0yyMP3ErgHjNKbF1Nu3CUutCXaay+e0vEMOiDNNbKSLQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart5991821.sbMHVJVuhf"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/39b65OhXMsK7OmEk0AplSga_CRU>
Cc: tls@ietf.org
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2015 11:02:13 -0000

On Tuesday 01 December 2015 00:14:14 Jacob Appelbaum wrote:
> On 11/30/15, Hubert Kario <hkario@redhat.com> wrote:
> > On Monday 30 November 2015 10:58:48 Bryan A Ford wrote:
> >> On 11/30/15 2:40 AM, Peter Gutmann wrote:
> >> > Nikos Mavrogiannopoulos <nmav@redhat.com> writes:
> >> >> I believe your proposal is a nice example of putting the cart
> >> >> before the horse. Before proposing something it should be clear
> >> >> what do you want to protect from, what is the threat?
> >> > 
> >> > Exactly.  If you want to thwart traffic analysis, you need to do
> >> > something like what's done by designs like Aqua ("Towards
> >> > Efficient
> >> > Traffic-analysis Resistant Anonymity Networks"), or ideas from
> >> > any
> >> > of the other anti-traffic- analysis work that's emerged in the
> >> > past
> >> > decade or two.
> >> 
> >> I'm well aware of Aqua and "the other anti-traffic-analysis work
> >> that's emerged in the past decade or two": in fact I led one of the
> >> 
> >> major recent systematic projects in that space.  See for example:
> >> 	http://dedis.cs.yale.edu/dissent/
> >> 	http://cacm.acm.org/magazines/2015/10/192387-seeking-anonymity-in-> >> 	an->>> 
> >> internet-panopticon/fulltext
> >> 
> >> > You get traffic
> >> > analysis resistance by, for example, breaking data into
> >> > fixed-length
> >> > packets, using cover traffic, and messing with packet timings,
> >> > not
> >> > by
> >> > encrypting TLS headers.
> >> 
> >> Packet padding and header encryption are both important,
> >> complementary security measures: you get security benefits from
> >> each that you don't get from the other.  Yes, you need padding to
> >> obtain systematic protection from traffic analysis - when for
> >> whatever reason not all implementations are always padding to the
> >> exact same standardized record length, header encryption makes
> >> padded streams less trivially distinguishable from unpadded
> >> streams, and makes streams with different record sizes less
> >> trivially distinguishable from each other.
> > 
> > the header contains only one piece of information, and it is public
> > already - the amount of data transmitted*
> 
> I'm pretty sure TLS has a lot more data...

in TLS v1.3 no, it doesn't. All encrypted packets must have the 
plaintext record type set to Application Data[1], same for version - 
it's frozen now at 3.1 (TLS1.0)[2], both are used just as a magic value.

> > this goes well past the TLS WG charter, if only because it requires
> > very close cooperation with the application layer
> > 
> > so while the padding mechanism should be there, we really can't
> > describe how it needs to be used, as it can't be made universal nor
> > is it necessary for all use cases
> 
> I think it should be described how it needs to be used...

Yes, I misspoke. What I meant is that we can't mandate its use as it is 
an application layer issue. We definitely should describe how it needs 
to be used on TLS level.

> >  * - sure, the record layer boundaries can tell something about the
> >  data> 
> > being transmitted, but so can the presence of data transmission
> > taking place in the first place (think of a station sending reports
> > only when it detects something while keeping connection open the
> > whole time)
> Yes, they tell something and that something is better removed.

then we need Best Current Practice for applications describing to them 
how TLS needs to be used, e.g. make sure that they are doing writes as 
big as possible, checking if timing of responses doesn't leak much 
information, etc. Forcing TLS implementation to combine writes will 
easily cause serious problems with interactivity of sessions...

> >> One thing that would greatly help Tor and all similar,
> >> padded protocols is if they could "blend in" even just a little bit
> >> better with the vast bulk of ordinary TLS-encrypted Web traffic,
> >> and
> >> that's one of the big opportunities we're talking about here.
> > 
> > the initial message in handshake in TLS MUST stay the same thus it
> > is
> > impossible to make it look like Tor. Not to thwart the Pervasive
> > Monitoring threat of TLA agencies.
> 
> That Tor claim is strange and seemingly false in any case. Also, I've
> said it before quoting the RFC but I'll say it again: Pervasive
> Monitoring is an attack.

Not claiming it isn't. But some things (like compression) are best done 
at application layer, not TLS layer.
 
> >> If you think it is practical for the TLS 1.3 standard to specify a
> >> single, fixed record size that all implementations of TLS 1.3 must
> >> use (i.e., explicitly freeze not only the version field but the
> >> length field), then that would be great for traffic analysis
> >> protection and on that basis I would support that proposal.  But
> >> that frankly seems to me likely a bit too much to ask given the
> >> diversity of TLS implementations and use-cases.  Tell me if you
> >> believe otherwise.> 
> > That will just round up to a multiple of 256 bytes the data sizes
> > transmitted. Hardly an improvement over the current 16 byte blocks.
> 
> Closer to 512 bytes is better.

Either hardly helps if you're not transferring packets with null data to 
really hide the amount of data transferred.

 1 - https://tools.ietf.org/html/draft-ietf-tls-tls13-10#section-5.2.2
   opaque_type
      The outer opaque_type field of a TLSCiphertext record is always
      set to the value 23 (application_data) for outward compatibility
      with middleboxes used to parsing previous versions of TLS.  The
      actual content type of the record is found in fragment.type after
      decryption.
 2 - https://tools.ietf.org/html/draft-ietf-tls-tls13-10#section-5.2.2
   record_version
      The record_version field is identical to
      TLSPlaintext.record_version and is always { 3, 1 }.  Note that the
      handshake protocol including the ClientHello and ServerHello
      messages authenticates the protocol version, so this value is
      redundant.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email