Re: [TLS] Encryption of TLS 1.3 content type

Viktor Dukhovni <> Mon, 28 July 2014 15:25 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 9DBB51B28B9 for <>; Mon, 28 Jul 2014 08:25:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7M1avOGJHPTI for <>; Mon, 28 Jul 2014 08:25:35 -0700 (PDT)
Received: from ( []) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 03BC21B28B5 for <>; Mon, 28 Jul 2014 08:25:33 -0700 (PDT)
Received: by (Postfix, from userid 1034) id 57F3A2AB2AE; Mon, 28 Jul 2014 15:25:26 +0000 (UTC)
Date: Mon, 28 Jul 2014 15:25:26 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [TLS] Encryption of TLS 1.3 content type
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Jul 2014 15:25:39 -0000

On Mon, Jul 28, 2014 at 05:14:16PM +0200, Nikos Mavrogiannopoulos wrote:

> On the contrary, all _new_ ciphers are stream (GCM, CCM) and every
> future AEAD cipher will be a stream one (due to limitations of the AEAD
> construction in TLS). Furthermore, even if you assume that only AES-CBC
> is going to be used, do you really consider a 16-byte alert packet
> fuzzed? Do you know many application protocols that transfer such short
> packets?

[ Note, I far from convinced that encrypting the record type is useful ]

Yes, some application application protocols do send short messages,
for example SMTP an server may reply "250 2.0.0 OK\r\n".  However,
(fatal) alerts often terminate the connection and are easily
distinguished from routine traffic.

In chatty protocols, like SMTP, TLS masks the specific content,
but not the overall flow or size of messages.  One can often tell
which application data messages carry "EHLO", "MAIL", "RCPT", "DATA"
and the message payload, despite the use of TLS.  The attacker does
not learn very much, but may be able to estimate the recipient
count, even with ESMTP PIPELINING and of course can estimate the
message size fairly well.

Defending against traffic analysis is very difficult, and I don't
think that TLS can (or should attempt to) do the job.