Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size
Nikos Mavrogiannopoulos <nmav@redhat.com> Mon, 14 August 2017 07:11 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88FD5131CF2 for <tls@ietfa.amsl.com>; Mon, 14 Aug 2017 00:11:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.701
X-Spam-Level:
X-Spam-Status: No, score=-4.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iMBVmkjvKHxQ for <tls@ietfa.amsl.com>; Mon, 14 Aug 2017 00:11:57 -0700 (PDT)
Received: from mail-wr0-f180.google.com (mail-wr0-f180.google.com [209.85.128.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42B7C131D24 for <tls@ietf.org>; Mon, 14 Aug 2017 00:11:57 -0700 (PDT)
Received: by mail-wr0-f180.google.com with SMTP id y41so6884519wrd.3 for <tls@ietf.org>; Mon, 14 Aug 2017 00:11:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=taCyjqW26Nv/Iy74gEMGnRZwAflM9c2YKBDosATe0Co=; b=Vu2rEltnF+gr2dUwW04gt1Dcs0gp/D0GVFfB9MM1N+3wwRQVrohteDnXReZaitH7KY SeurVDZXXrcse9aZRe7H9QkLaavwuGsr+WAUNSoU13nHNmaDBpLB85w46+LXinoS8u9Q woe+xQKYSttgj9RMJlkuhvnCtJVPHpXRyABW8C1UDlLTfMacLsJN9gFQx7kQ3roewo7r GiFdxiXTdWen1IOsMYZR9VM/9gjoO33qzpkH874rmSLti/vOWWQCdaUzFon8/ivczQ6E ElKpX2ADX2NIfSnp3k+LykY1d33qhOfQ3hTIuFbgy5F59BSUfodh5zvLCjw8nJNGXHLP 6aKw==
X-Gm-Message-State: AHYfb5hZjBXjZRSGdGLKkhjm7k2TLiwqrhVGB9pxvz0/SmbeYKezUWAe Pxk1n6Si3S5dxL7qZlQRLQ==
X-Received: by 10.223.179.71 with SMTP id k7mr16982711wrd.232.1502694715670; Mon, 14 Aug 2017 00:11:55 -0700 (PDT)
Received: from dhcp-10-40-1-102.brq.redhat.com (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id m4sm7093186wmf.2.2017.08.14.00.11.54 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 14 Aug 2017 00:11:54 -0700 (PDT)
Message-ID: <1502694713.4288.3.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "Short, Todd" <tshort@akamai.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Mon, 14 Aug 2017 09:11:53 +0200
In-Reply-To: <87shgyndtw.fsf@fifthhorseman.net>
References: <1502460670.3202.8.camel@redhat.com> <075C47B6-A601-441F-B881-A7F78648B5F1@akamai.com> <CADh2w8QexuvQtXyOsj3WkiPf+2YjH8yFhR7Wj3Ek+b=U3Bb3Fg@mail.gmail.com> <87shgyndtw.fsf@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.24.4 (3.24.4-1.fc26)
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QqWcZ8Szi8dDpQeq9m6WTAVdtcE>
Subject: Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 07:12:00 -0000
On Fri, 2017-08-11 at 14:45 -0400, Daniel Kahn Gillmor wrote: > On Fri 2017-08-11 18:43:15 +0200, Nikos Mavrogiannopoulos wrote: > > I don't argue with this but this is not the approach TLS 1.3 took. > > It > > provides a generic padding mechanism to be used across application > > protocols. > > The design approach that TLS 1.3 took was to provide a mechanism for > padding at the TLS layer, not to prescribe padding at the application > layer. You actually probably need both to defend against traffic > analysis in the big picture. > > Thoughtful, well-designed application-layer padding is likely to be > better than generic TLS-layer padding. But not all applications can > actually accomodate padding (and it's not clear that folks have done > the > thoughtful work even on those applications which *can* accomodate > padding). > > TLS offers a generic mechanism to support the cases where the > application can't do padding, or where the implementer has no control > over (or insight into) the application itself. It'll probably leak > in > the way you describe, but it'll probably also be better than > cleartext. > > Furthermore, there are TLS messages that are not application data at > all -- so those parts *have* to be padded at the TLS layer, as the > application cannot directly affect their size. > > A robust and safe padding approach needs to take into account all > layers > of the stack at once and coordinate between them. Without the > padding > mechanism in TLS, it wouldn't be possible to coordinate across the > whole stack. Typically protocol design which is build on top of other protocols assumes that they operate as reasonably. I doubt a TLS implementor who knows about this timing leak will be the one designing the application protocol on top, so my bet is that we are going to see application protocols defined which take advantage of that padding and believing they offer a plaintext length protection. That's why, I'd urge to underline this timing leak in the document rather than hiding it in generic timing leak considerations text. We already have experience with that. TLS 1.1 documented a similar leak prominently: "Implementation Note: Canvel et al. [CBCTIME] have demonstrated a ..." Note however that documenting the problem itself didn't help in that case, all implementations were vulnerably to the later lucky13 attack. The best IMHO is to document the way to address the timing leak. regards, Nikos
- [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record pad… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Short, Todd
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Ted Lemon
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Andrei Popov
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Short, Todd
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Short, Todd
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Daniel Kahn Gillmor
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Colm MacCárthaigh
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Colm MacCárthaigh
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario