Re: [TLS] CH padding extension

Roelof duToit <r@nerd.ninja> Tue, 12 June 2018 19:21 UTC

Return-Path: <r@nerd.ninja>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41E17130E92 for <tls@ietfa.amsl.com>; Tue, 12 Jun 2018 12:21:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nerd.ninja
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iYMiw70YW98c for <tls@ietfa.amsl.com>; Tue, 12 Jun 2018 12:21:32 -0700 (PDT)
Received: from sender-of-o52.zoho.com (sender-of-o52.zoho.com [135.84.80.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D231130E91 for <tls@ietf.org>; Tue, 12 Jun 2018 12:21:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1528831290; s=zoho; d=nerd.ninja; i=r@nerd.ninja; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Message-Id:References:To; l=11161; bh=BWjYfD45Rf5FwgN3r5UVsAKcqWYjBBTBwP5uOhkI2sg=; b=SEKZR9n3LRwXj/B0MFVZ2mBbX3NSzut9/BE/I1mlSubNK4931IwGT+shquzZN7Uz 7p/nQzJw6SI9fXCXLcBKV6DkGmEIdJ1M2Sb47pM6loF95UEQd/u2oUKjnDU5M/P+Y+v U7sBXZTUH1TTB4F5QOMXUja7zgPZfxfws126AZbA=
Received: from roelofs-mbp.lan (dynamic-acs-24-112-242-116.zoominternet.net [24.112.242.116]) by mx.zohomail.com with SMTPS id 1528831290105395.34230972581554; Tue, 12 Jun 2018 12:21:30 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_9BCBEBC9-48D0-491A-A05B-3485FF96365A"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Roelof duToit <r@nerd.ninja>
In-Reply-To: <020e7b24-1015-4b6a-817c-0c12d754875d@Spark>
Date: Tue, 12 Jun 2018 15:21:37 -0400
Cc: David Benjamin <davidben@chromium.org>, "<tls@ietf.org>" <tls@ietf.org>
Message-Id: <46BFFD29-7823-463E-A90D-7EF59AD93C61@nerd.ninja>
References: <CAO8oSXmMY6JzKrbBqqRp2KvW1qET9qTjfNhwNQ_M3PAFSBbeuQ@mail.gmail.com> <MWHPR15MB1504272D9A44F7D361DF54D2AF7F0@MWHPR15MB1504.namprd15.prod.outlook.com> <CAO8oSXnnXfo0U1vhN40bm87Riy726hgXMD_XF0aS2FqvXmz7Pg@mail.gmail.com> <CAF8qwaC5F1MY3sE=Ri9475n2aSxtii77xHONoTE3SRQCTqGzNA@mail.gmail.com> <CAO8oSXnASznQe0zk6nwBhBk1oMSk50+DXWJg=9uy4uQwiqOkmw@mail.gmail.com> <CAF8qwaBFWiN6bZkOhYoYoSC+O6xvFpDFVH9hPB8po5DMwdYAAw@mail.gmail.com> <020e7b24-1015-4b6a-817c-0c12d754875d@Spark>
To: Christopher Wood <christopherwood07@gmail.com>
X-Mailer: Apple Mail (2.3124)
X-ZohoMailClient: External
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AGYAjbik7RRl4pIj7PWDy7gQM0c>
Subject: Re: [TLS] CH padding extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2018 19:21:39 -0000

You could use the existing Certificate padding mechanism.  Which mechanism?!   The one in this paragraph:

For maximum compatibility, all implementations SHOULD be prepared to handle
potentially extraneous certificates and arbitrary orderings from any
TLS version, with the exception of the end-entity certificate which
MUST be first.

I ran an experiment a while ago in which all major browsers (at that point) accepted an arbitrary X.509 certificate in the Certificate message.   In other words, you could just build a blob that looks like a DER encoded X.509 certificate and include it in the chain.

It is indeed a hack, but in all seriousness, would the client endpoint stacks even bother to change that behavior? (disclaimer: I have not checked the latest behavior).

--Roelof



> On Jun 12, 2018, at 3:07 PM, Christopher Wood <christopherwood07@gmail.com>; wrote:
> 
> Got it — thanks for the clarification! I agree with your conclusion assuming we do not want to make an incompatible wire format change. However, if we’re willing to budge on that, I think it’s worth including. I’m curious to hear what others think.
> 
> Best,
> Chris
> On Jun 12, 2018, 11:48 AM -0700, David Benjamin <davidben@chromium.org>;, wrote:
>> On Tue, Jun 12, 2018 at 2:44 PM Christopher Wood <christopherwood07@gmail.com <mailto:christopherwood07@gmail.com>> wrote:
>> On Tue, Jun 12, 2018 at 11:32 AM David Benjamin <davidben@chromium.org <mailto:davidben@chromium.org>> wrote:
>> >
>> > On Tue, Jun 12, 2018 at 2:01 PM Christopher Wood <christopherwood07@gmail.com <mailto:christopherwood07@gmail.com>> wrote:
>> >>
>> >> On Tue, Jun 12, 2018 at 10:55 AM Kyle Nekritz <knekritz@fb.com <mailto:knekritz@fb.com>> wrote:
>> >> >
>> >> > Since the Certificate message is sent in an encrypted record, the normal record padding mechanism (section 5.4) can be used, rather than sending the padding as actual handshake data.
>> >>
>> >> Of course, and that requires padding on the fly and some way for the
>> >> sender to know what is the correct amount of padding per Certificate.
>> >> Plumbing up that API seems non-trivial. In comparison, one could
>> >> imagine pre-padding wire-encoded Certificate messages a priori using
>> >> the extension. So I still think restricting padding to CH is a bit
>> >> extreme.
>> >
>> >
>> > Using the padding extension isn't going to mesh well with the compressed certificates draft. (Compression is perfectly compatible with hiding the length. If all your certificates compress well---they probably do---you can pad based on the distribution of compressed lengths you're trying to mask. Of course, this will leak whether compression happened, but that's not the information that's interesting to hide.)
>> 
>> Yep, valid point.
>> 
>> >
>> > Record-level padding is indeed kind of annoying to plumb properly though. I've always thought the excitement for padding at that layer was somewhat misplaced. I could imagine allowing handshake messages to be punctuated by no-op padding messages, but then it's just one layer to route through to get to the record layer here. I think it's more at higher up the stack where record-level padding really becomes impractical.
>> 
>> To be clear, are you suggesting that adding a padding extension to the
>> Certificate message is impractical? (I wouldn't consider this
>> record-level padding.)
>> 
>> Sorry, that was probably unclear. What I meant was: I agree that record-level padding is pretty difficult to use in general, but this particular instance is probably(?) not too bad, so it seems sufficient to use the existing mechanism rather than make a wire-incompatible change (unsolicited Certificate extensions are forbidden) at this stage.
>> 
>> Though I otherwise don't particularly object to jamming the padding extension into more places, the compressed certificates point aside.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls