IETF Logo Mail Archive

Re: [TLS] Confirmation of Consensus on Removing Compression from TLS 1.3

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Wed, 26 March 2014 21:19 UTC

Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C1781A03D4 for <tls@ietfa.amsl.com>; Wed, 26 Mar 2014 14:19:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HemkrFwK1Uxc for <tls@ietfa.amsl.com>; Wed, 26 Mar 2014 14:19:49 -0700 (PDT)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe002.messaging.microsoft.com [216.32.180.12]) by ietfa.amsl.com (Postfix) with ESMTP id 475DC1A03C0 for <tls@ietf.org>; Wed, 26 Mar 2014 14:19:49 -0700 (PDT)
Received: from mail87-va3-R.bigfish.com (10.7.14.243) by VA3EHSOBE004.bigfish.com (10.7.40.24) with Microsoft SMTP Server id 14.1.225.22; Wed, 26 Mar 2014 21:19:47 +0000
Received: from mail87-va3 (localhost [127.0.0.1]) by mail87-va3-R.bigfish.com (Postfix) with ESMTP id 4218D1C0094; Wed, 26 Mar 2014 21:19:47 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.248.5; KIP:(null); UIP:(null); IPV:NLI; H:AMSPRD0310HT004.eurprd03.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -26
X-BigFish: PS-26(z579ehz98dI2bc7M1432Izz1f42h208ch1ee6h1de0h1d18h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hz31iz1de098h1033IL17326ah8275bh8275dh1de097h186068hz2fh109h2a8h839h944hd25he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d0ch1d2eh1d3fh1dfeh1dffh1fe8h1ff5h2052h20b3h2216h22d0h2336h2438h2461h2487h24d7h2516h2545h255eh25cch25f6h2605h262fh268bh1155h)
Received-SPF: pass (mail87-va3: domain of rhul.ac.uk designates 157.56.248.5 as permitted sender) client-ip=157.56.248.5; envelope-from=Kenny.Paterson@rhul.ac.uk; helo=AMSPRD0310HT004.eurprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10019001)(6009001)(428001)(189002)(24454002)(199002)(51704005)(74876001)(15975445006)(76786001)(76796001)(83072002)(56816005)(85852003)(74706001)(74366001)(81686001)(90146001)(74502001)(82746002)(47736001)(47976001)(4396001)(15202345003)(81816001)(36756003)(50986001)(33656001)(83716003)(87266001)(98676001)(2656002)(87936001)(74662001)(31966008)(80976001)(74482001)(49866001)(47446002)(92566001)(93136001)(92726001)(81542001)(81342001)(93516002)(97186001)(63696002)(54356001)(65816001)(66066001)(56776001)(54316002)(51856001)(46102001)(85306002)(80022001)(59766001)(77982001)(86362001)(95416001)(79102001)(19580395003)(95666003)(76482001)(94946001)(53806001)(19580405001)(94316002)(97336001)(83322001)(491001); DIR:OUT; SFP:1102; SCL:1; SRVR:DBXPR03MB383; H:DBXPR03MB383.eurprd03.prod.outlook.com; FPR:EC7FF1A5.9CFA91E1.BDE2107B.4E39D971.204FA; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail87-va3 (localhost.localdomain [127.0.0.1]) by mail87-va3 (MessageSwitch) id 1395868785808480_4255; Wed, 26 Mar 2014 21:19:45 +0000 (UTC)
Received: from VA3EHSMHS022.bigfish.com (unknown [10.7.14.249]) by mail87-va3.bigfish.com (Postfix) with ESMTP id B5CE2240062; Wed, 26 Mar 2014 21:19:45 +0000 (UTC)
Received: from AMSPRD0310HT004.eurprd03.prod.outlook.com (157.56.248.5) by VA3EHSMHS022.bigfish.com (10.7.99.32) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 26 Mar 2014 21:19:41 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) by AMSPRD0310HT004.eurprd03.prod.outlook.com (10.255.40.39) with Microsoft SMTP Server (TLS) id 14.16.423.0; Wed, 26 Mar 2014 21:19:40 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) by DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) with Microsoft SMTP Server (TLS) id 15.0.898.11; Wed, 26 Mar 2014 21:19:38 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) by DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) with mapi id 15.00.0898.005; Wed, 26 Mar 2014 21:19:38 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: "<mrex@sap.com>" <mrex@sap.com>
Thread-Topic: [TLS] Confirmation of Consensus on Removing Compression from TLS 1.3
Thread-Index: AQHPSSMxZ0z0INsV8EeHhSnGu4GmzJrz2WQAgAAGhTY=
Date: Wed, 26 Mar 2014 21:19:37 +0000
Message-ID: <2E8232FA-CFDF-42AA-A405-0B080EFE0135@rhul.ac.uk>
References: <DA7A3139-EE44-4FE2-B674-4ECAE4D51079@cisco.com>, <20140326205618.19F9A1AC7D@ld9781.wdf.sap.corp>
In-Reply-To: <20140326205618.19F9A1AC7D@ld9781.wdf.sap.corp>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [80.42.218.130]
x-forefront-prvs: 0162ACCC24
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/NiVXxr3Z9gftvLFDy4yPGFE5ums
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Confirmation of Consensus on Removing Compression from TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Mar 2014 21:19:52 -0000

Comments inline 

> On 26 Mar 2014, at 20:56, "Martin Rex" <mrex@sap.com> wrote:
> 
> Joseph Salowey (jsalowey) wrote:
>> 
>> The use of compression within TLS has resulted in vulnerabilities
>> that can be exploited to disclose TLS encrypted application data.
>> The consensus in the room at IETF-89 was to remove compression from
>> TLS 1.3 to remove this attack vector.  If you have concerns about
>> this decision please respond on the TLS list by April 11, 2014.
> 
> This characterization about the use of compression in TLS is
> sufficiently misleading that it is wrong.

Really? I assume you know about CRIME??

> 
> First of all, the problem is nowhere specific to TLS, and affects
> compression anywhere within the software protocol stack.

This much is true. But we can at least remove the problem at one layer, where it's particularly easy to exploit. 

> 
> Besides, compression only aggravates the problem when either the entropy
> of all data within a TLS record is so extremely low, that the TLS record
> size difference will make the difference.

But sometimes an attacker can arrange exactly this to be the case - as in CRIME. 

> As I previously noted on this list, the way it is specified, the TLS
> compression function could be used to provide a random padding of TLS
> records, so that all TLS records come out in equal size, essentially
> a form of anti-compression.  

What would you choose for that size? The max fragment size could end up being very wasteful in many application scenarios; the MAC overhead would be unacceptable in other use cases if the size was small. 

> And that could be applied to all existing
> cipher suites, including Stream ciphers and AEAD -- both of which
> do not allow any padding at all so far and therefor leak much more
> about the protected traffic than cipher suites that use the
> GenericBlockCipher PDU. 

CRIME can also be applied to CBC mode cipher suites, with some care. 

> The only situation where compression in general at the TLS-level
> aggravate the problem in any meaningful fashion is when either one
> or both of the endpoints do extraordinarily stupid things, like
> multiplexing attacker-supplied data with data that the attacker is not
> supposed to know into the same compression function (i.e. protect it
> with the very same TLS connection state rather than through seperate
> TLS connection states (i.e. with independent traffic protection keys),
> which is a clear an obvious fallacy, in clear abuse of the TLS protocol:
> 
> 
>   http://tools.ietf.org/html/rfc5246#page-16
> 
>   Any protocol designed for use over TLS must be carefully designed to
>   deal with all possible attacks against it.  As a practical matter,
>   this means that the protocol designer must be aware of what security
>   properties TLS does and does not provide and cannot safely rely on
>   the latter.
> 
> 

Again, the CRIME case is instructive. Merely having malicious JavaScript that can connect to a remote https site can lead to cookies being recovered. There, you can't stop attacker supplied data (http GET requests) being interleaved with sensitive data (secure cookies). I don't think i would characterise this as being "extraordinarily stupid". 

> 
> Our implementation does not implement support for compression so far,
> but if anyone wanted to have support for random padding in Stream and
> AEAD ciphers within TLS (v1.0-v1.2) I would really prefer to see that
> being done through an (anti-)compression scheme rather than changing
> all of the 2/3 Encryption PDUs seperately.
> 
> For TLSv1.3, support for random (sized) padding could be added by
> appropriate definition of the respective PDUs and their processing,
> but that will reduce the code sharing further and further.

I believe that random amounts of padding plus compression can still be broken by CRIME-like attacks, using only slightly more sophisticated statistical methods. 

Cheers

Kenny

> 
> 
> -Martin
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email