Re: [TLS] TLS 1.3 : small fragments attack

Jitendra Lulla <lullajd@yahoo.com> Sat, 30 December 2017 05:33 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/B2WFZ7X1ifFc1OZPix7wS8TkNb4>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

The pattern is perfectly normal and might be assumed to be coming from an interactive terminal.
But what if such records, from the same session, come in a quantity of 10000 or more per second which could be generated by uploading a 500 MB file by the client?
And how about 100s of such clients targeting a server which is allowing file uploads?
The server can be very easily kept busy decrypting and HMAC verifying such records just to obtain 1 real application data byte per record while the remaining 308 bytes are just overhead of securing the said byte!


--------------------------------------------
On Sat, 12/30/17, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

 Subject: Re: [TLS] TLS 1.3 : small fragments attack
 To: "tls@ietf.org" <tls@ietf.org>, "Jitendra Lulla" <lullajd@yahoo.com>
 Date: Saturday, December 30, 2017, 5:03 AM
 
 Jitendra Lulla <lullajd@yahoo.com> writes:
 
 >The client can have a rogue TLS implementation with the following intentional
 >changes:
 >
 >0. Choose CBC with AES256-SHA56 or any other heavier (in terms of processing
 >power requirements) and non parallelizable cipher suite.
 >
 >1. After the handshake, always send all the TLS records (Application Data)
 >plain text fragment size which is no greater than 1 Byte.
 >
 >2. Always send a padding of max possible or big size (eg 256 Bytes)
 
 Apart from (2), that looks like interactive terminal traffic over TLS.  The
 large padding may also be naturally sent by an implementation that's trying a
 bit too hard to hide typing/traffic patterns.
 
 Peter.
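
As an added illustration, not part of the thread: a receiver-side check that separates the two cases discussed above (low-rate terminal traffic versus a high-rate stream of 1-byte records) by looking at record rate and mean plaintext per record together. The class name, thresholds and traffic are constructed for this example; the 308-byte overhead is the figure quoted in the message.

```python
from collections import deque

OVERHEAD = 308  # per-record overhead in bytes, figure taken from the message above

class SmallRecordMonitor:
    """Per-connection sliding-window check run after each record is decrypted."""

    def __init__(self, window_s=1.0, max_records=2000, min_mean_plaintext=64):
        # All three thresholds are assumptions for this example; tune per service.
        self.window_s = window_s
        self.max_records = max_records
        self.min_mean_plaintext = min_mean_plaintext
        self.events = deque()      # (timestamp, plaintext_len)
        self.plain_sum = 0

    def observe(self, ts, plaintext_len):
        """Return True when the connection should be throttled or closed."""
        self.events.append((ts, plaintext_len))
        self.plain_sum += plaintext_len
        # Drop records that have aged out of the window.
        while self.events[0][0] <= ts - self.window_s:
            self.plain_sum -= self.events.popleft()[1]
        n = len(self.events)
        # A low record rate is tolerated whatever the record size (terminal use).
        if n < self.max_records:
            return False
        return self.plain_sum / n < self.min_mean_plaintext

def synth(rate, seconds, plaintext_len):
    """Constructed traffic: evenly spaced records of one plaintext size."""
    return [(i / rate, plaintext_len) for i in range(int(rate * seconds))]

def first_flag(records, monitor=None):
    """Index of the first record that trips the monitor, or None."""
    monitor = monitor or SmallRecordMonitor()
    for i, (ts, plen) in enumerate(records):
        if monitor.observe(ts, plen):
            return i
    return None

def wire_efficiency(plaintext_len, overhead=OVERHEAD):
    """Fraction of bytes on the wire that are application data."""
    return plaintext_len / (plaintext_len + overhead)

if __name__ == "__main__":
    print("terminal, 10 rec/s :", first_flag(synth(10, 5, 1)))
    print("flood, 10000 rec/s :", first_flag(synth(10000, 1, 1)))
    print("bulk, 16 KiB recs  :", first_flag(synth(3000, 1, 16384)))
    print("efficiency at 1 B  :", round(wire_efficiency(1), 4))
```

Because the check needs both a high record rate and a low mean payload, slow keystroke traffic and fast bulk uploads with full-size records both pass.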