Re: [TLS] Analysis of encrypting the headers - what is the length
"Jim Schaad" <ietf@augustcellars.com> Sun, 06 December 2015 21:49 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AB9F1B33DE for <tls@ietfa.amsl.com>; Sun, 6 Dec 2015 13:49:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1WPY9xwcwfli for <tls@ietfa.amsl.com>; Sun, 6 Dec 2015 13:49:12 -0800 (PST)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3BAF1B33DC for <tls@ietf.org>; Sun, 6 Dec 2015 13:49:12 -0800 (PST)
Received: from hebrews (c-24-21-96-37.hsd1.or.comcast.net [24.21.96.37]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id ECE7838F05; Sun, 6 Dec 2015 13:49:11 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Bryan A Ford' <brynosaurus@gmail.com>, tls@ietf.org
References: <11f501d12ed6$41150270$c33f0750$@augustcellars.com> <5663FE47.1050106@gmail.com>
In-Reply-To: <5663FE47.1050106@gmail.com>
Date: Sun, 06 Dec 2015 13:46:25 -0800
Message-ID: <00ed01d1306f$8ee4d6c0$acae8440$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Content-Language: en-us
Thread-Index: AQK2HzzDa6zorWW5wNKNhe+Y0Giw8AGkqSGknOdskxA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/SDLPfvyfB8aR6vhZkYfMin_FJRw>
Subject: Re: [TLS] Analysis of encrypting the headers - what is the length
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2015 21:49:14 -0000
> -----Original Message----- > From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Bryan A Ford > Sent: Sunday, December 06, 2015 1:22 AM > To: tls@ietf.org > Subject: Re: [TLS] Analysis of encrypting the headers - what is the length > > On 12/4/15 9:56 PM, Jim Schaad wrote: > > I will start by re-iterating my initial position that I would prefer > > that the DTLS and TLS analysis is going to be the same in terms of > > masking the header information. So I decided to do some thought > > experiments about what happens if the length were to be encrypted and > > how many different situations does this not appear to help the situation. > > Why are you fixated on enumerating different situations where encrypting > headers doesn't help, while completely ignoring situations where it can help? > You could draw up an infinite list of scenarios in both categories. No security > provision will address every possible attack scenario - padding definitely doesn't > either! - but both header encryption and padding are complementary provisions > that each make attacks more difficult for attackers in different ways. Having a solid idea of what the limitations of a solution are can be extremely helpful in trying to determine if the solution solves the problem as presented. My understanding of the problem that you are trying to solve is to hid the length of the data by encrypting it. Knowing when this does and does not work is part and parcel of trying to do the evaluation of a solutions effectiveness and then being able to do an evaluation of the benefits and costs of such a solution. It might be helpful to have a more formal set of situations where the solution works so that it can be compared. If the solution of encrypting the header requires additional tactics as well, then it should be well understood that the encryption solution is, in itself, insufficient. Doing so would also allow for a better understanding of what other solutions can be used to address the same, or similar, problems potentially without the same costs. The question of whether padding does or does not solve the problem depends to a large extend on what the attack model you are using is. If the attack model requires that you know the exact length of the data involved, then doing a simple padding with random lengths of data, or padding out to a fixed boundary does solve the problem entirely. If the attack model is based on distinguishing very large and very small blocks of data, then padding can solve this by making all responses pad out to a very large size. Again one needs to look at the costs of this as always sending a large amount of data in response, most of which is padding, presents a problem for the network and potentially the devices sending and receiving the data (power consumption). One therefore needs to do tradeoffs of the solution vs the problems. I am assuming that your attack model more closely follows the first one presented, but given that you have never stated it in any sort of formal language that is at best a wild guess on my part. Jim > > B
- [TLS] Analysis of encrypting the headers - what i… Jim Schaad
- Re: [TLS] Analysis of encrypting the headers - wh… Christian Huitema
- Re: [TLS] Analysis of encrypting the headers - wh… Bryan A Ford
- Re: [TLS] Analysis of encrypting the headers - wh… Jim Schaad