Re: [TLS] Analysis of encrypting the headers - what is the length

"Jim Schaad" <> Sun, 06 December 2015 21:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4AB9F1B33DE for <>; Sun, 6 Dec 2015 13:49:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1WPY9xwcwfli for <>; Sun, 6 Dec 2015 13:49:12 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B3BAF1B33DC for <>; Sun, 6 Dec 2015 13:49:12 -0800 (PST)
Received: from hebrews ( []) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id ECE7838F05; Sun, 6 Dec 2015 13:49:11 -0800 (PST)
From: Jim Schaad <>
To: 'Bryan A Ford' <>,
References: <11f501d12ed6$41150270$c33f0750$> <>
In-Reply-To: <>
Date: Sun, 06 Dec 2015 13:46:25 -0800
Message-ID: <00ed01d1306f$8ee4d6c0$acae8440$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Content-Language: en-us
Thread-Index: AQK2HzzDa6zorWW5wNKNhe+Y0Giw8AGkqSGknOdskxA=
Archived-At: <>
Subject: Re: [TLS] Analysis of encrypting the headers - what is the length
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 06 Dec 2015 21:49:14 -0000

> -----Original Message-----
> From: TLS [] On Behalf Of Bryan A Ford
> Sent: Sunday, December 06, 2015 1:22 AM
> To:
> Subject: Re: [TLS] Analysis of encrypting the headers - what is the length
> On 12/4/15 9:56 PM, Jim Schaad wrote:
> > I will start by re-iterating my initial position that I would prefer
> > that the DTLS and TLS analysis is going to be the same in terms of
> > masking the header information.  So I decided to do some thought
> > experiments about what happens if the length were to be encrypted and
> > how many different situations does this not appear to help the
> Why are you fixated on enumerating different situations where encrypting
> headers doesn't help, while completely ignoring situations where it can
> You could draw up an infinite list of scenarios in both categories.  No
> provision will address every possible attack scenario - padding definitely
> either! - but both header encryption and padding are complementary
> that each make attacks more difficult for attackers in different ways.

Having a solid idea of what the limitations of a solution are can be
extremely helpful in trying to determine if the solution solves the problem
as presented.  My understanding of the problem that you are trying to solve
is to hid the length of the data by encrypting it.  Knowing when this does
and does not work is part and parcel of trying to do the evaluation of a
solutions effectiveness and then being able to do an evaluation of the
benefits and costs of such a solution.

It might be helpful to have a more formal set of situations where the
solution works so that it can be compared.  If the solution of encrypting
the header requires additional tactics as well, then it should be well
understood that the encryption solution is, in itself, insufficient.   Doing
so would also allow for a better understanding of what other solutions can
be used to address the same, or similar, problems potentially without the
same costs.

The question of whether padding does or does not solve the problem depends
to a large extend on what the attack model you are using is.  If the attack
model requires that you know the exact length of the data involved, then
doing a simple padding with random lengths of data, or padding out to a
fixed boundary does solve the problem entirely.  If the attack model is
based on distinguishing very large and very small blocks of data, then
padding can solve this by making all responses pad out to a very large size.
Again one needs to look at the costs of this as always sending a large
amount of data in response, most of which is padding, presents a problem for
the network and potentially the devices sending and receiving the data
(power consumption).  One therefore needs to do tradeoffs of the solution vs
the problems.  

I am assuming that your attack model more closely follows the first one
presented, but given that you have never stated it in any sort of formal
language that is at best a wild guess on my part.


> B