Re: [TLS] Confirmation of Consensus on Removing Compression from TLS 1.3
mrex@sap.com (Martin Rex) Wed, 26 March 2014 20:56 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 113CB1A03CB for <tls@ietfa.amsl.com>; Wed, 26 Mar 2014 13:56:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GHsKKumVA0D1 for <tls@ietfa.amsl.com>; Wed, 26 Mar 2014 13:56:25 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 512DE1A03C6 for <tls@ietf.org>; Wed, 26 Mar 2014 13:56:25 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id s2QKuI4p003225 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 26 Mar 2014 21:56:18 +0100 (MET)
In-Reply-To: <DA7A3139-EE44-4FE2-B674-4ECAE4D51079@cisco.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Date: Wed, 26 Mar 2014 21:56:18 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140326205618.19F9A1AC7D@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/UiutrWMxylBQPycDkiGrcIx4WQw
Cc: tls@ietf.org
Subject: Re: [TLS] Confirmation of Consensus on Removing Compression from TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Mar 2014 20:56:28 -0000
Joseph Salowey (jsalowey) wrote: > > The use of compression within TLS has resulted in vulnerabilities > that can be exploited to disclose TLS encrypted application data. > The consensus in the room at IETF-89 was to remove compression from > TLS 1.3 to remove this attack vector. If you have concerns about > this decision please respond on the TLS list by April 11, 2014. This characterization about the use of compression in TLS is sufficiently misleading that it is wrong. First of all, the problem is nowhere specific to TLS, and affects compression anywhere within the software protocol stack. Besides, compression only aggravates the problem when either the entropy of all data within a TLS record is so extremely low, that the TLS record size difference will make the difference. As I previously noted on this list, the way it is specified, the TLS compression function could be used to provide a random padding of TLS records, so that all TLS records come out in equal size, essentially a form of anti-compression. And that could be applied to all existing cipher suites, including Stream ciphers and AEAD -- both of which do not allow any padding at all so far and therefor leak much more about the protected traffic than cipher suites that use the GenericBlockCipher PDU. The only situation where compression in general at the TLS-level aggravate the problem in any meaningful fashion is when either one or both of the endpoints do extraordinarily stupid things, like multiplexing attacker-supplied data with data that the attacker is not supposed to know into the same compression function (i.e. protect it with the very same TLS connection state rather than through seperate TLS connection states (i.e. with independent traffic protection keys), which is a clear an obvious fallacy, in clear abuse of the TLS protocol: http://tools.ietf.org/html/rfc5246#page-16 Any protocol designed for use over TLS must be carefully designed to deal with all possible attacks against it. As a practical matter, this means that the protocol designer must be aware of what security properties TLS does and does not provide and cannot safely rely on the latter. Our implementation does not implement support for compression so far, but if anyone wanted to have support for random padding in Stream and AEAD ciphers within TLS (v1.0-v1.2) I would really prefer to see that being done through an (anti-)compression scheme rather than changing all of the 2/3 Encryption PDUs seperately. For TLSv1.3, support for random (sized) padding could be added by appropriate definition of the respective PDUs and their processing, but that will reduce the code sharing further and further. -Martin
- [TLS] Confirmation of Consensus on Removing Compr… Joseph Salowey (jsalowey)
- Re: [TLS] Confirmation of Consensus on Removing C… Yaron Sheffer
- Re: [TLS] Confirmation of Consensus on Removing C… Martin Thomson
- Re: [TLS] Confirmation of Consensus on Removing C… Martin Rex
- Re: [TLS] Confirmation of Consensus on Removing C… Eric Rescorla
- Re: [TLS] Confirmation of Consensus on Removing C… Paterson, Kenny
- Re: [TLS] Confirmation of Consensus on Removing C… Martin Rex
- Re: [TLS] Confirmation of Consensus on Removing C… Eric Rescorla
- Re: [TLS] Confirmation of Consensus on Removing C… Watson Ladd
- Re: [TLS] Confirmation of Consensus on Removing C… Martin Rex
- Re: [TLS] Confirmation of Consensus on Removing C… Joachim Strömbergson
- Re: [TLS] Confirmation of Consensus on Removing C… Alyssa Rowan
- Re: [TLS] Confirmation of Consensus on Removing C… Richard Hartmann
- Re: [TLS] Confirmation of Consensus on Removing C… Peter Gutmann
- Re: [TLS] Confirmation of Consensus on Removing C… Karthikeyan Bhargavan
- Re: [TLS] Confirmation of Consensus on Removing C… Bill Frantz
- Re: [TLS] Confirmation of Consensus on Removing C… Joseph Salowey (jsalowey)
- Re: [TLS] Confirmation of Consensus on Removing C… Eric Rescorla
- Re: [TLS] Confirmation of Consensus on Removing C… Eric Rescorla