Re: [TLS] Possible timing attack on TLS 1.3 padding mechanism

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 02 March 2018 00:49 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAAD9127058 for <tls@ietfa.amsl.com>; Thu, 1 Mar 2018 16:49:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ru0Xajjc2pJa for <tls@ietfa.amsl.com>; Thu, 1 Mar 2018 16:49:51 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E299126C2F for <tls@ietf.org>; Thu, 1 Mar 2018 16:49:51 -0800 (PST)
Received: from fifthhorseman.net (unknown [209.48.7.126]) by che.mayfirst.org (Postfix) with ESMTPSA id 82630F99E; Thu, 1 Mar 2018 19:49:47 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id B3BE4206A9; Thu, 1 Mar 2018 18:23:21 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Paterson\, Kenny" <Kenny.Paterson@rhul.ac.uk>, "\<tls\@ietf.org\>" <tls@ietf.org>
In-Reply-To: <16A9FD3A-7805-4130-8438-39D0D3E7E3AB@rhul.ac.uk>
References: <16A9FD3A-7805-4130-8438-39D0D3E7E3AB@rhul.ac.uk>
Date: Thu, 01 Mar 2018 18:23:18 -0500
Message-ID: <87zi3rs7mh.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ENrtyZKpskFKiJ6lB9Yztv1yut0>
Subject: Re: [TLS] Possible timing attack on TLS 1.3 padding mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Mar 2018 00:49:53 -0000

On Thu 2018-03-01 21:52:51 +0000, Paterson, Kenny wrote:
> I think there's a possible timing attack on a naïve implementation of
> de-padding.

Thanks for observing this, Kenny!  I think this came up when we were
designing the padding originally, and iirc, the general consensus was:

 (a) this scheme allows people to not pad at all, which saves bytes in
     the most heavily traffic-constrained case, and

 (b) there may well be timing attacks based on the handling of the
     non-padded data too, and those are likely to be stronger timing
     effects than the effects in the padding layer.

I think with (b) we might have gotten a bit overly nihilistic -- for one
thing, depadding probably happens in the TLS layer of the implementation
itself, so any response generated by the TLS layer will have tighter
timing bounds than anything that does data handling.  And, implementers
that use any given TLS stack can control their own timing code, but
can't necessarily control the code of the TLS implementation that
they're sitting atop.  TLS implementers probably don't want to leak info
that the user has deliberately taken steps to avoid leaking!

Our implementer guidance should also already say that the best place to
pad is at the application layer, where the implementer can more
accurately design padding that meets the expected usage profile --
padding at the TLS layer is available for implementers that don't have
this option, but probably isn't the optimal solution.

> This padding scheme is quite important for TLS 1.3 because the current
> AEAD schemes do leak the length of record plaintexts.

thanks for acknowledging the value of the padding. i agree! :)

The timing-based size leak you're talking about still looks harder to
attack reliably than the direct size leakage we have without the
padding.

> 1. Do constant-time depadding - by examining every byte in the
> plaintext structure even after the first non-00 byte is encountered.

do you have concrete implementation suggestions?

I'm not sure how to convince a clever compiler to actually run this
entire loop if you count from the back -- i can easily see the tail of
the walk being optimized away since it has no bearing on the rest of the
program control or data flow.

You could of course check from the front of the plaintext, keeping every
non-zero value:

  char ptype = 0;
  for (i = 0; i < plaintext_len; i++)
    if plaintext[i]
      ptype = plaintext[i];

but iiuc, this leaks the number of zeros in the plaintext overall,
assuming that the store instruction has noticeable time.

can you tell i'm not good at devising constant-time code? :P If there's
a concrete suggestion that we think will work for common
implementations, i would have no problem including it as implementer
guidance.

> 2. Add an explicit padding length field at the end of the plaintext
> structure, and removing padding without checking its contents. (This
> should be safe because of the AEAD integrity guarantees.)
>
> Option 2 is probably a bit invasive at this late stage in the
> specification process. Maybe a sentence or two on option 1 could be
> added to the spec.

It's not only too late to take this approach, i think we explicitly
rejected this option because of the cost it imposes on unpadded packets,
as mentioned above.

        --dkg