Re: [TLS] Confirmation of Consensus on Removing Compression from TLS 1.3

mrex@sap.com (Martin Rex) Wed, 26 March 2014 20:56 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 113CB1A03CB for <tls@ietfa.amsl.com>; Wed, 26 Mar 2014 13:56:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GHsKKumVA0D1 for <tls@ietfa.amsl.com>; Wed, 26 Mar 2014 13:56:25 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 512DE1A03C6 for <tls@ietf.org>; Wed, 26 Mar 2014 13:56:25 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id s2QKuI4p003225 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 26 Mar 2014 21:56:18 +0100 (MET)
In-Reply-To: <DA7A3139-EE44-4FE2-B674-4ECAE4D51079@cisco.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Date: Wed, 26 Mar 2014 21:56:18 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140326205618.19F9A1AC7D@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/UiutrWMxylBQPycDkiGrcIx4WQw
Cc: tls@ietf.org
Subject: Re: [TLS] Confirmation of Consensus on Removing Compression from TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Mar 2014 20:56:28 -0000

Joseph Salowey (jsalowey) wrote:
>
> The use of compression within TLS has resulted in vulnerabilities
> that can be exploited to disclose TLS encrypted application data.
> The consensus in the room at IETF-89 was to remove compression from
> TLS 1.3 to remove this attack vector.  If you have concerns about
> this decision please respond on the TLS list by April 11, 2014.

This characterization about the use of compression in TLS is
sufficiently misleading that it is wrong.

First of all, the problem is nowhere specific to TLS, and affects
compression anywhere within the software protocol stack.

Besides, compression only aggravates the problem when either the entropy
of all data within a TLS record is so extremely low, that the TLS record
size difference will make the difference.

As I previously noted on this list, the way it is specified, the TLS
compression function could be used to provide a random padding of TLS
records, so that all TLS records come out in equal size, essentially
a form of anti-compression.  And that could be applied to all existing
cipher suites, including Stream ciphers and AEAD -- both of which
do not allow any padding at all so far and therefor leak much more
about the protected traffic than cipher suites that use the
GenericBlockCipher PDU. 


The only situation where compression in general at the TLS-level
aggravate the problem in any meaningful fashion is when either one
or both of the endpoints do extraordinarily stupid things, like
multiplexing attacker-supplied data with data that the attacker is not
supposed to know into the same compression function (i.e. protect it
with the very same TLS connection state rather than through seperate
TLS connection states (i.e. with independent traffic protection keys),
which is a clear an obvious fallacy, in clear abuse of the TLS protocol:


   http://tools.ietf.org/html/rfc5246#page-16

   Any protocol designed for use over TLS must be carefully designed to
   deal with all possible attacks against it.  As a practical matter,
   this means that the protocol designer must be aware of what security
   properties TLS does and does not provide and cannot safely rely on
   the latter.



Our implementation does not implement support for compression so far,
but if anyone wanted to have support for random padding in Stream and
AEAD ciphers within TLS (v1.0-v1.2) I would really prefer to see that
being done through an (anti-)compression scheme rather than changing
all of the 2/3 Encryption PDUs seperately.

For TLSv1.3, support for random (sized) padding could be added by
appropriate definition of the respective PDUs and their processing,
but that will reduce the code sharing further and further.

 
-Martin