Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Bryan A Ford <> Mon, 30 November 2015 09:58 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C34661A897F for <>; Mon, 30 Nov 2015 01:58:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bhZuLKJZEO4G for <>; Mon, 30 Nov 2015 01:58:52 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3E74C1A897E for <>; Mon, 30 Nov 2015 01:58:52 -0800 (PST)
Received: by wmvv187 with SMTP id v187so147874344wmv.1 for <>; Mon, 30 Nov 2015 01:58:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type; bh=hU/yqjfROvSNx3xdXMs8/DD1wqf39v6wep2NTxR1zFg=; b=ZpCxFLNvT8khp5DD92LWwytyeKXVMuyCVTTuBK1erSWzl5bWIHNNbfCOD917aJ+wRU gdfg6a94CL7JktUpsrh6ElaOceoye4GpbeMUF/KRV6fglwhGRTMgndZN/TQYlbWHep6O sFRb5B1Vzj0q5ftRWF0dXA8fqkp+K764ItCyG8kG8mgirK4DNQmHbnK/Su0v/QAiIUoW HM+Rqt1g/Vn+lJlEn4Iv6nk2uR0l9PjPCQTciRw7HF7x12I8tdyFjpCZt+GCcdQ91x0h LGQW705p/WMelgrrSqzbFYgYYMy1Eztz/KZMa+svlI233BvZjQP7J0xiukIYU7MIgq8Z OEYQ==
X-Received: by with SMTP id kf3mr59888070wjb.139.1448877530827; Mon, 30 Nov 2015 01:58:50 -0800 (PST)
Received: from ( []) by with ESMTPSA id vu4sm45945706wjc.2.2015. (version=TLSv1/SSLv3 cipher=OTHER); Mon, 30 Nov 2015 01:58:49 -0800 (PST)
To: Peter Gutmann <>, Nikos Mavrogiannopoulos <>
References: <> <> <>
From: Bryan A Ford <>
X-Enigmail-Draft-Status: N1110
Message-ID: <>
Date: Mon, 30 Nov 2015 10:58:48 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms040906000808090509040100"
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 30 Nov 2015 09:58:54 -0000

On 11/30/15 2:40 AM, Peter Gutmann wrote:
> Nikos Mavrogiannopoulos <> writes:
>> I believe your proposal is a nice example of putting the cart before the
>> horse. Before proposing something it should be clear what do you want to
>> protect from, what is the threat?
> Exactly.  If you want to thwart traffic analysis, you need to do something
> like what's done by designs like Aqua ("Towards Efficient Traffic-analysis 
> Resistant Anonymity Networks"), or ideas from any of the other anti-traffic-
> analysis work that's emerged in the past decade or two.

I'm well aware of Aqua and "the other anti-traffic-analysis work that's
emerged in the past decade or two": in fact I led one of the major
recent systematic projects in that space.  See for example:

> You get traffic
> analysis resistance by, for example, breaking data into fixed-length
> packets, using cover traffic, and messing with packet timings, not by
> encrypting TLS headers.

Packet padding and header encryption are both important, complementary
security measures: you get security benefits from each that you don't
get from the other.  Yes, you need padding to obtain systematic
protection from traffic analysis - when for whatever reason not all
implementations are always padding to the exact same standardized record
length, header encryption makes padded streams less trivially
distinguishable from unpadded streams, and makes streams with different
record sizes less trivially distinguishable from each other.

Padding-based transmission formats such as Aqua and Tor tend to specify
a single fixed packet size for *all* traffic using that protocol.  For
example, the Tor protocol always uses 256-byte cells for everything.
This is for obvious indistinguishability reasons: e.g., if some versions
of Tor padded to 256 bytes while other versions padded to 512 bytes,
then it would be trivial for an adversary to distinguish the two.  And
if the 512-byte version of Tor were fairly uncommon (either because it's
"too new" or "too old" or specific to a rare platform or whatever), then
the Tor streams using 512-byte cells would stick out obviously from
anyone else.

Furthermore, popular and well-designed as it is, Tor and similar
protocols have the well-known problem that it's pretty trivial for a
traffic analysis attacker to distinguish a Tor stream from any other
non-Tor stream. The severity of this weakness was put in sharp
perspective by the Harvard bomb hoax incident
 And it's not in any way because Tor was poorly-designed: on the
contrary, the problem is Tor sticks out because it's a well-designed
traffic-analysis-resistant protocol sharply silhouetted against a
backdrop of traffic that makes no attempt at traffic analysis
protection.  One thing that would greatly help Tor and all similar,
padded protocols is if they could "blend in" even just a little bit
better with the vast bulk of ordinary TLS-encrypted Web traffic, and
that's one of the big opportunities we're talking about here.  But to
make that happen, we would need to either (a) specify that *all* TLS 1.3
implementations use the same standardized record length like Tor does,
or (b) if that's not practical, do whatever we can to make flows padded
to a particular size less obviously distinguishable from unpadded flows
or flows padded to a different size.

If you think it is practical for the TLS 1.3 standard to specify a
single, fixed record size that all implementations of TLS 1.3 must use
(i.e., explicitly freeze not only the version field but the length
field), then that would be great for traffic analysis protection and on
that basis I would support that proposal.  But that frankly seems to me
likely a bit too much to ask given the diversity of TLS implementations
and use-cases.  Tell me if you believe otherwise.

So on the assumption that TLS 1.3 might not be ready to jump "whole-hog"
into Aqua/Tor-style transmission protocols that standardize a single
constant record size, I believe that header encryption provides at least
a useful, weak but significant security improvement at negligible cost.
 Sure, active attackers can still use "dribble attacks" (as discussed
recently on the SSH mailing list) to sniff out the record boundaries,
but they have to be active on-path and have to delay traffic, which
risks getting noticed.  Many attackers in practice are passive (don't
have the option or just don't want to invest the resources for full
MITM), and/or don't want to risk getting noticed by fiddling with the
traffic in readily detectable ways.


> Peter.