Re: [TLS] Encryption of TLS 1.3 content type

Yoav Nir <ynir.ietf@gmail.com> Mon, 28 July 2014 20:04 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D74001A00FE for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 13:04:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H7Li-sCZFXPj for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 13:04:51 -0700 (PDT)
Received: from mail-wg0-x22e.google.com (mail-wg0-x22e.google.com [IPv6:2a00:1450:400c:c00::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 819771A00FF for <tls@ietf.org>; Mon, 28 Jul 2014 13:04:50 -0700 (PDT)
Received: by mail-wg0-f46.google.com with SMTP id m15so7889495wgh.29 for <tls@ietf.org>; Mon, 28 Jul 2014 13:04:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=/hSEtp3O6209NT/gisWxx4kd43D9JinCSLsp6XW+taQ=; b=NFGxNKSMHLzM90zb759Rvn/Uc+ueEQVILnXpTNGy2x9uVR5jRgJ5E2JOF7Pj99KHMY 2xuN1Xt4FUaudxWbyN5ym1Pe0EzTl0Ihm94MFNIR7IiakchF3KPejdssXCHalkYhKBsE zRzfr+ekL19YbcyMwORwkgJgd3ED2hoBeLFL21Jdit34GSWeGU1BveTiRrSxYgAYLZus i8H/fNTjTkhILuOAN0GQnI6cBya0JNaEpejbuKDWkV4qsk9uC3HpxSclA4eJ39p3JlCm /M54fDSGHJSOl3q1PqAvxypi50ZchYZU9QuxQzv9cf67t6QJ/+49m3xnO84UeKqrFBYl hQHw==
X-Received: by 10.180.8.10 with SMTP id n10mr34850980wia.41.1406577888104; Mon, 28 Jul 2014 13:04:48 -0700 (PDT)
Received: from [192.168.1.104] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id fs3sm34809730wic.20.2014.07.28.13.04.47 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 28 Jul 2014 13:04:47 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <m27g2x1opj.fsf@usma1mc-0csx92.kendall.corp.akamai.com>
Date: Mon, 28 Jul 2014 23:04:45 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <58A6B704-89C8-48E1-9F87-E8BFCCA79089@gmail.com>
References: <DD255E31-FA87-40CE-AF13-0F43A7DD54CF@cisco.com> <CACsn0cnt-ry182AjOyTTZGteifs7VyRPYHaj-xDCBOf0D53w9A@mail.gmail.com> <CAAF6GDfK7awipoMT_PPyKnTe-fF1=KY1Be8kUMSYrXN0Wzb=tg@mail.gmail.com> <1406537753.2413.12.camel@dhcp-2-127.brq.redhat.com> <DEFD5756-098F-4EC5-9B1E-85B6D9338BD6@gmail.com> <m27g2x1opj.fsf@usma1mc-0csx92.kendall.corp.akamai.com>
To: Brian Sniffen <bsniffen@akamai.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/K8kYMasyPm9u16r6yHKR2a_rSNA
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Encryption of TLS 1.3 content type
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 20:04:53 -0000

On Jul 28, 2014, at 6:35 PM, Brian Sniffen <bsniffen@akamai.com> wrote:

> Yoav Nir <ynir.ietf@gmail.com> writes:
> 
>> On Jul 28, 2014, at 11:55 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:
>> 
>>> Are there any pointers to these attacks? Will these attacks be countered
>>> with such a change? I believe not as alert messages consist of only two
>>> bytes and will be distinct from any other higher protocol messages
>>> transferred by the TLS record protocol. Unless TLS 1.3 intended to
>>> include a length hiding mechanism I see this change as unnecessary and I
>>> agree with Watson on that.
>> 
>> While no definite decisions were made, there was a positive response
>> to the idea of allowing arbitrary length padding to the plaintext in
>> all encrypted records, which can be used to hide alert messages.
> 
> It's not clear to me that it can be used to hide alert messages, or the
> structure of the interaction at that level at all.  Can you show me a
> model of a TLS 1.3 client state machine and a TLS 1.3 server state
> machine such that they both do padding, send messages on a clock, and
> otherwise take best-understood precautions against passive
> analysis---and then don't leak when there are alert messages?

Challenge accepted

Assume that the path is deemed wide enough to carry 3 MB/s. We will limit ourselves to slightly less than that, so let’s say 2000 records of 1400B plaintext a second in each direction.

The sender (whether client or server) has two buffers, a system buffer and a data buffer. The application writes to the data buffer. If there’s an error, or the application wishes to close, an alert is placed in the system buffer.

Every half millisecond, the TLS stack performs the following:

* if the system buffer is not empty, retrieve an alert, pad to 1400 bytes, encrypt, and send.
* else if the data buffer is empty, generate a record with 1400 pad bytes, encrypt and send.
* else if the data buffer contains at least 1400 bytes, create a 1400-byte record, remove 1400 bytes from the buffer, encrypt and send.
* else create a record with all remaining data, pad to 1400 bytes, encrypt and send.

This is assuming that the attacker can’t distinguish the number of “ifs” you ran through. Otherwise, don’t send the record, but store it and send it the next time the timer expires. That also takes care of any timing side-channel you have in your encryption function.

Note that I’m not advocating doing this with TLS. IPsec has this feature and to my knowledge nobody uses it.

Yoav