IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

Nikos Mavrogiannopoulos <nmav@redhat.com> Fri, 11 August 2017 16:47 UTC

Return-Path: <nmavrogi@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B3BF131EA9 for <tls@ietfa.amsl.com>; Fri, 11 Aug 2017 09:47:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.42
X-Spam-Level:
X-Spam-Status: No, score=-1.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oQxvUJVNuDHN for <tls@ietfa.amsl.com>; Fri, 11 Aug 2017 09:47:03 -0700 (PDT)
Received: from mail-wm0-f50.google.com (mail-wm0-f50.google.com [74.125.82.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74B1A13242C for <tls@ietf.org>; Fri, 11 Aug 2017 09:47:03 -0700 (PDT)
Received: by mail-wm0-f50.google.com with SMTP id m85so45867651wma.0 for <tls@ietf.org>; Fri, 11 Aug 2017 09:47:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7Nm0J1qfbou/CEE/TDDG9RvtxfqSoyF3Vw03sBJ4mWg=; b=K2zz5Q9cvZ+wU9xbJFPNQxTA4Be5vN0/00T+mo26G5GCyI5ATH4dc55IXA/Cu6OVVt Iocmle04xOVfDrUjGJdgTxl2qBbmDpccCc77lczinMPSg700NylnYhsRLhLzXWxOO9PS i34dfJYb7UCZPCvGpXLbtSTBXAUxNqQYXKcDqwmCcj+GARFlyHe65i/FNUOeIGgUwVNF mDeSqHqIW75oX+5gsvqLh4slV0SzP726+SI/QqwvDl69twtA91cX+PPT860+YhKFVlKX pj2Tgc837W3UQ59NaIuaPeWp0obQlJ6uay0Y1INfm89TLPb4QflXdQMd4t/6Shr93dpH WQ7Q==
X-Gm-Message-State: AHYfb5i6GR17CMIR0+VQfedWl3gNesgGjm+0Yb6Ej+pxk3Cec2uUSY8+ FUbnpvETVAHAFcIpfktrHJbo4kPpLi/QRq8=
X-Received: by 10.28.5.193 with SMTP id 184mr10426438wmf.108.1502470021838; Fri, 11 Aug 2017 09:47:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.24.213 with HTTP; Fri, 11 Aug 2017 09:47:01 -0700 (PDT)
In-Reply-To: <CABcZeBOmFTrCEmV20XZe9hO5owdv1SsWaWkZHhQFfpNmfou4VQ@mail.gmail.com>
References: <1502460670.3202.8.camel@redhat.com> <CABcZeBOmFTrCEmV20XZe9hO5owdv1SsWaWkZHhQFfpNmfou4VQ@mail.gmail.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Fri, 11 Aug 2017 18:47:01 +0200
Message-ID: <CADh2w8Trp-7WiVCDzQ6OLiHqE_Fw530bp0gZeRKCJiaGkLfb3w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114435b8f0340a05567d0fc6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/56fDaR5bWj44K6ir3kGXsKxFnkU>
Subject: Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 16:47:06 -0000

On Fri, Aug 11, 2017 at 5:57 PM, Eric Rescorla <ekr@rtfm.com> wrote:

>
> On Fri, Aug 11, 2017 at 7:11 AM, Nikos Mavrogiannopoulos <nmav@redhat.com>
> wrote:
>
>> Imagine the following scenario, where the server and client have this
>> repeated communication N times per day:
>>
>> client     server
>>     --X-->
>>     <--Y--
>>
>>
>> the client puts in X a message A of 1 byte or B of 1024 bytes, and pads
>> it to the maximum size of TLS record. The server replies with the
>> message "ok" (same every time), padded to the maximum size just after
>> it reads X.
>>
>> However, TLS 1.3 detects the message size by iterating through all the
>> padding bytes, and thus there is a timing leak observed by the time
>> difference between receiving X and sending Y. Thus as an adversary I
>> could take enough measurements and be able to distinguish between X
>> having the value A or B.
>>
>> While I'd expect these iterations to be unmeasurable in desktop or
>> server hardware, I am not sure about the situation in low-end IoT
>> hardware. Is the design choice for having the padding removal depending
>> on padding length intentional?
>
>
> Yes, we're aware of this, and it's an intentional design choice. The
> reasoning
> was that once you have the padding removed, you'll need to operate on/copy
> the unpadded content somewhere, and that's timing dependent anyway.
>

That is certainly an incorrect assumption. gnutls for example provides a
zero-copy API, and I guess it is not the only implementation to have that.


>
>
>> There is mentioning of possible timing channels in:
>> https://tools.ietf.org/html/draft-ietf-tls-tls13-21#appendix-E.3
>> However I don't quite understand how is this section intended to be
>> read. The sentence for example: "Because the padding is encrypted
>> alongside the actual content, an attacker cannot directly determine the
>> length of the padding, but may be able to measure it indirectly by the
>> use of timing channels exposed during record processing", what is its
>> intention? Is it to acknowledge the above timing leak?
>>
>
> Yes.
>

I am not sure if that text is sufficient to cover that issue. It seems as
if the cbc timing attack is re-introduced here and pushing the fix to
implementers. It may be better no to provide padding functionality with
this "feature", as unfortunately it will be used by applications.

regards,
Nikos

v2.23.0 | Report a Bug | By Email