IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

Eric Rescorla <ekr@rtfm.com> Fri, 11 August 2017 17:21 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEC94132461 for <tls@ietfa.amsl.com>; Fri, 11 Aug 2017 10:21:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DdZ3QnocrO2o for <tls@ietfa.amsl.com>; Fri, 11 Aug 2017 10:21:06 -0700 (PDT)
Received: from mail-yw0-x232.google.com (mail-yw0-x232.google.com [IPv6:2607:f8b0:4002:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1011513252D for <tls@ietf.org>; Fri, 11 Aug 2017 10:21:06 -0700 (PDT)
Received: by mail-yw0-x232.google.com with SMTP id u207so26093336ywc.3 for <tls@ietf.org>; Fri, 11 Aug 2017 10:21:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xm0ac41mIax2dzhQ19wzP0aCXUutgYBidvM2TPHni+g=; b=pZvASXzceArzbMfTO7fr93rKaLXZmf6EqY18BxHHvlQs0OpZjxVdSOdHfe08RdMiz+ QXaVqzc8mNjNFfqsVlFhszosC1lDVsExjDurTwXxOFwJcK8FSUvb2j33w5i5o2RdwZTi DTtAF+wEh5NTvSVJzNkkNhdWvpxeUlpSHnS5VTWd4xsR9x6Bw7WpjImUI01VsZgZz5Ru 6wrX3H+fsiyH23qQkfuPO9RTiox/qgkpeOeRdFzPqOk7AOfqwb3RlP4Mm5b5WQdaGHVs CUAFcrb02vsrncyl4Q1Iq3EyEHGuaZmou3p8yjlUulfm1waNiU2WtmMod+8yH0rnAPkm IfgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xm0ac41mIax2dzhQ19wzP0aCXUutgYBidvM2TPHni+g=; b=thr6HcODBpBv+La24XXhXSnYZSWYVZQlSqJW343MThI+MsXDbsCGqqVcOJUWjJiEZ2 wikVgZfgXA1xcb4FhmlnFQFATY7wO41dDpfNEjf9O/30AySkt2FnO5zoZO7gFuTkT0Pr 9YszaqTvCd7Rlrrl2Kze+wea0vheEtxeEl+g1PbH5Th3DTxFjYaKo6z0AhDDuNVz5sKI HtBa2tUbhGpQtHm+PvfnLwdMgQwj13eH1qQyg3ZRFw8nXQWJji9Ub2iGIK65tYLwqfKo awrQn/TdOdwpXlsJnEKMwrXMcxy5yc2DDYlQXTLuahvyc+Pt+X+mUOkZuLwdSx44dwop dE6g==
X-Gm-Message-State: AHYfb5hLQaHElIl79BdPQbf+2J99AetcHKzsDK5v/xEXbJ5AsaGt1VEX EwNUru6ygu2GdNwLdUTl9Q12tl/w6ETr
X-Received: by 10.37.248.12 with SMTP id u12mr13068141ybd.248.1502472065300; Fri, 11 Aug 2017 10:21:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.218.130 with HTTP; Fri, 11 Aug 2017 10:20:24 -0700 (PDT)
In-Reply-To: <CADh2w8Trp-7WiVCDzQ6OLiHqE_Fw530bp0gZeRKCJiaGkLfb3w@mail.gmail.com>
References: <1502460670.3202.8.camel@redhat.com> <CABcZeBOmFTrCEmV20XZe9hO5owdv1SsWaWkZHhQFfpNmfou4VQ@mail.gmail.com> <CADh2w8Trp-7WiVCDzQ6OLiHqE_Fw530bp0gZeRKCJiaGkLfb3w@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 11 Aug 2017 10:20:24 -0700
Message-ID: <CABcZeBNpJ5_03VZot_3hj7KHnJ8609HX-MY62n0+HLXoRg-+=Q@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045db866bd00c005567d8907"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WTkvFDUUFI02QSJSRl4eOrG6YKQ>
Subject: Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 17:21:08 -0000

On Fri, Aug 11, 2017 at 9:47 AM, Nikos Mavrogiannopoulos <nmav@redhat.com>
wrote:

> On Fri, Aug 11, 2017 at 5:57 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>> On Fri, Aug 11, 2017 at 7:11 AM, Nikos Mavrogiannopoulos <nmav@redhat.com
>> > wrote:
>>
>>> Imagine the following scenario, where the server and client have this
>>> repeated communication N times per day:
>>>
>>> client     server
>>>     --X-->
>>>     <--Y--
>>>
>>>
>>> the client puts in X a message A of 1 byte or B of 1024 bytes, and pads
>>> it to the maximum size of TLS record. The server replies with the
>>> message "ok" (same every time), padded to the maximum size just after
>>> it reads X.
>>>
>>> However, TLS 1.3 detects the message size by iterating through all the
>>> padding bytes, and thus there is a timing leak observed by the time
>>> difference between receiving X and sending Y. Thus as an adversary I
>>> could take enough measurements and be able to distinguish between X
>>> having the value A or B.
>>>
>>> While I'd expect these iterations to be unmeasurable in desktop or
>>> server hardware, I am not sure about the situation in low-end IoT
>>> hardware. Is the design choice for having the padding removal depending
>>> on padding length intentional?
>>
>>
>> Yes, we're aware of this, and it's an intentional design choice. The
>> reasoning
>> was that once you have the padding removed, you'll need to operate on/copy
>> the unpadded content somewhere, and that's timing dependent anyway.
>>
>
> That is certainly an incorrect assumption. gnutls for example provides a
> zero-copy API, and I guess it is not the only implementation to have that.
>

And then the next thing that will happen is that the application will read
the data, which is length-dependent. The problem is that the plaintext is
variable length.


There is mentioning of possible timing channels in:
>>> https://tools.ietf.org/html/draft-ietf-tls-tls13-21#appendix-E.3
>>> However I don't quite understand how is this section intended to be
>>> read. The sentence for example: "Because the padding is encrypted
>>> alongside the actual content, an attacker cannot directly determine the
>>> length of the padding, but may be able to measure it indirectly by the
>>> use of timing channels exposed during record processing", what is its
>>> intention? Is it to acknowledge the above timing leak?
>>>
>>
>> Yes.
>>
>
> I am not sure if that text is sufficient to cover that issue. It seems as
> if the cbc timing attack is re-introduced here and pushing the fix to
> implementers. It may be better no to provide padding functionality with
> this "feature", as unfortunately it will be used by applications.
>

I don't believe that this is analysis is correct. This timing channel only
applies to the data after message integrity has been established (i.e.,
after AEAD processing), which is different from the situation in Lucky 13.
It seems like what leaks here is the length of the plaintext, which is also
what would be leaked if we simply did not have padding.

-Ekr


> regards,
> Nikos
>
>

v2.23.0 | Report a Bug | By Email