Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

Colm MacCárthaigh <colm@allcosts.net> Mon, 14 August 2017 22:55 UTC

MIME-Version: 1.0
In-Reply-To: <2492694.vcgQpB2T86@pintsize.usersys.redhat.com>
References: <1502460670.3202.8.camel@redhat.com> <CABcZeBNpJ5_03VZot_3hj7KHnJ8609HX-MY62n0+HLXoRg-+=Q@mail.gmail.com> <14329E27-DBCC-4A6F-BB4C-7CFAFD7ADF53@akamai.com> <2492694.vcgQpB2T86@pintsize.usersys.redhat.com>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Tue, 15 Aug 2017 00:55:50 +0200
Message-ID: <CAAF6GDcsRpC1m2P9v9BF6=5CRiS8eP-B7awZ_x4RoUkOc09DEQ@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AEAgInfqymtHBjkYJ3MyL0eDhjI>
Subject: Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size
Precedence: list

On Mon, Aug 14, 2017 at 8:16 PM, Hubert Kario <hkario@redhat.com> wrote:
> the difference in processing that is equal to just few clock cycles is
> detectable over network[1]

The post you reference actually says the opposite; "20 CPU cycles is
probably too small to exploit" ... and even today with very low
latency networks and I/O schedulers it remains very difficult to
measure that kind of timing difference remotely. But per the post, the
larger point is that it is prudent to be cautious.

> When you are careful on the application level (which is fairly simple when you
> just are sending acknowledgement message), the timing will still be leaked.

There are application-level and tls-implementation-level approaches
that can prevent the network timing leak. The easiest is to only write
TLS records during fixed period slots.

For example, suppose your process can handle 100 connections
concurrently, then you can divide 1ms into 100 slots of 10
microseconds each. Every 1ms you have a writer thread or process
'visit' each connection (you may use an epoll/kqueue driven I/O loop
or similar for this) during its fixed slot and send its pending
output.

-- 
Colm

[TLS] draft-ietf-tls-tls13-21: TLS 1.3 record pad… Nikos Mavrogiannopoulos
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Short, Todd
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Ted Lemon
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Nikos Mavrogiannopoulos
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Nikos Mavrogiannopoulos
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Andrei Popov
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Short, Todd
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Short, Todd
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Daniel Kahn Gillmor
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Nikos Mavrogiannopoulos
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Colm MacCárthaigh
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Ilari Liusvaara
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Colm MacCárthaigh
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario