Re: [TLS] Possible timing attack on TLS 1.3 padding mechanism

Martin Thomson <martin.thomson@gmail.com> Fri, 02 March 2018 01:29 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFE0D1241F3 for <tls@ietfa.amsl.com>; Thu, 1 Mar 2018 17:29:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id scvH7SpyB2sZ for <tls@ietfa.amsl.com>; Thu, 1 Mar 2018 17:29:27 -0800 (PST)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61825120724 for <tls@ietf.org>; Thu, 1 Mar 2018 17:29:27 -0800 (PST)
Received: by mail-oi0-x22e.google.com with SMTP id g5so5992556oiy.8 for <tls@ietf.org>; Thu, 01 Mar 2018 17:29:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=estPB31CO+6MBCdTWDQ18APoUKKIc5EcEDC5FP1eSD8=; b=YNkIt4G+3ZhgAwwy0m58Y3bfo5KHMFriZL2BmzAYo0SJSGDhwk7XEyEPrQu2eJfuUF prVSPLckU5Pl/2otYdHjOxtbC4qGY94JTnFpBgvRDIC7r6nM0YAZolmjT2c6Nhil6ZEH LRhtK/if2AzTDsDmBYFZuPozgS72cupPnsXdOuaMo8g28JbJpQAGEimp4c46M+cbTIau w26DrT66N40lZCA2ljMRwjgn95yop7AsuB6muH8ALoZoY4Sr7iDC7Z8vOU+EW+yn5uzZ l68W/5SU7lKcP7uIEHSxxM3WcjeBUod3q+JopfkZkerFtZ76Vfn18gtMblCxlxxTw3KJ 1pHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=estPB31CO+6MBCdTWDQ18APoUKKIc5EcEDC5FP1eSD8=; b=qjvjFjLcXLD/H7uSil0P7YD09mlGHoBdh5GBnLUob+3fLbi6o6RAJjOOp/V1QjbaPT E/387eGtdKnnyZ9ZqdU54tm6tBTfEMBFD2XdxAhJGonsKkoZZ3DghtiViynuo6PDj9az gbrkhTQl0LEpE+LKfzEu131lCdX3ZF6SKKwNWtkAwQaY5oTvdSw1MJzdhovqtydnXCLX H4lLG2Cjqq5MvkAxwIyoEW0R+VXAuNaWwxT1QMZA5jGe15MaU1BuVsuoKNRVBM/Miw/s DBsgaCTeE+CfZEWm61TnIkOnNIg1SUOGmr9+WVt2qq6qNSsgdXt9RpsaB0X1Kpi6gD1E aKnQ==
X-Gm-Message-State: AElRT7Ea/r8Wq0loLaXopbBvremnT4cVfvv9ErLXFtvW5MLLbIMzGinV cwwBClweY+0esix4Q1bT8jvZ9VlR9khwlwgLIe0=
X-Google-Smtp-Source: AG47ELv1qlQj2hzWfXP1nM1KqNpIuJlvFyUm3In4MAEn5usN6wNNR/KHjRodxTmcrgic3n+MGAqWcSh2C0zcDq9U1r4=
X-Received: by 10.202.56.214 with SMTP id f205mr2448572oia.254.1519954166629; Thu, 01 Mar 2018 17:29:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.16.85 with HTTP; Thu, 1 Mar 2018 17:29:26 -0800 (PST)
In-Reply-To: <CABcZeBMnxoT1Gq71TNHv0Kq0T9eG=gZP0eAmXobwyD5PdQx_0Q@mail.gmail.com>
References: <16A9FD3A-7805-4130-8438-39D0D3E7E3AB@rhul.ac.uk> <87zi3rs7mh.fsf@fifthhorseman.net> <CABkgnnVEMj7DGN0GxtSwWSfyDhhdXfXoiwA8XE6M5xgLAHo-iQ@mail.gmail.com> <CABcZeBMnxoT1Gq71TNHv0Kq0T9eG=gZP0eAmXobwyD5PdQx_0Q@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 2 Mar 2018 12:29:26 +1100
Message-ID: <CABkgnnUY3XZoBr2=RfAAvFtUnDQGjbqiM0R1BF9LZNPqK8qmMQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PcTC7AE6WqlDCmU92jAM1mgI0sc>
Subject: Re: [TLS] Possible timing attack on TLS 1.3 padding mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Mar 2018 01:29:29 -0000

On Fri, Mar 2, 2018 at 12:17 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> This is fun, but I want to note that many (most) APIs are not zero-copy but
> rather involve
> SSL_Read() copying data from some internal buffer into a caller supplied
> buffer. So
> that operation also needs to be made constant time (e.g., by copying the
> whole
> padded region?), and so on...

Forgive me for indulging :)  For the record, I think that the current
text is perfectly adequate.