Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Bill Cox <> Sun, 29 November 2015 17:11 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 427961A1A7E for <>; Sun, 29 Nov 2015 09:11:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.963
X-Spam-Status: No, score=-1.963 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Yo63xtZ_Y1i3 for <>; Sun, 29 Nov 2015 09:11:40 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7E25C1A1A7F for <>; Sun, 29 Nov 2015 09:11:40 -0800 (PST)
Received: by igcmv3 with SMTP id mv3so56389466igc.0 for <>; Sun, 29 Nov 2015 09:11:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=SWarSyPzRqKlDYOrJT8+oUN7H2lfHrKJLgvbdXO89O0=; b=h+NY/FEq52vLSGNWZTpKSwubTlQnIkchEa1/6AJbmKVjuCl0OOjmq29M2dVIOV31af flEmu6Zn/TE5qtsKFi7U6r2gj57qef932L2YKwq4GA9DMCIL9I1FG2ZTjZ9uTPldf7Li GJfE98MyLG+DNn8PPu/JWBtfjTapzF4z4N1tooVFYwAy414ugHP14PasIgoKBoM16kJC wuPON3KnVQaTyVY7B1PcC6TV4n6mz2HmJz75JGUZ/1WinwNtJ3T8VtqUc8xZ45PDog5+ FhdFcylJd0Sl7eGbezE666uiC4tn4m/N4tHMP1uovgwDdWlEZGAmjpd95rdIkl7QY43v O/FQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=SWarSyPzRqKlDYOrJT8+oUN7H2lfHrKJLgvbdXO89O0=; b=lUFr4/j8j9rEPx8O4QtwZVOLVVFyZ+vuxbi3iRYJP6+CoEhvEgfsp7R4e/wafn/KfY HBz5WBTBOxOsKvqNM4ERc0U9S6cy8VWlcK0oOLRCg6IO53p/Noz4Y2VPmnLck3T9eFs1 P8/il/tjBjO06wTeUggDxGVpx7Vq8V86djVrHLQKDKhhrLmcAM0ysziyMyth+GxbsATN ymCJrm8MVUw2TNkL/KqfZ/cCpdRjMPyOgpHpIQFL3NiBW45NUJgeoeevre5+al8bS9n8 6CAwCw9hnmjHVntUiE6POjI8lfrRn0SUdv7D8tf1MsY+9MbUKwdBEEkW2ahunXAqckIL LHYA==
X-Gm-Message-State: ALoCoQkyLPraH6J6vkz4PwJL4XSS8Z8LSE9O8KKDjSMQG4bLSeFOojDTwK0P22e91P2nAHwLOCeJ
MIME-Version: 1.0
X-Received: by with SMTP id i5mr16986257igv.40.1448817099657; Sun, 29 Nov 2015 09:11:39 -0800 (PST)
Received: by with HTTP; Sun, 29 Nov 2015 09:11:39 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <>
Date: Sun, 29 Nov 2015 09:11:39 -0800
Message-ID: <>
From: Bill Cox <>
To: Bryan A Ford <>
Content-Type: multipart/alternative; boundary="089e013a0e08922c250525b104e5"
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 29 Nov 2015 17:11:42 -0000

Thanks for the detailed description of why we might want to obfuscate TLS
record lengths.  From a security point of view, the only potential attack
vector this might create is that the attacker will know in many cases the
plain text of the first 5 bytes.  A weakness in the stream cipher might be
more easily exploited in this case.  IIUC, we feel pretty good about the
latest AEAD ciphers, and guessing the clear text of many bytes in the
record already is not too hard.  Is that right?  So, from my fairly
uninformed point of view, this seems like a reasonable upgrade.

I have one concern.  These same boxes that hide record lengths by merging
and breaking up packets arbitrarily likely would deliver the packets not
well aligned to record boundaries.  Is this already the case?  If these
boxes currently inspect packets when breaking them up to split packets
along record boundaries, encrypting the lengths will defeat this efficiency
hack.  We might cause an increase in network latency in this case.  Do any
of the routers out there currently use the record length field when
splitting up packets?