Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Andrei Popov <Andrei.Popov@microsoft.com> Fri, 15 December 2017 14:57 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82FC2128B93 for <tls@ietfa.amsl.com>; Fri, 15 Dec 2017 06:57:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lGJEzKKpx2U8 for <tls@ietfa.amsl.com>; Fri, 15 Dec 2017 06:57:37 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0118.outbound.protection.outlook.com [104.47.36.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67F9B120721 for <tls@ietf.org>; Fri, 15 Dec 2017 06:57:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=b1leLPKPvyTKwz1jdPpk1wJpWxbtMrNAqIQVIwPQUgA=; b=Rj9my1C2i54vdmvDNLZWe296CInFeYCqhB5gUCHo0qv3hGophau/WTPHcwfsH5Ox15/4FXonOFhOLJ+DjjUg5BWkq17Mqa10FkCKGY9GlI+YROS7PBZ+pFk2iESUI84NHZN5P4cZzglUvSXjyPM5GRn4+gKJ8Z38i9slqTC4BG0=
Received: from MWHPR21MB0189.namprd21.prod.outlook.com (10.173.52.135) by MWHPR21MB0479.namprd21.prod.outlook.com (10.172.102.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.345.2; Fri, 15 Dec 2017 14:57:34 +0000
Received: from MWHPR21MB0189.namprd21.prod.outlook.com ([10.173.52.135]) by MWHPR21MB0189.namprd21.prod.outlook.com ([10.173.52.135]) with mapi id 15.20.0345.002; Fri, 15 Dec 2017 14:57:34 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, =?utf-8?B?Q29sbSBNYWNDw6FydGhhaWdo?= <colm@allcosts.net>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS
Thread-Index: AQHTdSqavAlrna8BzEyYxpCWE2aK26NDc+uAgAAd44CAAARHAIAAATeAgADhAoCAAAcvAA==
Date: Fri, 15 Dec 2017 14:57:33 +0000
Message-ID: <MWHPR21MB01897F29048C1B2AB66EA7488C0B0@MWHPR21MB0189.namprd21.prod.outlook.com>
References: <CAAF6GDeeo2xjv1Xu7SFXVZ_zM=XUVJHT=eqH4_-G3+4UHsfvgg@mail.gmail.com> <CACsn0cmMbbT1iAfmxnXHe00dNiqBMyoNkk7e2CyTKWrcdRTtcQ@mail.gmail.com> <CAAF6GDf+GxToBAN83O3NtLO4zJ-8Qax8KjMCGhXv_EhY+NDsKg@mail.gmail.com> <20171215020116.04f9ae15@pc1> <CAAF6GDe79w9XH1GrGvvR-+=uEKfi6GczacUX3Jhy0dL_zW67-Q@mail.gmail.com> <20171215143057.GA17121@LK-Perkele-VII>
In-Reply-To: <20171215143057.GA17121@LK-Perkele-VII>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=andreipo@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-12-15T14:57:50.0660470Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
x-originating-ip: [50.47.136.80]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR21MB0479; 6:dXLMyFUx1PyNyULvTGsGlejUxb0EzWNZioGgebhBIGAVPEIZ8N8p0OfV+V8O0ehQMQ1lAc/HdOI7ef0zHZko6wrc+DKMFTlh0zHhnvGCQ0uFL6YDuGyd+c5h5TB5ZYxctlCdOy+waR3GzZSFFwa6T1sqaQZCL7juhBNMOCPjqPwbTw1XqK7ytSqcDO1Si6fyluyoT7b766UaJ+m8HjU+0blavet2vHalDXPvYVYE8qhgBlNRGW5u28HUHAwqhbV92UjFjiVOwbKbuo6CRQ2ql1IUyvr9G9KAumGtOANwgcdfPapgafpdKN+GFtjX5m0SdSgckAGMnpVM8w7uHTw+tK5N/y4PO7Z6WG2s5VE9qoE=; 5:QY+ReArpCXFWXTcLGdq9eKbnvPMBR5B6kO2LCuIpzvaJameQohELAz+u8TsmQc6jRel3+21O6408DQOKkudpCcYcxuGnwE0hc0eiBizA/EO/xXQMGqAlDkdws39sHDlw19ZQn9eyJPUzTmBgOHFrh+4eTh1eLFMtRwzyUvjgQ44=; 24:DRs1PFNVKWoYnUdGl4jTj6SOL2vmqnxmyio5vEMFgeLQYLOLshOC63mdC23ACtA2w46B1KvnrMvicgBUSueya2rvRA0q3s1FYIVmuM/Q5Yg=; 7:GvHAz0H9mH3AQiw9609s5th26qlR+LapMFQ2m1Xt0Rm6iQLDqeLVgRgLDdvLqjICIwgXyNlTcUv66FDJ3GUrrmw37Yh0VZr81N1y1395JwM10mMp9MaBFl5LBQ85rzeTy9BjluXcjl/xWTAFEHTDkMDttlNPOjhr1RNZ+jAsJLRXdMrTXnnTIyk/b9lSA425TSFKrDhuPz6yvLJ7FBrB2hZDjtdFVrOHA6pwQrWhtZApJY4+lXOHx+jgAcKYnVfj
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 075ff05d-a822-40af-a48b-08d543cc2c6f
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(5600026)(4604075)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(48565401081)(2017052603307); SRVR:MWHPR21MB0479;
x-ms-traffictypediagnostic: MWHPR21MB0479:
x-microsoft-antispam-prvs: <MWHPR21MB0479BBCA4BD8044D40E512818C0B0@MWHPR21MB0479.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(189930954265078)(219752817060721);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040450)(2401047)(8121501046)(5005006)(93006095)(93001095)(3231023)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123555025)(20161123562025)(20161123558100)(20161123564025)(6072148)(201708071742011); SRVR:MWHPR21MB0479; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:MWHPR21MB0479;
x-forefront-prvs: 05220145DE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(346002)(39860400002)(396003)(376002)(13464003)(24454002)(199004)(189003)(86612001)(3280700002)(99286004)(5660300001)(7696005)(105586002)(66066001)(2900100001)(10090500001)(106356001)(53546011)(102836003)(3846002)(2950100002)(6306002)(3660700001)(9686003)(2906002)(8936002)(6506007)(110136005)(68736007)(22452003)(93886005)(6116002)(316002)(76176011)(8990500004)(55016002)(229853002)(33656002)(6436002)(72206003)(77096006)(25786009)(6246003)(81166006)(8676002)(10290500003)(478600001)(14454004)(97736004)(575784001)(86362001)(4326008)(305945005)(966005)(7736002)(74316002)(81156014)(53936002)(29543002); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR21MB0479; H:MWHPR21MB0189.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 075ff05d-a822-40af-a48b-08d543cc2c6f
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Dec 2017 14:57:33.9759 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR21MB0479
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3xSVaPRdb3WvH1pcbsmn_kTM7ow>
Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2017 14:57:39 -0000

Here's an attempt to define a SHA-2 alternative: https://tools.ietf.org/html/draft-wconner-blake2sigs-01

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Ilari Liusvaara
Sent: Friday, December 15, 2017 6:31 AM
To: Colm MacCárthaigh <colm@allcosts.net>;
Cc: tls@ietf.org
Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

On Thu, Dec 14, 2017 at 05:05:37PM -0800, Colm MacCárthaigh wrote:

> But I do think the question
> is worth having an answer for. I think we *do* need to prepare for 
> turning off AES, there's always a chance we might have to.

Even nastier dependency: SHA-2. If that breaks, currently both TLS 1.2 and 1.3 break. There are no alternatives defined.

Yes, sure SHA-2 has taken a lot of cryptoanalysis without serious trouble (I think one reason for starting SHA-3 process was preceived weakness in SHA-2, that later turned out not to be the case). 


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&data=04%7C01%7CAndrei.Popov%40microsoft.com%7C22779f9a38834781928208d543c87f97%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636489450805010503%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sdata=yVHsF021AGtXGR0DDpm2mV07gsCThPjk%2BGsDm8R4UyE%3D&reserved=0