Re: [TLS] Heartbeat and padding

Watson Ladd <watsonbladd@gmail.com> Sun, 27 April 2014 16:05 UTC

In-Reply-To: <535C4EFD.7030608@pobox.com>
References: <535C4EFD.7030608@pobox.com>
Date: Sun, 27 Apr 2014 09:05:07 -0700
Message-ID: <CACsn0cnUL-wyMXO-x3C3B8DsYEnJBnWf2cVM+GidFg_U6JBfRg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Michael D'Errico <mike-list@pobox.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/M8gf-BVYUrEaXyq-W8gZUxYl-5w
Cc: TLS Mailing List <tls@ietf.org>
Subject: Re: [TLS] Heartbeat and padding
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On Sat, Apr 26, 2014 at 5:27 PM, Michael D'Errico <mike-list@pobox.com> wrote:
> Not related to Heartbleed(tm), do we need to revisit the Heartbeat spec.
> due to the random padding?  There is a requirement to add at least 16
> bytes of random padding to every message:
>
>    struct {
>       HeartbeatMessageType type;
>       uint16 payload_length;
>       opaque payload[HeartbeatMessage.payload_length];
>       opaque padding[padding_length];
>    } HeartbeatMessage;
>
>    ...
>
>    padding:  The padding is random content that MUST be ignored by the
>       receiver.  The length of a HeartbeatMessage is TLSPlaintext.length
>       for TLS and DTLSPlaintext.length for DTLS.  Furthermore, the
>       length of the type field is 1 byte, and the length of the
>       payload_length is 2.  Therefore, the padding_length is
>       TLSPlaintext.length - payload_length - 3 for TLS and
>       DTLSPlaintext.length - payload_length - 3 for DTLS.  The
>       padding_length MUST be at least 16.
>
>    The sender of a HeartbeatMessage MUST use a random padding of at
>    least 16 bytes.  The padding of a received HeartbeatMessage message
>    MUST be ignored.
>
>
> Since the recipient MUST ignore the padding, they can't reverse engineer
> the peer's PRNG, so maybe this isn't a problem?

Two points: Your PRNG shouldn't allow state recovery given a sample,
and if telling people to ignore things that they shouldn't look at
worked, we wouldn't need TLS. That said, we need to do some serious
removal of unused options.

Sincerely,
Watson Ladd
>
> Mike
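
Added example, not part of the original message and not taken from any TLS implementation: a Python sketch of the HeartbeatMessage layout quoted above, with padding drawn from the OS CSPRNG and a receiver that derives padding_length from the record length and never reads the padding bytes. The function and constant names are illustrative; the type values 1 and 2 and the silent-discard rule for an oversized payload_length come from RFC 6520.

```python
import secrets
import struct

HEADER_LEN = 3       # 1-byte type + 2-byte payload_length
MIN_PADDING = 16     # "The padding_length MUST be at least 16."
HB_REQUEST, HB_RESPONSE = 1, 2   # HeartbeatMessageType values (RFC 6520)


def build_heartbeat(msg_type, payload, padding_len=MIN_PADDING):
    """Serialize a HeartbeatMessage; padding comes from the OS CSPRNG."""
    if padding_len < MIN_PADDING:
        raise ValueError("padding_length MUST be at least 16")
    if len(payload) > 0xFFFF:
        raise ValueError("payload does not fit in a uint16 length")
    header = struct.pack("!BH", msg_type, len(payload))
    return header + payload + secrets.token_bytes(padding_len)


def parse_heartbeat(record):
    """Return (type, payload), or None if the message must be discarded.

    `record` is the decrypted record body, so len(record) plays the role
    of TLSPlaintext.length in the quoted text.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    msg_type, payload_length = struct.unpack_from("!BH", record)
    # padding_length = TLSPlaintext.length - payload_length - 3
    padding_length = len(record) - payload_length - HEADER_LEN
    if padding_length < MIN_PADDING:
        return None  # claimed payload overruns the record: drop silently
    # The padding bytes are never sliced, compared or logged.
    return msg_type, record[HEADER_LEN:HEADER_LEN + payload_length]


def respond(record):
    """Echo the payload of a valid request with fresh random padding."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HB_REQUEST:
        return None
    return build_heartbeat(HB_RESPONSE, parsed[1])


if __name__ == "__main__":
    request = build_heartbeat(HB_REQUEST, b"ping")       # constructed sample
    print(parse_heartbeat(respond(request)))
    oversized = bytes([HB_REQUEST, 0x40, 0x00]) + b"x" + bytes(16)
    print(respond(oversized))                            # discarded
```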