Re: [TLS] potential attack on TLS cert compression

Alex C <immibis@gmail.com> Fri, 20 April 2018 23:46 UTC

In-Reply-To: <CAAZdMae_oiF_5t43JTv9XsxM=qL55qbGWip0YPtTjPX95NU0UQ@mail.gmail.com>
References: <MWHPR15MB1821D5D75667B3C8F4132A1EB6A90@MWHPR15MB1821.namprd15.prod.outlook.com> <CAF8qwaBgpMnQ=dNgMOZrQRGwQUEswQiz6hDkyNiDVJXvh36X6A@mail.gmail.com> <20180322171000.GA23594@LK-Perkele-VII> <20180322183941.GA31902@bolet.org> <CAAZdMae_oiF_5t43JTv9XsxM=qL55qbGWip0YPtTjPX95NU0UQ@mail.gmail.com>
From: Alex C <immibis@gmail.com>
Date: Sat, 21 Apr 2018 11:46:41 +1200
Message-ID: <CAMqknA6Fqpn_SxvS36AxoZprt5tVk=WnJrt1AooBAzQdN+93UA@mail.gmail.com>
To: Victor Vasiliev <vasilvv@google.com>
Cc: Thomas Pornin <pornin@bolet.org>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZGxYH2E-g1TvlY2nRZ02aiGlv4A>
Subject: Re: [TLS] potential attack on TLS cert compression

It seems to me that if this is a valid threat model, then all software is
potentially vulnerable.

TLS records are carried over TCP segments. What if an attacker can change
the way records are divided into segments, and thereby trigger a bug in the
record parser?

On Fri, Apr 20, 2018 at 9:40 AM, Victor Vasiliev <vasilvv@google.com> wrote:

> Did we ever reach any agreement about what to do here?
>
> For me, the threat model here seems fairly far-fetched and infeasible, in
> the sense that the threat only exists in some very specific bugs in a
> multithreaded decompressor.
>
> I'd be less reluctant to do this if it were not for the fact that all
> solutions I've considered for this are quite annoying.  Putting the hash on
> the wire means wasting bytes, and altering the transcript hash introduces a
> lot of complexity into some implementations.
>
> On Thu, Mar 22, 2018 at 11:39 AM, Thomas Pornin <pornin@bolet.org> wrote:
>>
>> Certificate compression would be challenging to implement, though.
>> Usually, compression relies on at least a "window" over the decompressed
>> data (32 kB for Zlib/Deflate). Some rudimentary forms of compression
>> don't need that (e.g. run-length encoding) but usually offer poor
>> compression ratios. A 32 kB window is a lot for the kind of architecture
>> that BearSSL targets.
>>
>
> This is roughly my intuition -- you could parse certificate messages in a
> streaming manner, but if you're on a sufficiently limited platform that
> this is a worthwhile investment, you're probably not going to use
> certificate compression anyways.
>
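Alex's segmentation analogy, as an added example that is not part of the thread or any of its authors' code: an incremental parser for the TLS record layer (5-byte header of content type, legacy version and length, per RFC 8446) plus a harness that feeds one constructed byte stream under many random TCP-style segmentations and checks that the parsed records never depend on where the segment boundaries fall. The sample records and the cut points are constructed; the 16384 + 256 bound is the TLS 1.3 ciphertext limit.

```python
import random
import struct

MAX_RECORD_BODY = 16384 + 256  # TLS 1.3 TLSCiphertext length limit (RFC 8446 5.2)


class RecordParser:
    """Incremental TLS record-layer parser: accepts segments of any size,
    emits (content_type, legacy_version, body) only for complete records."""

    def __init__(self):
        self._buf = bytearray()
        self.records = []

    def feed(self, segment: bytes) -> None:
        self._buf += segment
        while len(self._buf) >= 5:  # never interpret a partial header
            ctype, version, length = struct.unpack("!BHH", self._buf[:5])
            if length > MAX_RECORD_BODY:
                raise ValueError(f"record body {length} exceeds limit")
            if len(self._buf) < 5 + length:
                return  # body incomplete: wait for more segments
            body = bytes(self._buf[5:5 + length])
            del self._buf[:5 + length]
            self.records.append((ctype, version, body))


def build_stream(bodies) -> bytes:
    """Constructed sample stream of handshake (type 22) records."""
    return b"".join(struct.pack("!BHH", 22, 0x0303, len(b)) + b for b in bodies)


def parse_segmented(stream: bytes, cut_points) -> list:
    """Feed the stream to a fresh parser, split at the given byte offsets."""
    parser = RecordParser()
    prev = 0
    for cut in sorted(cut_points) + [len(stream)]:
        parser.feed(stream[prev:cut])
        prev = cut
    return parser.records


def segmentation_independent(stream: bytes, trials: int = 200, seed: int = 1) -> bool:
    """Harness: the parse result must not depend on where segment boundaries fall."""
    rng = random.Random(seed)
    reference = parse_segmented(stream, [])
    for _ in range(trials):
        k = rng.randint(0, min(8, len(stream) - 1))
        cuts = rng.sample(range(1, len(stream)), k=k)
        if parse_segmented(stream, cuts) != reference:
            return False
    return True
```

The same harness can be pointed at any real record parser that exposes a feed-style interface; a parser whose output changes with the cut points is exactly the class of bug the message above is worried about.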