Re: [TLS] Encryption of TLS 1.3 content type

Yoav Nir <ynir.ietf@gmail.com> Mon, 28 July 2014 10:52 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E82B1A020A for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 03:52:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id leBGIUUA5CVF for <tls@ietfa.amsl.com>; Mon, 28 Jul 2014 03:52:30 -0700 (PDT)
Received: from mail-wg0-x22d.google.com (mail-wg0-x22d.google.com [IPv6:2a00:1450:400c:c00::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D2CA1A03EF for <tls@ietf.org>; Mon, 28 Jul 2014 03:52:30 -0700 (PDT)
Received: by mail-wg0-f45.google.com with SMTP id x12so7265787wgg.16 for <tls@ietf.org>; Mon, 28 Jul 2014 03:52:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=UfR66JqOqlowVapzyizSKnMLsDxSx2Ywp2ay3/U6o2s=; b=vGYSxKFNBRvbY9oMw+KFpcwAk6Ph2xWb+4XoVitOocsMk9ygekoWX7CpMCBWJR1BBl Dae+RgHsza+L5gLgKXuPeSPLMeyWo+iRh2JIr9RGn3u9dB2AsKafPs0frbeFPLdUHq/s jGiRh+CINVJ8W1+PnAsUUdEzWn6JIZMUpG7doc5BGHIwlYeKGmcPZlLUJuobswjzYk1Y 8OSFTgIWuj9hhiDV7x6SwopORmoxY30GQZ7aa09Woqi5xheb1miNRiPsWNzK+7fjjre/ vjCuz34hqthaH8X9uKJtG+8yTMZcXLAu0vt9bUlC4hh6yGoEp34QL+ceTeKmln1sGpOW kZVg==
X-Received: by 10.180.35.36 with SMTP id e4mr30843312wij.12.1406544746739; Mon, 28 Jul 2014 03:52:26 -0700 (PDT)
Received: from [172.24.248.227] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id u7sm2134918wif.3.2014.07.28.03.52.25 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 28 Jul 2014 03:52:26 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <1406537753.2413.12.camel@dhcp-2-127.brq.redhat.com>
Date: Mon, 28 Jul 2014 13:52:22 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <DEFD5756-098F-4EC5-9B1E-85B6D9338BD6@gmail.com>
References: <DD255E31-FA87-40CE-AF13-0F43A7DD54CF@cisco.com> <CACsn0cnt-ry182AjOyTTZGteifs7VyRPYHaj-xDCBOf0D53w9A@mail.gmail.com> <CAAF6GDfK7awipoMT_PPyKnTe-fF1=KY1Be8kUMSYrXN0Wzb=tg@mail.gmail.com> <1406537753.2413.12.camel@dhcp-2-127.brq.redhat.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/NtPHX57pC2SM1Nm7wKhHzo_z3eY
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Encryption of TLS 1.3 content type
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 10:52:35 -0000

On Jul 28, 2014, at 11:55 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:

> On Sat, 2014-07-26 at 10:59 -0700, Colm MacCárthaigh wrote:
>> On Sat, Jul 26, 2014 at 10:43 AM, Watson Ladd <watsonbladd@gmail.com>
> wrote:
>>> This is a change with no rationale: the content type leaks extremely
>>> limited information. It complicates implementations that wish to
> keep
>>> a high degree of codepath similarity between TLS 1.2 and TLS 1.3.
>> Leaking alert messages has been a recurring theme common to several
>> attacks; hindering a MITM's ability to discern alert messages seems
>> like a rational rationale.
> 
> Are there any pointers to these attacks? Will these attacks be countered
> with such a change? I believe not as alert messages consist of only two
> bytes and will be distinct from any other higher protocol messages
> transferred by the TLS record protocol. Unless TLS 1.3 intended to
> include a length hiding mechanism I see this change as unnecessary and I
> agree with Watson on that.

While no definite decisions were made, there was a positive response to the idea of allowing arbitrary length padding to the plaintext in all encrypted records, which can be used to hide alert messages. 

Of course, non-fatal alerts are (1) rare, and (2) not always treated as such, so it’s easy to spot the alert record, because it’s the one before the FIN or RST. In DTLS alerts are mostly non-fatal, so it makes more sense.

So on balance, +1.

> If we cannot avoid changes to TLS 1.3 charter, I believe that any new
> proposal comes with a concrete case for it and associated costs of
> implementing vs not-implementing. The initial agreement was for a small
> revision to TLS (even though I didn't agree on that), and that is now
> used as a vehicle to push unrelated to the charter major changes with no
> planning whatsoever. 

Our charter does say “Develop a mode that encrypts as much of the handshake as is possible”

Yoav