Re: [TLS] potential attack on TLS cert compression
Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 22 March 2018 17:10 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7865126D85 for <tls@ietfa.amsl.com>; Thu, 22 Mar 2018 10:10:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cUE4exksicDC for <tls@ietfa.amsl.com>; Thu, 22 Mar 2018 10:10:07 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15D5F12704A for <tls@ietf.org>; Thu, 22 Mar 2018 10:10:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 779ED8180C; Thu, 22 Mar 2018 19:10:04 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id KJx--UtPwJUe; Thu, 22 Mar 2018 19:10:04 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 1BFE979; Thu, 22 Mar 2018 19:10:01 +0200 (EET)
Date: Thu, 22 Mar 2018 19:10:00 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: David Benjamin <davidben@chromium.org>
Cc: Subodh Iyengar <subodh@fb.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20180322171000.GA23594@LK-Perkele-VII>
References: <MWHPR15MB1821D5D75667B3C8F4132A1EB6A90@MWHPR15MB1821.namprd15.prod.outlook.com> <CAF8qwaBgpMnQ=dNgMOZrQRGwQUEswQiz6hDkyNiDVJXvh36X6A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAF8qwaBgpMnQ=dNgMOZrQRGwQUEswQiz6hDkyNiDVJXvh36X6A@mail.gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ADTVzSdy8QGS4-HqeNu6Td9zil4>
Subject: Re: [TLS] potential attack on TLS cert compression
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 17:10:14 -0000
On Thu, Mar 22, 2018 at 04:58:57PM +0000, David Benjamin wrote: > To make sure I understand the issue, the concern is that your decompression > function provides a chunk-by-chunk interface, there's a bug and the > division into chunks produces a different result? Or are you suggesting > that, with the same chunking pattern, the result is still non-deterministic > somehow? I could imagine the former kind of bug, but I'm not sure about the > latter. As I read it, it was the latter: Nondeterministic result with the same chunking. > Either way, I'm also not sure I've ever seen a TLS stack that processes > messages chunk-by-chunk. Usually the message is reassembled from multiple > records, if necessary, and then only processed when complete. I'm sure, in > the vast space of implementations, such a stack exists, but it seems the > same transcript consideration then applies without compression. Otherwise > you'd need a correct streaming version of all TLS message parsing, ASN.1, > and whatever else TLS calls into. Those are ad-hoc whereas decompression > implementations are at least intended to stream correctly. (Then again, > decompression is also a bit more complicated, probably.) I think BearSSL processes messages chunk-by-chunk. I think it even can process individual X.509 certificates chunk-by-chunk. The reason why chunk-by-chunk processing is so rare is how difficult it is to program. -Ilari
- [TLS] potential attack on TLS cert compression Subodh Iyengar
- Re: [TLS] potential attack on TLS cert compression David Benjamin
- Re: [TLS] potential attack on TLS cert compression Ilari Liusvaara
- Re: [TLS] potential attack on TLS cert compression Subodh Iyengar
- Re: [TLS] potential attack on TLS cert compression Subodh Iyengar
- Re: [TLS] potential attack on TLS cert compression Ilari Liusvaara
- Re: [TLS] potential attack on TLS cert compression Thomas Pornin
- Re: [TLS] potential attack on TLS cert compression Victor Vasiliev
- Re: [TLS] potential attack on TLS cert compression Alex C
- Re: [TLS] potential attack on TLS cert compression Salz, Rich