Re: [TLS] Heartbeat and padding
Aaron Zauner <azet@azet.org> Mon, 28 April 2014 12:45 UTC
Return-Path: <azet@azet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06E721A09F9 for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 05:45:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uhzPwAC0PP9x for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 05:45:52 -0700 (PDT)
Received: from mail-ee0-f50.google.com (mail-ee0-f50.google.com [74.125.83.50]) by ietfa.amsl.com (Postfix) with ESMTP id A9D9F1A09F6 for <tls@ietf.org>; Mon, 28 Apr 2014 05:45:51 -0700 (PDT)
Received: by mail-ee0-f50.google.com with SMTP id c13so4784410eek.37 for <tls@ietf.org>; Mon, 28 Apr 2014 05:45:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=Zxtxro9URFNT/mmL3pnXAYLNFfmoFvV79dcMy4HCKqM=; b=KcCgzuSkZjmszmQKZiGtlWhr7g2qb5LXGGASOrXHFPiKAhCTDrQIGOryA1dWtmYBhC ymDPpPvREaiGeZdrDy6uZIPP5OhRqAj7cD/+O3A/oinyw8pve92p91TKycIghP5svPa6 UyPVDhsz0tSAaVOswkc1+lZRW4Rxd35yz5brljbTrW3098c2Uak2UotIZzQsXudA/CY8 LOwX6Ecu9FTPyA8mU96/wCHsrkhyUx+PMRJNSkjKyQArqPmef26TSsb5wg0ur+IZAUSY 8S5GR7xdhAm73ZCeDMvMh9JE4lSlmw+WrGv2VsK1ECVFJsrWMJ+Y9tyTJnxs55oAB7MM jIdQ==
X-Gm-Message-State: ALoCoQkq6BqyUygPI46WvTrq3lcHvaDNwXT+c5bNtOHqOmW1nAoTqROOXOPIXqtyZdvxjTjrT3xc
X-Received: by 10.14.199.8 with SMTP id w8mr1056312een.94.1398689150376; Mon, 28 Apr 2014 05:45:50 -0700 (PDT)
Received: from [10.60.30.119] ([193.170.94.190]) by mx.google.com with ESMTPSA id bc51sm50119223eeb.22.2014.04.28.05.45.48 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 28 Apr 2014 05:45:49 -0700 (PDT)
Message-ID: <535E4D78.1030307@azet.org>
Date: Mon, 28 Apr 2014 14:45:44 +0200
From: Aaron Zauner <azet@azet.org>
User-Agent: Postbox 3.0.9 (Macintosh/20140129)
MIME-Version: 1.0
To: Michael D'Errico <mike-list@pobox.com>
References: <535C4EFD.7030608@pobox.com>
In-Reply-To: <535C4EFD.7030608@pobox.com>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig38D5519DE3E00DF0B778299E"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/QXrcmrfid99ypf56hkvD3njbYRQ
Cc: TLS Mailing List <tls@ietf.org>
Subject: Re: [TLS] Heartbeat and padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 12:45:53 -0000
Michael D'Errico wrote:
> Not related to Heartbleed(tm), do we need to revisit the Heartbeat spec.
> due to the random padding? There is a requirement to add at least 16
> bytes of random padding to every message:
>
> struct {
> HeartbeatMessageType type;
> uint16 payload_length;
> opaque payload[HeartbeatMessage.payload_length];
> opaque padding[padding_length];
> } HeartbeatMessage;
>
> ...
>
> padding: The padding is random content that MUST be ignored by the
> receiver. The length of a HeartbeatMessage is TLSPlaintext.length
> for TLS and DTLSPlaintext.length for DTLS. Furthermore, the
> length of the type field is 1 byte, and the length of the
> payload_length is 2. Therefore, the padding_length is
> TLSPlaintext.length - payload_length - 3 for TLS and
> DTLSPlaintext.length - payload_length - 3 for DTLS. The
> padding_length MUST be at least 16.
>
> The sender of a HeartbeatMessage MUST use a random padding of at
> least 16 bytes. The padding of a received HeartbeatMessage message
> MUST be ignored.
>
>
> Since the recipient MUST ignore the padding, they can't reverse engineer
> the peer's PRNG, so maybe this isn't a problem?
You should ignore it, but you can still recieve it, right?
I was wondering about exactly the same issue a few weeks ago. As far as
I know (and some people familiar with implementations have suggested)
you do not need to pad with CSPRNG here and implementations allegedly do
not do so, I didn't have time to check in codebases of SSL libs though.
Aaron
- [TLS] Heartbeat and padding Michael D'Errico
- Re: [TLS] Heartbeat and padding Hanno Böck
- Re: [TLS] Heartbeat and padding Watson Ladd
- Re: [TLS] Heartbeat and padding Aaron Zauner
- Re: [TLS] Heartbeat and padding Salz, Rich
- Re: [TLS] Heartbeat and padding Nikos Mavrogiannopoulos
- Re: [TLS] Heartbeat and padding Michael Tuexen
- Re: [TLS] Heartbeat and padding Bill Frantz
- Re: [TLS] Heartbeat and padding Richard Hartmann
- Re: [TLS] Heartbeat and padding Viktor Dukhovni
- Re: [TLS] Heartbeat and padding Nico Williams
- Re: [TLS] Heartbeat and padding Nico Williams